
4/16/2017 Redundant Internet connections - Fortinet Cookbook


Redundant Internet connections
Posted on July 13, 2016 by Kayla Robinson


In this example, you will create a WAN link interface that provides your FortiGate unit with
redundant Internet connections from two Internet service providers (ISPs). The WAN link interface
combines these two connections into a single interface.

This example includes weighted load balancing so that most of your Internet traffic is handled by one
ISP.


1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish
to use for most traffic is connected to WAN1 and the other connects
to WAN2.

2. Deleting security policies and routes that use WAN1 or WAN2

You will not be able to add an interface to the WAN link interface if it is already used in the
FortiGate’s configuration, so you must delete any security policies or routes that use either WAN1
or WAN2. Traffic will not be able to reach WAN1 or WAN2 through the FortiGate after you delete
the existing policies.

Many FortiGate models include a default Internet access policy that uses WAN1. This policy must
also be deleted.

Go to Policy & Objects > IPv4 Policy and delete any policies that use
WAN1 or WAN2.

Go to Network > Static Routes and delete any routes that use WAN1
or WAN2.

3. Creating a WAN link interface

Go to Network > WAN LLB (WAN Link Load Balancing).

Set the Interface State to Enable.

Under WAN LLB, select Create New to add an interface.

Add wan1 and enter the Gateway IP provided by your primary ISP. Do
the same for wan2, but this time use the Gateway IP provided by
your secondary ISP.


Under Load Balancing Algorithm, select Volume as the type. This
will allow you to prioritize the wan1 interface so that more traffic
uses it. For the weight, set wan1 to 3 and set wan2 to 1.

The weight settings will cause 75% of traffic to use WAN1, with the
remaining 25% using WAN2.

To help analyze the effectiveness of the algorithm selected, the WAN
Links Usage graph shows you the volume and bandwidth usage.

4. Configuring Health Check (optional)

You can optionally configure Health Check to verify the health and status of the links that make up
the virtual WAN link. Health Check is only available via the CLI. Go to Dashboard > CLI and enter
the following commands:

config system virtual-wan-link
 set fail-detect [enable | disable]
 set fail-alert-interfaces (available only if fail-detect is enabled)
 config health-check
  edit [health check name]
   set server <string>
   set protocol [ping | tcp-echo | udp-echo | http | twamp]
   ...
   set timeout <integer>
   set failtime [1-10]
   set recoverytime [1-10]
   set update-cascade-interface [enable | disable]
   set update-static-route [enable | disable]
 end
end
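
The failtime and recoverytime counters above, together with the 3:1 weights from step 3, modelled as an added Python example (not Fortinet code and not part of the original recipe). It assumes both counters count consecutive probe results and that a member marked down receives no traffic; LinkMonitor, traffic_share, replay and the probe sequence are constructed for illustration.

```python
# Added illustration: a simplified model of health-check failover, not FortiOS code.
from dataclasses import dataclass


@dataclass
class LinkMonitor:
    """Tracks one WAN member's state from a stream of probe results."""
    failtime: int = 5       # consecutive failed probes before the link is marked down
    recoverytime: int = 5   # consecutive good probes before it is marked up again
    alive: bool = True
    _streak: int = 0        # run of results that contradict the current state

    def probe(self, ok: bool) -> bool:
        if ok == self.alive:
            self._streak = 0            # result agrees with current state: reset
        else:
            self._streak += 1
            needed = self.recoverytime if ok else self.failtime
            if self._streak >= needed:  # enough evidence: flip the state
                self.alive, self._streak = ok, 0
        return self.alive


def traffic_share(weights, monitors):
    """Percent of traffic volume per member, split by weight among live links."""
    live = {n: w for n, w in weights.items() if monitors[n].alive}
    total = sum(live.values())
    return {n: (100 * live[n] / total if n in live else 0.0) for n in weights}


def replay(probes, weights, failtime, recoverytime):
    """Feed each round of probe results to the monitors; return the split per round."""
    monitors = {n: LinkMonitor(failtime, recoverytime) for n in weights}
    history = []
    for round_results in probes:
        for name, ok in round_results.items():
            monitors[name].probe(ok)
        history.append(traffic_share(weights, monitors))
    return history


# Constructed probe log: wan1 drops three probes, answers once, drops again,
# then answers twice in a row. wan2 answers every probe.
WEIGHTS = {"wan1": 3, "wan2": 1}
WAN1_RESULTS = [True, False, False, False, True, False, True, True]
PROBES = [{"wan1": ok, "wan2": True} for ok in WAN1_RESULTS]

if __name__ == "__main__":
    for i, share in enumerate(replay(PROBES, WEIGHTS, failtime=3, recoverytime=2)):
        print(i, share)
```

With failtime 3 and recoverytime 2, wan1 keeps its 75% share through two lost probes, drops to 0% on the third, and returns only after two consecutive good probes; the single good probe in between does not restore it.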

5. Creating a default route for the WAN link interface

Go to Network > Static Routes and create a new default route.

Set Device to the WAN link interface.


6. Allowing traffic from the internal network to the WAN link interface

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to your internal network’s interface and set
Outgoing Interface to the WAN link interface.

Turn on NAT.

Scroll down to view the Logging Options. To view the results later,
turn on Log Allowed Traffic and select All Sessions.

7. Results

Browse the Internet using a computer on the internal network and
then go to FortiView > All Sessions.

Make sure that the Destination Interface column is shown. If it’s not,
right-click on the top menu row to add it to the menu.

The log shows traffic flowing through both WAN1 and WAN2.

Go to Network > Interfaces and disable the wan1 port. Then browse
the Internet from the internal network.

Go back to FortiView > All Sessions and the results should show
that traffic is only flowing through wan2, until you enable WAN1
again.

For further reading, check out Redundant Internet
installation in the FortiOS 5.4 Handbook.


Kayla Robinson


Technical Writer at Fortinet

Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New
Media team. With a Bachelor's degree from Carleton, and a graduate certificate in
Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.


10 Comments on "Redundant Internet connections"


Rob Aronson

Is there a good way to migrate existing connections to wan link load balancing? We
have dual ISPs with inbound and outbound policies, routes, VPNs and multiple VIPs.
I’d love to be able to reduce my redundant policies. We have to create two policies
every time we change the firewall. It’s extra work and introduces opportunities for
errors.

Thanks

Model(s) 200d

Firmware 5.4.4


REPLY  April 13, 2017 3:06 pm

Merong Mahawangsa IV

How about adding a tunnel in WAN-LLB? We have tried, but the WAN-LLB interface
seems down. FortiGate 1200D v5.4.4

REPLY  April 9, 2017 4:38 am

bdickie

It is our understanding that this configuration is not supported for FortiOS
5.4. It is for FortiOS 5.6.

REPLY  April 11, 2017 10:16 am

Victoria Martin

I’m glad you were able to get things sorted out.

REPLY  January 31, 2017 11:18 am

jppataki

I’ve tried but my WAN connections don’t appear when I try to Create New under
WAN LLB (and all the others appear!!!). Of course I can change to another, but somehow
it feels odd and I would like to understand what’s going on. And I’m sure I deleted
every IPv4 policy and all the static rules (and did a reboot just to be sure).
What else can it be?

REPLY  January 28, 2017 12:57 pm

Victoria Martin

Hello,


When you go to Network > Interfaces, check the Ref. column located on
the far right side of the interface list. This column lists any references to
the interface in your configuration. If the number is 1 or higher, click on it
to see where your configuration references the interface.

If this number is 0, then you have successfully removed all references – if
this is the case, I would recommend contacting Support about the issue.

REPLY  January 31, 2017 9:56 am

Neemias Caetano

I’m sorry, allow me another curiosity / question.
Is there some other way to monitor the link / availability, without the need to enable LLB?

REPLY  September 29, 2016 2:16 am

Neemias Caetano

If there is 01 (one) with two WAN interface’s VLAN, this rule does not apply, right? I
have not found documentation contemplating this kind of situation / scenario.
Could you talk about it?

REPLY  September 29, 2016 2:16 am

Kerrie Newton

Hello Neemias,

Just to clarify, are you attempting to create a WAN LLB using VLANs? I
haven’t tested it but doing a quick setup I was able to create a VLAN and
select it as an interface for WAN LLB.

Should you attempt that and need further assistance troubleshooting feel
free to contact Fortinet Support:
How to work with Fortinet Support
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

Correct to using a different Load Balancing Algorithm you will still need to
enable WAN LLB. Afterwards you’d be able to monitor the links via
FortiView.


Regards,
Kerrie

REPLY  February 2, 2017 2:47 pm

Neemias Caetano

Hi,
Thanks for the answer.
As for the VLAN interface, it does not appear in WLLB.
I believe, not bear it.
tks,

REPLY  February 2, 2017 3:11 pm
