Redundant Internet with SD-WAN

1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.

2. Modifying existing policies

You will not be able to add any interface to the SD-WAN interface that is already used in the FortiGate’s configuration. So, in this scenario, you must delete any security policies that use either WAN1 or WAN2, such as the default Internet access policy. Traffic will not be able to reach WAN1 or WAN2 through the FortiGate after you delete the existing policies.

It is also advisable to check for any other references to WAN1 or WAN2 and make the necessary modifications.

If you have many policies that reference WAN1 and/or WAN2, a simple method is to redirect those policies to unused ports, rather than delete them, to avoid having to recreate each policy from scratch. Obviously, you should redirect those same policies back to the SD-WAN interface once it is created.

Go to Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.

3. Creating the SD-WAN interface

Go to Network > SD-WAN.

Set the Interface State to Enable.

Under SD-WAN, add the two WAN interfaces.

Under Load Balancing Algorithm, select Volume and prioritize the WAN1 interface to serve more traffic.

In the example, the ISP connected to WAN1 is a 40Mb link, and the ISP connected to WAN2 is a 10Mb link, so we balanced the weight 75% to 25% in favor of WAN1.

To help visualize the effectiveness of the algorithm selected, the WAN Links Usage graph shows you the Bandwidth and Volume usage.

4. Configuring SD-WAN Status Check

You can optionally configure SD-WAN Status Check to verify the health and status of the links that make up the virtual WAN link.

This configuration uses the Ping protocol to verify the status of the SD-WAN.

Go to Network > SD-WAN Status Check and (if you wish to use Google) enter the values shown here.

5. Allowing traffic from the internal network to the SD-WAN interface

Go to Policy & Objects > IPv4 and create a new policy.

Set Incoming Interface to your internal network’s interface and set Outgoing Interface to the SD-WAN interface.

Enable NAT and apply Security Profiles as required.

Enable Log Allowed Traffic for All Sessions to allow you to verify the results later.

At this point, you should recover any policies that may have been redirected or deleted in Step 2 and point them to the SD-WAN interface.

6. Results

Browse the Internet using a computer on the internal network and then go to Network > SD-WAN > SD-WAN Usage.

You can see the bandwidth and volume of traffic traversing the SD-WAN interfaces.

Verify that Status Check is working by viewing the table at Network > SD-WAN > SD-WAN Status Check.

Go to Monitor > SD-WAN Monitor to view the number of sessions for each interface, bit rate, and more.

7. Testing failover

To test failover of the redundant Internet configuration, you must simulate a failed Internet connection to one of the ports. Do so by physically disconnecting the Ethernet cable connected to WAN1.

Verify that users still have Internet access by navigating to Monitor > SD-WAN Monitor. Note the Upload/Download of each WAN interface.

Furthermore, go to Network > SD-WAN > SD-WAN Usage to see that bandwidth and volume have diverted entirely through WAN2.

Users on the internal network should have no knowledge of the WAN1 failure. Likewise, if you are using the WAN1 gateway IP to connect to the admin dashboard, nothing should change from your perspective. It will appear as though you are still connecting through WAN1.

Reconnect the WAN1 Ethernet cable when you have verified successful failover.