Redundant Internet with SD-WAN on a FortiNet

Internet connections aren’t always as robust as we’d like them to be. Sometimes they just stop working for no good reason, or the speed will drop to something less than optimal. Over the years I’ve seen many setups where a secondary internet connection is installed to act as a backup if the primary fails. This works well enough, but you end up paying for an internet connection that almost never gets used.

In this post I’ll detail how I went from an Active/Passive setup to Active/Active to load balance traffic across multiple ISPs and provide redundancy in the event that one of the links should fail. In my case I was in the unfortunate position to be configuring this remotely in an office over 6,000 km away and had to do some trickery with moving routes around to avoid cutting myself off. So I’ll leave those bits out for now and assume you have LAN side access.

Note: you may need to enable SD-WAN Interface under System > Feature Visibility before beginning.

1. Connect to your ISP devices

Connect WAN1 and WAN2 to respective ISP devices (NTU / modem / etc). Ideally WAN1 would be for your primary link, but this isn’t critical.

2. Remove any existing config that references these interfaces

Any config that references WAN1 or WAN2 must be removed before they can be used as SD-WAN members. This includes any policies and routes associated with these interfaces. Instead of removing these policies and having to recreate them later, you can change the interface they use and change it back after the SD-WAN interface is up. Obviously, if you’re configuring this from the WAN side you’ll drop your connection at this point, so keep that in mind.

3. Create the SD-WAN interface

Go to Network > SD-WAN and set Status to Enable.

Under SD-WAN Interface Members, select +, select WAN1 and set its default gateway. Now add WAN2 and set the default gateway for that interface.

You can verify the SD-WAN interface has been created by going to Network > Interfaces. You can expand the SD-WAN interface to confirm both WAN1 and WAN2 have been added.

4. Load Balancing

Now to balance traffic over the two links. Go to Network > SD-WAN Rules and edit the rule named sd-wan.

Select Volume from the Load Balancing Algorithm options and set your weighting as appropriate, giving the faster / more stable link the greater share.

5. Static Route

Go to Network > Static Routes and create a new route.

In the Destination field, select Subnet, and leave the destination IP address and subnet mask as

Select the SD-WAN interface from the dropdown list and ensure the Status is set to Enable.

6. Security Policies

Recreate your security policies and set the Outgoing interface as the SD-WAN interface. If during step 2 you changed any mention of WAN1/WAN2 to use a different interface it’s just a case of changing that interface back to SD-WAN now.

7. Health Monitoring

Now to monitor the status of the links.

Go to Network > Performance SLA and create a new performance SLA. Set the Protocol to Ping and enter two server addresses to use for testing. Add both SD-WAN member interfaces to the Participants field.
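
For anyone who prefers to keep this change as reviewable text, here is a CLI sketch of steps 3, 4, 5 and 7. It is an added example, not taken from the original post or from Fortinet documentation. It assumes FortiOS 6.0/6.2 syntax (later releases move these settings under `config system sdwan`), and the gateway addresses, probe servers, 70/30 ratio and the health-check name `isp-ping` are constructed placeholders.

```fortios
# Steps 3 and 4: enable SD-WAN, add both members, balance by measured volume.
# Gateways are documentation addresses; replace them with your ISPs' gateways.
config system virtual-wan-link
    set status enable
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
            # Placeholder weighting: the better link gets the larger share
            set volume-ratio 70
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
            set volume-ratio 30
        next
    end
    # Step 7: ping-based performance SLA covering both members.
    # The two server addresses are placeholders for your chosen test targets.
    config health-check
        edit "isp-ping"
            set protocol ping
            set server "192.0.2.10" "192.0.2.20"
            set members 1 2
        next
    end
end

# Step 5: static route that hands traffic to the SD-WAN interface.
# The destination is left at the CLI default here.
config router static
    edit 1
        set virtual-wan-link enable
    next
end
```

On the same FortiOS versions, `diagnose sys virtual-wan-link health-check` reports the per-member probe state, which is a quick way to confirm that both links are being monitored before you test failover.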


Congratulations, you are now running SD-WAN. You can check bandwidth, volume, and sessions by going to Network > SD-WAN. Go to Monitor > SD-WAN to see info on sessions and bit rates. To test failover you can disable either one of the interfaces participating in the SD-WAN or simply unplug one of the WAN cables.
