Handbook

Dual Internet connections

6.0.0

Dual Internet connections

Dual Internet connections, also referred to as dual WAN or redundant Internet connections, refer to using two FortiGate interfaces to connect to the Internet. You can use dual Internet connections in several ways:

  • Redundant interfaces: If one interface goes down, the second interface automatically becomes the main Internet connection.
  • Load sharing: This ensures better throughput.
  • Use a combination of redundancy and load sharing.

Redundant interfaces

Redundant interfaces ensure that if your Internet access is no longer available through a certain port, the FortiGate uses an alternate port to connect to the Internet.

In this scenario, two interfaces, WAN1 and WAN2, are connected to the Internet using two different ISPs. WAN1 is the primary connection. In the event of a failure of WAN1, WAN2 automatically becomes the connection to the Internet. For this configuration to function correctly, you must configure the following settings:

  • Configure a link health monitor to determine when the primary interface (WAN1) is down and when the connection returns.
  • Configure a default route for each interface.
  • Configure security policies to allow traffic through each interface to the internal network.

Link health monitor

Adding a link health monitor is required for routing failover traffic. A link health monitor confirms the connectivity of the device's interface, and you can also use it to detect possible routing loops. You configure the FortiGate to ping a gateway at regular intervals to confirm that it is online and working; when the gateway stops responding, the FortiGate marks that interface as down, so that traffic is no longer routed out of an interface that cannot reach its next router.

Set the interval (how often to send a ping) and failtime (how many consecutive lost pings count as a failure). A smaller interval and a smaller number of lost pings result in faster detection but create more traffic on your network. You may also want to log CPU and memory usage, as a network outage will cause your CPU activity to spike.

The link health monitor supports both IPv4 and IPv6. For IPv6, it supports the ping6 protocol only.

To add a link health monitor (IPv4) - CLI:

config system link-monitor
    edit <link-monitor-name>
        set addr-mode ipv4
        set srcintf <interface-name>
        set server <server-IP-address>
        set protocol {ping tcp-echo udp-echo http twamp}
        set gateway-ip <gateway-IP-address>
        set source-ip <IP-address>
        set interval <seconds>
        set failtime <retry-attempts>
        set recoverytime <number-of-successful-responses>
        set ha-priority <priority>
        set update-cascade-interface {enable | disable}
        set update-static-route {enable | disable}
        set status enable
    next
end

To add a link health monitor (IPv6) - CLI:

config system link-monitor
    edit <link-monitor-name>
        set addr-mode ipv6
        set srcintf <interface-name>
        set server <server-IP-address>
        set protocol ping6
        set gateway-ip6 <gateway-IP-address>
        set source-ip6 <IP-address>
        set interval <seconds>
        set failtime <retry-attempts>
        set recoverytime <number-of-successful-responses>
        set ha-priority <priority>
        set update-cascade-interface {enable | disable}
        set update-static-route {enable | disable}
        set status enable
    next
end

Routing

You must configure a default route for each interface and indicate which route is preferred by specifying the distance. The route with the lower distance is declared active and placed higher in the routing table.

When you have dual WAN interfaces that are configured to provide failover, you might not be able to connect to the backup WAN interface because the FortiGate may not route traffic (even responses) out of the backup interface. The FortiGate performs a reverse path lookup to prevent spoofed traffic: if the routing table has no entry that would send the return traffic out of the interface the packet arrived on, the incoming packet is dropped. While the primary route is active, only it is in the routing table, so connections arriving on the backup interface fail this check.

To configure the routing of the two interfaces - GUI:
  1. Go to Network > Static Routes and select Create New.
  2. Enter the following information and select OK.

     Destination: For an IPv4 route, enter a subnet of 0.0.0.0/0.0.0.0. For an IPv6 route, enter a subnet of ::/0.

     Interface: Select the primary connection. For example, wan1.

     Gateway Address: Enter the gateway address.

     Administrative Distance: Leave as the default of 10.

  3. Repeat these steps to set Interface to wan2 and Administrative Distance to 20.

To configure the routing of the two interfaces - CLI:

config router {static | static6}
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device WAN1
        set gateway <gateway_address>
        set distance 10
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device WAN2
        set gateway <gateway_address>
        set distance 20
    next
end

Security policies

When you create security policies, you need to configure duplicate policies for the second interface to ensure that, after traffic fails over from WAN1 to WAN2, regular traffic is allowed through WAN2 as it was through WAN1. This ensures that failover occurs with minimal effect on users.
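A worked failover configuration that ties together the three settings listed under Redundant interfaces (link health monitor, default routes with different distances, duplicate security policies), added here as an example and not taken from the handbook. It assumes constructed values: the LAN on port1, wan1 with gateway 203.0.113.1 and wan2 with gateway 198.51.100.1; settings left at their defaults (such as protocol ping) are omitted.

```fortios
# Added example (not from the handbook); constructed: wan1 gw 203.0.113.1, wan2 gw 198.51.100.1, LAN port1
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "203.0.113.1"
        set gateway-ip 203.0.113.1
        # 3 lost pings at 5 s intervals: wan1 is marked down after about 15 s
        set interval 5
        set failtime 3
        # withdraw wan1's static route while down so the distance-20 route becomes active
        set update-static-route enable
    next
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set gateway 198.51.100.1
        set distance 20
    next
end
# Policy 2 duplicates policy 1 for the backup link; without it, failed-over traffic is dropped
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "port1"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Probing only the ISP gateway detects a dead link but not an outage further upstream behind a still-reachable gateway; pointing server at a host beyond the gateway catches both. The current monitor state can be checked with diagnose sys link-monitor status.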

Load sharing

Load sharing allows you to use both connections to the Internet at the same time, but doesn't provide failover support. When configuring load sharing, you need to make sure that the static routes for both external ports (for example, WAN1 and WAN2) have the same distance and priority.

Link redundancy and load sharing

In this scenario, Internet traffic is distributed over both links. Should one of the interfaces fail, the FortiGate continues to send traffic over the other active interface. Configuration is similar to the Redundant interfaces configuration, with the main difference being that the configured routes should have equal distance settings.

This means both routes remain active in the routing table. To make one interface the preferred interface, use a default policy route to indicate the interface that is preferred for accessing the Internet. If traffic matches the policy, it overrides all entries in the routing table, including connected routes. You may need to add specific policy routes that override these default policy routes.

To redirect traffic over the secondary interface, create policy routes to direct some traffic onto it rather than the primary interface. When adding the policy route, only define the outgoing interface and leave the gateway blank. This ensures that the policy route won't be active when the link is down.
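A worked load-sharing configuration for the scenario above, added here as an example and not taken from the handbook. It assumes constructed values: port1 carries the LAN 10.0.10.0/24 and a guest subnet 10.0.20.0/24, wan1 has gateway 203.0.113.1 and wan2 has gateway 198.51.100.1; security policies for both WAN interfaces are configured as described under Security policies.

```fortios
# Added example (not from the handbook); constructed: port1 carries 10.0.10.0/24 and guest 10.0.20.0/24,
# wan1 gateway 203.0.113.1, wan2 gateway 198.51.100.1
# Equal distance and priority keep both default routes active, so traffic is shared across both links
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 0
    next
end
# Steer the guest subnet out of wan2. Deliberately no "set gateway": with the gateway left blank
# the policy route goes inactive when wan2 is down and guest traffic falls back to the routing table
config router policy
    edit 1
        set input-device "port1"
        set src "10.0.20.0/255.255.255.0"
        set output-device "wan2"
    next
end
```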

SSL VPN and WAN link load balancing

You can set virtual WAN link interfaces as destination interfaces in firewall policies for WAN link load balancing, when SSL VPN is the source interface. For example, you can log in to a FortiGate using an SSL VPN for traffic inspection and then have outbound traffic load balanced by WAN link load balancing.

You can set a virtual WAN link interface as a destination interface in a firewall policy where SSL VPN is the source interface, using either the FortiGate GUI (FortiOS 5.6.1 and later) or CLI.

To configure a virtual WAN link interface - CLI:

config firewall policy
    edit <policy ID>
        set dstintf virtual-wan-link
    next
end
