Fortigate 60D—How to Setup SD-WAN & WAN Failover

Introduction:

In environments where you want to guarantee the highest uptime, you'll want to have two separate ISPs to ensure that your network never faces any downtime. Although you could argue that you'd want hardware as well as SP (Service Provider) redundancy, this setup will get you 80% of the way there. The Fortinet Fortigate 60D has two WAN links specifically for this purpose.

Prerequisites:

In order to perform the following steps, you must be in possession of a FortiGate 60D with an active subscription to Fortinet's signature database.


Caveats:

As per Fortinet:
"You will not be able to add any interface to the SD-WAN interface that is already used in the FortiGate's configuration. So, in this scenario, you must delete any security policies that use either WAN1 or WAN2, such as the default Internet access policy. Traffic will not be able to reach WAN1 or WAN2 through the FortiGate after you delete the existing policies."

Quick tip: if you have any security policies established that reference WAN1 and/or WAN2, you'll want to redirect those policies to unused ports so as not to delete them.

Step 1: Physical hookup

Connect each respective ISP to either one of the WAN links on the back of the Fortigate 60D labelled WAN1 and WAN2.

Step 2: Creating the SD-WAN Interface

Head to the configuration page and click on Network and then SD-WAN. Set the Interface State to "Enable" (it will be colored green).

Make sure to add the two WAN interfaces so that they're listed below the SD-WAN status.

Step 3: Enabling the Load Balancing Algorithm

Go to Load Balance Algorithm and select the Volume tab. You are then able to change the weight metric to alter how much traffic you want going over each WAN link. The weights are percentages that together add up to 100, so you can decide how much of your network's traffic should traverse each link.

Step 4: Configure SD-WAN Health Check

To ensure that WAN failover occurs properly, you will have to set up a health check that pings a remote host for connectivity. If either of the WAN links drops a certain number of ICMP requests, the FortiGate will seamlessly move all traffic to the working WAN link. Your users or CTO will never suspect a thing.

To do so, click on Network, then Edit SD-WAN Status Check, and configure it to ping a remote host.

Quick tip: It's generally recommended not to use a DNS server (like Google's 8.8.8.8) to ping as they rate-limit ICMP requests and that can cause a false failover.

Step 5: Configuring all local traffic to get routed to the SD-WAN interface

Head to Policy & Objects, then IPv4 Policy, and click "Create New".

Set the Incoming Interface to the physical interface you're using for your LAN and set the Outgoing Interface to the SD-WAN interface that you created.

Make sure to enable NAT and apply any necessary security profiles.

To ensure things are working properly, enable Log Allowed Traffic for All Sessions. You can now re-enable any security policies that you pointed at other interfaces at the start.

Now that everything is hunky-dory, you can view the SD-WAN statistics by going to Network, SD-WAN, and SD-WAN Usage.

If you have some downtime, you can test that the failover works by unplugging one of the ISP hand-offs going to a WAN link and watching traffic automatically switch to the other link. Once you plug it back in, it will automatically switch back.
