FortiGate
ppatel
Staff
Article Id 196003
Description
WAN load balance (volume based) and redundant Internet connections.

Solution
1. Connecting ISPs to the FortiGate

Connect the ISP devices to the FortiGate so that the ISP that will carry most of the traffic is connected to WAN1 and the other ISP is connected to WAN2.

2. Deleting security policies and routes that use WAN1 or WAN2

An interface cannot be added to the WAN link interface if it is already used in the FortiGate’s configuration, so any policies or routes that use either WAN1 or WAN2 must first be deleted.

3. Creating a WAN link interface

Go to Network > WAN LLB.

Set WAN Load Balancing to Volume. This distributes traffic across the members by volume, measured in bytes.

Select Create New and add WAN1 and WAN2 to the list of Interface Members. For each member, set Status to Enable and set the Gateway IP to the address provided by the ISP.

Under Load Balance Algorithm, select Volume and set the Weight for WAN1 and WAN2.

The weight settings will cause 60% of traffic to use WAN1, with the remaining 40% using WAN2.

4. Creating a WAN status check (Health Check)

5. Creating a default route for the WAN link interface

Go to Network > Static Routes and create a new default route. Set Device to the WAN link interface.

6. Allowing traffic from the internal network to the WAN link interface

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the internal network’s interface and set Outgoing Interface to the WAN link interface. Turn on NAT.

Scroll down to view the Logging Options. To view the results later, turn on Log Allowed Traffic and select All Sessions.

7. Results

Browse the Internet using a PC on the internal network and then go to FortiView > All Sessions.

Ensure that the Dst Interface column is visible in the traffic log. If it is not shown, right-click on the title row and select Dst Interface from the dropdown menu. Scroll to the bottom of the menu and select Apply.

The log shows traffic flowing through both WAN1 (mgmt) and WAN2 (ppp1).

Disconnect the WAN1 port, continue to browse the Internet, and refresh the traffic log. All traffic now flows through WAN2 (ppp1) until WAN1 is reconnected.

Note: In this example, the mgmt interface is used as WAN1 and the ppp1 interface as WAN2.
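
The check in step 7 can also be done on exported traffic logs instead of reading the Dst Interface column by eye. The script below is an added example, not part of the original article or Fortinet code: it sums bytes per destination interface and reports any member whose share is far from the expected 60/40 split. The sample log lines, the 5-point tolerance and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed, abbreviated sample lines in FortiGate key=value traffic-log style.
SAMPLE_LOG = """\
date=2024-01-01 time=10:00:01 type="traffic" subtype="forward" srcintf="internal" dstintf="mgmt" sentbyte=4000 rcvdbyte=56000
date=2024-01-01 time=10:00:02 type="traffic" subtype="forward" srcintf="internal" dstintf="ppp1" sentbyte=3000 rcvdbyte=37000
date=2024-01-01 time=10:00:05 type="traffic" subtype="forward" srcintf="internal" dstintf="mgmt" sentbyte=1000 rcvdbyte=29000
date=2024-01-01 time=10:00:09 type="traffic" subtype="forward" srcintf="internal" dstintf="ppp1" sentbyte=2000 rcvdbyte=18000
date=2024-01-01 time=10:00:11 type="event" subtype="system" msg="constructed non-traffic line"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def volume_by_interface(log_text):
    """Sum sent+received bytes per destination interface for traffic logs."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("type") != "traffic" or "dstintf" not in fields:
            continue  # skip event logs and incomplete lines
        try:
            totals[fields["dstintf"]] += (int(fields.get("sentbyte", 0))
                                          + int(fields.get("rcvdbyte", 0)))
        except ValueError:
            continue  # malformed byte counter
    return dict(totals)


def share_percent(totals):
    """Convert byte totals to percentage shares (empty dict if no traffic)."""
    grand = sum(totals.values())
    return {i: round(100 * b / grand, 1) for i, b in totals.items()} if grand else {}


def check_split(totals, expected, tolerance=5.0):
    """Return members whose share is off the expected percentage by > tolerance."""
    shares = share_percent(totals)
    return {i: shares.get(i, 0.0) for i, want in expected.items()
            if abs(shares.get(i, 0.0) - want) > tolerance}


if __name__ == "__main__":
    totals = volume_by_interface(SAMPLE_LOG)
    print(share_percent(totals))
    print(check_split(totals, {"mgmt": 60, "ppp1": 40}))
```

A short capture will rarely match the weights exactly, so run it over a longer log window. During the WAN1 disconnect test, the expected result is that ppp1 carries 100% and mgmt is reported as deviating.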
