Using two ISPs for redundant Internet connections


[Network diagram: Internal Network, LAN, FortiGate, WAN 1, WAN 2, Internet, ISP 1, ISP 2]

1. Configuring connections to the two ISPs

2. Adding security policies

3. Configuring failover detection and spillover load balancing

4. Results

Using two ISPs for redundant Internet connections

This example describes how to improve the reliability of a network connection using two ISPs. The example includes the configuration of equal cost multi-path load balancing, which efficiently distributes sessions to both Internet connections without overloading either connection.

Configuring connections to the two ISPs

Go to System > Network > Interfaces and configure the wan1 and wan2 connections. Make sure that both use DHCP as the Addressing mode and have Retrieve default gateway from server and Override internal DNS enabled.

Adding security policies

Go to Policy > Policy > Policy.

Create a security policy for the primary interface connecting to the ISPs and the internal network.

Create a security policy for each interface connecting to the ISPs and the internal network.

Configuring failover detection and spillover load balancing

Go to Router > Static > Settings.

Create two new Dead Gateway Detection entries.

Set the Ping Interval and Failover Threshold to a smaller value for a more immediate reaction to a connection going down.

Go to Router > Static > Settings and set the ECMP Load Balancing Method to Spillover.

The Spillover Threshold value is calculated in kbps (kilobits per second). However, the bandwidth on interfaces is calculated in kBps (kilobytes per second).

For the wan1 interface, Spillover Threshold = 100 kbps = 100000 bps. Assume that 1000 bps is equal to 1024 bps. Thus, 100000 bps = 102400 bps = 102400/8 Bps = 12800 Bps.

Results

Go to Log & Report > Traffic Log > Forward Traffic to see network traffic from different source IP addresses flowing through both wan1 and wan2.

Disconnect the wan1 port on the FortiGate unit to see that all traffic automatically goes through the wan2 port until wan1 is available again.
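The two checks in the Results step can also be run against exported forward traffic logs. The script below is an added example, not part of the original recipe: it parses key=value log lines and reports which source IPs left through each WAN interface. The sample lines are constructed and trimmed to a few fields, and the function names and the 10:05:00 unplug time are assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample in key=value traffic-log style; wan1 is assumed unplugged at 10:05:00.
SAMPLE_LOG = '''\
date=2014-03-01 time=10:00:01 type=traffic subtype=forward srcip=192.168.1.10 srcintf="internal" dstintf="wan1"
date=2014-03-01 time=10:00:02 type=traffic subtype=forward srcip=192.168.1.11 srcintf="internal" dstintf="wan2"
date=2014-03-01 time=10:00:03 type=traffic subtype=local srcip=192.168.1.1 srcintf="internal" dstintf="wan1"
date=2014-03-01 time=10:00:04 type=traffic subtype=forward srcip=192.168.1.12 srcintf="internal" dstintf="wan1"
date=2014-03-01 time=10:05:10 type=traffic subtype=forward srcip=192.168.1.10 srcintf="internal" dstintf="wan2"
date=2014-03-01 time=10:05:12 type=traffic subtype=forward srcip=192.168.1.12 srcintf="internal" dstintf="wan2"
'''

def parse_line(line):
    """Turn one key=value log line into a dict; shlex strips the value quotes."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def forward_records(text):
    """Yield only the forward-traffic records, skipping local and other subtypes."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("type") == "traffic" and rec.get("subtype") == "forward":
            yield rec

def sources_by_wan(text, since="00:00:00"):
    """Map each egress interface to the source IPs seen at or after `since`.

    Times are compared as HH:MM:SS strings, so the log must cover a single day.
    """
    seen = defaultdict(set)
    for rec in forward_records(text):
        if rec.get("time", "") >= since and "dstintf" in rec and "srcip" in rec:
            seen[rec["dstintf"]].add(rec["srcip"])
    return dict(seen)

def both_links_used(text):
    """First Results check: sessions were distributed over wan1 and wan2."""
    used = sources_by_wan(text)
    return bool(used.get("wan1")) and bool(used.get("wan2"))

def failed_over(text, unplugged_at):
    """Second Results check: after the unplug time, every session left via wan2."""
    return set(sources_by_wan(text, since=unplugged_at)) == {"wan2"}

if __name__ == "__main__":
    print(sources_by_wan(SAMPLE_LOG))
    print("both links used:", both_links_used(SAMPLE_LOG))
    print("failed over to wan2:", failed_over(SAMPLE_LOG, "10:05:00"))
```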