
How to Configure Two Internet Connections for Failover (Without Load Balancing) on FortiGate

This article walks through configuring two Internet connections on a FortiGate for failover, using a link monitor to detect a failed primary link, without load-balancing traffic between them.

To run two Internet connections on a FortiGate without load-balancing, you give each WAN interface its own default route and let administrative distance decide between them: the route with the lower distance is the only one installed in the routing table, and the higher-distance route waits in standby. A link monitor probes a host beyond the primary ISP's gateway and withdraws the primary default route when the probes fail, at which point the standby route takes over. Without that monitor, failover happens only when wan1 physically loses link; an ISP outage that leaves the interface up would black-hole all outbound traffic. No traffic is spread across the two links at any time. The steps below build this configuration.

Step 1: Physical Connection Setup

  1. Connect Your Interfaces:
    • Connect your primary Internet connection to one WAN port (e.g., wan1).
    • Connect your secondary Internet connection to another WAN port (e.g., wan2).

Step 2: Configure Interfaces

  1. Access FortiGate GUI:

    • Log in to your FortiGate firewall through its web interface.
  2. Navigate to Network Interfaces:

    • Go to Network > Interfaces.
  3. Configure Primary WAN Interface (wan1):

    • Select wan1.
    • Set the IP address, subnet mask and, for DHCP or PPPoE, the gateway settings provided by your primary ISP.
    • Keep administrative access (HTTPS, SSH) disabled on the WAN interface; allow only what you need, such as PING for external reachability tests.
  4. Configure Secondary WAN Interface (wan2):

    • Select wan2.
    • Set the IP address, subnet mask and gateway settings for your secondary ISP.
    • Enable this interface as well. If either interface gets its address by DHCP or PPPoE, also set its Distance so the ISP-supplied default route does not outrank the static routes created in Step 3 (or disable "Retrieve default gateway from server" and manage both routes statically).

Step 3: Configure Static Routes

  1. Create Route for Primary Connection:

    • Navigate to Network > Static Routes.
    • Click on “Create New”.
      • Set Destination as 0.0.0.0/0 (default route).
      • Set Device as wan1.
      • Enter the Gateway IP provided by your primary ISP.
      • Leave Distance (administrative distance) at the default of 10; of two routes to the same destination, the one with the lower distance is installed in the routing table.
  2. Create Route for Secondary Connection:

    • Click on “Create New” again.
      • Set Destination as 0.0.0.0/0.
      • Set Device as wan2.
      • Enter the Gateway IP provided by your secondary ISP.
      • Set Distance higher than that of the primary route, for example 20. This route is held in standby and is installed only while the wan1 route is absent.

Step 4: Configure a Link Monitor

Administrative distance alone only reacts to loss of link on wan1. To fail over when the primary ISP is up at layer 2 but has no Internet reachability, add a link monitor that probes a host beyond the ISP gateway and withdraws the wan1 static route when the probes fail:

  1. Create the Link Monitor:

    • Link monitors are configured from the CLI (config system link-monitor); open the CLI console from the GUI or connect over SSH.
    • Set the source interface to wan1 and the gateway IP to the primary ISP's gateway so the probe is pinned to wan1 and cannot leak out through wan2 after failover.
    • Probe a stable host past the ISP gateway (a public DNS resolver, for example) rather than the gateway itself, which may still answer while the ISP's upstream is down.
    • Use ping or HTTP probes, set sensible fail and recovery counts, and keep the "update static route" option enabled so the wan1 default route is removed while the link is marked dead and restored once the recovery threshold is met.
  2. Alternative: SD-WAN Performance SLA:

    • If the WAN interfaces are already SD-WAN members, a Performance SLA health check under Network > SD-WAN provides the same detection. Only take this route if you are using SD-WAN anyway, since adding interfaces to SD-WAN changes how routes and policies are evaluated.

Step 5: Firewall Policies

  1. Set Up Firewall Policies:

    • Go to Policy & Objects > Firewall Policy (IPv4 Policy on older FortiOS releases).
    • Create a policy allowing traffic from the internal network out through wan1, with NAT enabled.
    • Create a second, otherwise identical policy with wan2 as the outgoing interface. Policies are matched on the actual egress interface, so without this policy traffic is dropped the moment the routing table switches to wan2.
    • Scope both policies to the internal source subnet and the services you need; the backup policy should not be broader than the primary one.
  2. Ensure Proper Logging and Monitoring:

    • Enable logging of all sessions on both policies so the traffic log shows which interface carried each session; this is also how you confirm that failover and failback really happened.
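The complete CLI equivalent of Steps 2 through 5, as an added example that is not taken from the article or from Fortinet's documentation. The addresses (203.0.113.0/24 for the primary ISP, 198.51.100.0/24 for the backup), the LAN interface name internal, the probe target 8.8.8.8 and the object names are assumptions; substitute your own. Option names are those of the FortiOS 6.x/7.x CLI, and static addressing is assumed on both WAN ports.

```fortios
# Added example, not from the article. Addresses, interface and object
# names are placeholders.

# Step 2: WAN interfaces. Admin access stays off; only ICMP is allowed
# so the ISP side can be reached for troubleshooting.
config system interface
    edit "wan1"
        set mode static
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping
        set role wan
    next
    edit "wan2"
        set mode static
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping
        set role wan
    next
end

# Step 3: two default routes. Distance 10 (wan1) is installed; distance 20
# (wan2) is standby and appears in the routing table only when the wan1
# route is withdrawn.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set comment "Primary ISP"
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
        set comment "Backup ISP"
    next
end

# Step 4: link monitor. The probe is sourced from wan1 and forced through
# the primary ISP gateway (gateway-ip) so it can never succeed via wan2.
# Three consecutive failures pull the wan1 default route; three successes
# put it back.
config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        set server "8.8.8.8"
        set gateway-ip 203.0.113.1
        set protocol ping
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end

# Step 5: one outbound policy per egress interface, both with source NAT
# and full session logging. Without policy 2, failover would route
# traffic to wan2 and then drop it for lack of a matching policy.
config firewall policy
    edit 1
        set name "LAN-to-WAN1"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 2
        set name "LAN-to-WAN2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Paste the block into the CLI console or load it as a CLI script. The probe interval is left at its default because its unit changed between FortiOS releases; check the unit for your version before setting it. Replace "all" in srcaddr with an address object for your LAN subnet in production so neither policy accepts spoofed sources from the inside.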

Step 6: Testing Failover

After completing these configurations, test both failure modes, not just the unplugged cable:

  1. Disconnect or disable the primary WAN connection (wan1). Then, as a separate test, leave wan1 up but make its probe target unreachable upstream, to confirm that the link monitor, and not only loss of link, triggers failover.
  2. Verify that traffic begins routing through wan2: the active default route in the routing table (get router info routing-table all) should now point at wan2, the link monitor should report wan1 as dead (diagnose sys link-monitor status), and new sessions in the traffic log should show wan2 as the destination interface.
  3. Reconnect or enable wan1, wait for the recovery threshold to be met, and check that the wan1 default route is reinstalled and new sessions use wan1 again.

Sessions that were already source-NATed out through wan1 are not moved to wan2 by default; they stall until they time out or are cleared. If you need them to follow the route change, enable the snat-route-change option under config system global.

This configuration allows you to maintain two separate internet connections where one acts solely as a backup without any load balancing between them.

