Set Up SD-WAN with Two Internet Links
SD-WAN (Software-Defined WAN) is FortiGate's smart multi-WAN feature. With two or more internet connections, SD-WAN automatically:
- Load-balances outbound traffic across links.
- Fails over instantly when one link degrades (latency, packet loss, jitter, or down).
- Steers specific apps over specific links (e.g. SaaS over fiber, backups over LTE).
Setting up SD-WAN replaces the older "two default routes + link monitor" approach.
Before You Start
- Two WAN interfaces configured with their own IPs and gateways.
- A clear idea of your SLA targets (e.g. "VoIP must use the link with < 20ms latency").
- A target to ping for health checks (e.g. 8.8.8.8 or your own monitoring host).
Steps
1. Create the SD-WAN Zone
- Network → SD-WAN → SD-WAN Zones → + Create New Zone.
- Fill in:
    - Name — e.g. wan-zone.
    - Interface Members — pick wan1 and wan2.
    - Per member, set Gateway IP if it differs from the interface config.
- OK.
2. Convert existing routes to use the zone
Replace your old default routes on wan1 and wan2 with a single default route on wan-zone:
- Network → Static Routes → delete old defaults on individual WANs.
- + Create New → Destination 0.0.0.0/0, Interface wan-zone. Save.
3. Update firewall policies
Replace policies referencing wan1 / wan2 with policies on wan-zone. Or use the zone in addition.
Verify
get system sdwan service
diagnose sys sdwan service
The output should show both members active. Send traffic; both links should carry it (per the load-balance algorithm).
Common Issues
- All traffic uses only one WAN. The load-balance algorithm is set to "auto", which picks one link. Change it to per-session for true balancing, or define SD-WAN Rules for steering.
- Both WANs show "down" in SD-WAN. Health check failing on both. See Create Performance SLAs.
- Policies break after adding zone. Firewall policies still reference wan1 directly. Migrate to wan-zone.
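
An added example, not part of the original page or of Fortinet tooling: a Python check over a saved configuration backup that lists firewall policies and static routes still naming wan1 or wan2 directly, the leftovers that steps 2 and 3 are meant to remove. The sample config is constructed, and `find_member_references` and `WATCHED` are hypothetical names.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "lan"
        set dstintf "wan-zone"
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan2"
    next
end
"""

# Top-level sections to audit and the settings in them that name an interface.
WATCHED = {"firewall policy": ("srcintf", "dstintf"), "router static": ("device",)}

def find_member_references(config_text, members=("wan1", "wan2")):
    """Return (section, entry_id, setting, member) for each direct member reference."""
    hits, stack, entry = [], [], None
    for raw in config_text.splitlines():
        words = raw.split(None, 2)
        if not words:
            continue
        if words[0] == "config":            # entering a (possibly nested) section
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:   # leaving the innermost section
            stack.pop()
        elif len(stack) == 1 and words[0] == "edit" and len(words) > 1:
            entry = words[1].strip('"')     # policy or route id
        elif len(stack) == 1 and len(words) == 3 and words[0] == "set":
            if words[1] in WATCHED.get(stack[0], ()):
                for name in re.findall(r'"([^"]+)"', words[2]):
                    if name in members:
                        hits.append((stack[0], entry, words[1], name))
    return hits

if __name__ == "__main__":
    for hit in find_member_references(SAMPLE_CONFIG):
        print(hit)
```

An empty result means no audited policy or static route bypasses wan-zone by naming a member interface.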