How to Direct Specific Traffic to Specific WAN?

alzaiem, 2018/02/27 02:48:03 (FortiOS 5.6)

How to Direct Specific Traffic to Specific WAN?

Hello Everyone,
We have a FortiGate 140D running FortiOS 5.6. We currently depend on the WAN1 port to access the internet, which is a microwave link. I have a new 4G device which I would like to connect to the FortiGate WAN2 port but use only for Windows Update downloads. I tried to connect the 4G link to the WAN2 port, and suddenly all internet access was disconnected for the users!

How can I use WAN2 only for software updates? Even if it is down, I don't want this traffic to go to WAN1.
Best Regards,
S1nDr3am, 2018/02/27 04:48:53
I think you should be able to achieve this using policy routes.
Make one policy route using the Windows Update servers as the destination and configure WAN2 as the gateway.
After that, create a second policy route so all other traffic uses WAN1 as the gateway.
Policy routes are processed in sequence, so I think this should work.

Good luck
Loic (France), 2018/02/27 04:54:32
You can use SD-WAN with an SD-WAN rule using the "Microsoft-MS.Update" internet service.
More details for SD-WAN:
alzaiem, 2018/02/27 05:45:47
Thank you S1nDr3am and Loic for the advice. I will go through it and see what happens.
Best Regards,
post edited by alzaiem - 2018/02/27 07:16:45
Jeff Roback, 2018/05/21 16:12:05 (marked Helpful by quangvu37, 2018/12/19 06:18:02)
This is a surprisingly complex topic. Here's a KB article I put together for our internal staff on the subject that explains this from a conceptual standpoint:
Setting up Fortinet FortiGate firewalls for dual-WAN scenarios with two or more Internet connections
General strategy for setup:
  1. Static default route for each WAN interface
    • same distance for each route
    • different priority for each route (lower priority wins)
  2. Link health monitor for each route.
    • This is what allows the route to be removed from the routing table if the link is unusable.
    • The route gets removed from the routing table if the IPs given here aren't reachable.
  3. Policy route for traffic that should use the secondary interface (the one with the higher priority)
    • MUST leave the default gateway as
    • This allows it to be removed if that interface goes down.
Routes specify where to send traffic.
This will generally be an interface (wan1, wan2, lan, etc.) or a VPN tunnel to a remote site; the VPN appears as a virtual interface just like an internet connection.
Routing notes:
  • Each policy route is inspected. As soon as one matches, it wins and traffic goes that way.
    • If a policy route refers to an interface that is down (via the link health monitor), then it will be skipped.
  • If no policy route matches, then each static route is inspected, starting from the lowest priority; as soon as traffic matches, it goes that way.
    Note: If you need certain traffic to skip the policy routes (for example forcing certain IPs to use the primary route even though there's a policy route to send that subnet via the secondary route), you can put an entry HIGHER in the list of policy routes for those IP(s) that says "stop policy routing".
Policies specify what is done to the traffic as it passes this interface:
  • Check if traffic is allowed to pass, by source address, destination address, or port
  • What inspection should be done on that traffic (AV, website blocking)
  • NAT of the source IP address (SNAT): changing the private 10.x.x.x address to a public IP address.
DIRECTION of traffic from the FortiGate's perspective is important to understand:
In general, keep in mind that with the FortiGate we are always thinking of traffic in terms of where the traffic first originated (i.e. which machine asked for the traffic).
When an end user is watching a YouTube video, that is controlled by a policy from LAN to WAN. The FortiGate catches the outbound request for the traffic from the user and automatically associates all the inbound traffic from WAN to LAN with that original session.
  • No settings are needed for WAN to LAN for this traffic; even though most of the traffic is flowing from the Internet to the user, it is considered LAN to WAN traffic.
  • Note this uses the SNAT indicated in the WAN to LAN policy to change the source address of the traffic to appear to be coming from a public address; the IP Pool selected in the policy does this.
When someone on the Internet connects to the Exchange server, this is controlled by a policy from WAN to LAN. The FortiGate catches the inbound request from WAN to LAN and automatically allows returning traffic from the server back to the Internet client.
  • Even though most of the traffic will be going from the email server (LAN) to the client (WAN), this is considered a WAN to LAN flow, since it was initiated on the WAN.
  • In this case, the DESTINATION IP is changed (the public IP used by the client on the Internet is mapped to the private IP of the email server using a Virtual IP); this is controlled by the Virtual IP.
Servers that also initiate traffic to the internet and need to use a specific public IP address (like email servers sending SMTP messages out) also need to be set up like clients, so they will also have their own LAN to WAN policy rule with a dedicated IP address (using an IP Pool).
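The policy-route approach from S1nDr3am's reply and the three-step strategy in the post above, written out in FortiOS 5.6 CLI as an added example; this is not configuration from any poster in the thread. The interface names wan1/wan2/internal, the gateway and probe addresses (RFC 5737 documentation ranges) and the address group "WindowsUpdate-Servers" are assumptions, and the real Windows Update destinations still have to be filled in. One caveat worth checking against the original question: as the routing notes say, a policy route whose output interface is down is skipped, so routing alone cannot guarantee that update traffic never falls back to WAN1; the deny firewall policy at the end is what enforces that.

```fortios
# Added example, not from any post in this thread. FortiOS 5.6 CLI.
# Interface names, gateway/probe IPs and address objects are assumed
# placeholders; replace them with your own values.

# Placeholder for the Windows Update destinations (fill in the real ranges)
config firewall address
    edit "WU-EXAMPLE-NET"
        set subnet 192.0.2.0 255.255.255.0   # assumed placeholder, not a Microsoft range
    next
end
config firewall addrgrp
    edit "WindowsUpdate-Servers"
        set member "WU-EXAMPLE-NET"
    next
end

# Step 1: a default route per WAN, same distance, different priority (lower wins)
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1    # assumed WAN1 (microwave) gateway
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1   # assumed WAN2 (4G) gateway
        set device "wan2"
        set distance 10
        set priority 10            # loses to wan1 for all ordinary traffic
    next
end

# Step 2: link monitor per WAN. A failed probe withdraws that WAN's static
# route, which is what makes a policy route pointing at the WAN get skipped.
config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        set server "203.0.113.9"   # assumed probe target reached via WAN1
        set protocol ping
        set update-static-route enable
    next
    edit "wan2-monitor"
        set srcintf "wan2"
        set server "198.51.100.9"  # assumed probe target reached via WAN2
        set protocol ping
        set update-static-route enable
    next
end

# Step 3: policy routes, checked top-down, first match wins
config router policy
    edit 1
        set input-device "internal"
        set srcaddr "all"
        set dstaddr "WindowsUpdate-Servers"
        set gateway 198.51.100.1
        set output-device "wan2"   # update traffic leaves via WAN2
    next
    edit 2
        set input-device "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny            # "stop policy routing": fall through to static routes (wan1)
    next
end

# With wan2 down, policy route 1 is skipped and the updates would match the
# normal LAN-to-wan1 allow policy. Deny them on wan1 first, above the allow.
config firewall policy
    edit 10
        set name "deny-WU-via-wan1"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "WindowsUpdate-Servers"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "WU-via-wan2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "WindowsUpdate-Servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 12
        set name "internet-via-wan1"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Firewall policies are matched by position, not ID, so policy 10 must sit above 12 in the list (CLI-created entries are appended in order). After a WAN2 outage, `get router info routing-table all` should show the wan2 default route gone and `diagnose firewall proute list` still listing policy route 1, which is then skipped at lookup time.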
New Member, 2020/06/10 04:42:40
1. Log in to the SonicWall management GUI.
2. Click MANAGE on the top bar, navigate to Network and then click Routing.
3. Click Add to create a Static Route. In the pop-up window there are several options available to you, all of which are important to understand.
  • The Source field refers to where the traffic will be coming from. In the example below we want to apply this Route to any traffic coming from any Interface with the LAN designation.
  • The Destination field refers to where the traffic is going. In the example below we select Any since we can't list all the destinations; instead we're specifying by Protocol.
  • The Service field refers to the type of traffic this Route should apply to. We've selected HTTP, so any packets going over Port 80 which ALSO come from a LAN Zone Interface/Subnet will be subject to this Route.
  • The Gateway field is where the traffic will be sent to. In this instance we have our Backup ISP on the X2 Interface and want to use it for this HTTP traffic, so we select the X2 Default Gateway.
  • The Interface field is what Interface the Gateway we've chosen exists on. In this case we're using our ISP on X2, so we choose X2.

  NOTE: The Metric field refers to what weight this Route should have, with lower being a higher priority. In this example we've chosen 10.
Platinum Member (Regensburg), 2020/06/10 07:10:01
Yeah, that is the way to do it without using SD-WAN :)
If you could use SD-WAN it is much easier:
  - enable SD-WAN and add all WANs to it.
  - create an SD-WAN rule for MS Update (like written before)
  - create a second rule for all other traffic (needed because the rest would otherwise match the load-balancer rule, and that would cause it to use both WANs; you don't need it if you do not mind other traffic using WAN2 too and only want to force MS Update to use WAN2)
  - create a policy for traffic to the internet that has SD-WAN as the destination interface
  - create a default route with SD-WAN as the interface
Optionally: create a health check on SD-WAN to have failover if one link is gone.
Then MS Update will use WAN2 as long as it works and fail over to WAN1 if WAN2 is gone or offline.