Agreed.  The entire purpose of SD-WAN is to make the two interfaces appear as one to make it smoother and easier to do things like balancing/sharing/etc. No reason to set it up if you're not going to use the functionality it provides.

Thanks for the answer. Is this CLI only? I have an 60E and I don't see any GUI for that.

The easiest way to do it is right from the plain old routing setup in the GUI. Set both interfaces as active routes, but have heavily mismatched cost/weight settings.  Everything will default to the primary link as path of least resistance until something happens to not let traffic pass. 

 

It does need to be in CLI. You do need the priority and/or distance to be different as mentioned above. But, you also need a link-monitor defined which is CLI only now. If you don't it won't actually remove the static route when WAN1 goes down(unless the actual physical link breaks to bring the interface down)

 

You only need to configure one to monitor WAN1, since if WAN2 goes down it doesn't effect anything as everything is going WAN1 anyways.

 

config sys link-monitor

edit 1

set server 8.8.8.8 (or whatever you want to ping to determine failure)

set srcintf wan1

set update-cascade-interface disable

end

 

 

Also, don't forget the rules to allow traffic out WAN2

You can use SD-WAN to perform Backup easily.

Consider putting all interfaces in the SD-WAN one. Then create 2 SD-WAN Rules.

First rule with Primary interface as Member.

Second rule with Second interface as Member.

 

SD-WAN is more visual and powerful that policy based routing, link monitor, and can achieve more complex scenario based on Availability of remote service, or SLA. Instead of relying on next step interface status.

 

You could write for example following with SD-WAN Rules:

Network A -> Use Primary link LINK1 / Use Backup link LINK2

Network B -> Use Primary link LINK2 / Use Backup link LINK1

Network C -> load-balance through LINK1 & LINK2

 

Even if you intention today is only to perform Backup, because of cost or instability of the Backup link, consider usiong the SD-WAN, for future date when you would decide to change your uplink strategy. No change will be necessary to the configuration being ready to work. If binding tens of policies or features to a physical interface stick the configuration to a physical model, harder to change later.

 

My contribution.

Can anyone provide an update concerning the objective that the original post author described. We have a small office with a fiber connection on WAN1 and a cellular hot spot connection on WAN2. If it is feasible to accomplish this objective with SD-WAN it would later ally us to replace the cellular connection with something else with less firewall reconfiguration needed. Also, is there a way to send a notification if either WAN1 or WAN2 goes down do that we can begin troubleshooting the WAN outage right away?

Forgot to mention, currently using FortiOS 6.0.9.

hm I am running into the same issue more a less:

 

I have two or three internetlinks that should be used for load balancing

plus a cellular one that should only be used as fallback when all others are down.

 

I now did this test on a FGT running 6.2.4

[ul]

enable sdwan

configure all three wan links and add them to sdwan

configure performance sla (health check)

set up implicent sdwan rule

set up a new sdwn rule for some network on fmg to go to internet via isp 1+2 with bandwith maximization

set up a new sdwan rule for the same network to go to internet via cellular only (set to manual and specific interface)

set performance sla to not update default route

set a static default route to sdwan[/ul]

I then plugged in a client to a port that is in the subnet to match the sdwan rules and gave it an ip (mandatory ;) ).

Then I looked at the external ip it went out to the internet. It was isp1 or isp2 wan ip. Correct so far.

So it matched rule #1 and went over the loadbalancer with isp1 and 2. Fine so far.

Now I unplugged isp1 and 2 - so all are down except the cellular one.

Performance sda confirms that to me.

Looking at the wan ip on my client again shows it now went out over the cellular link (Fallback). Fine too.

I plugged isp1 and 2 back in then and after some seconds (maybe delayed by browser cache) I could see it was going out to the internet over isp1 or 2 again. Fine.

 

Just I am not sure if that is authentic with only one client. Plus we do not have 6.2 on our other FGT...