Connectivity balancing in Fortigate

If we want to configure the firewall so that, when one internet connection goes down, traffic automatically goes out through the other and users "almost" do not notice, we have to follow the steps in this procedure. It applies to any Fortigate. Logically, what you need are two connections from different providers in the organization; for example, we can have Timofonica on WAN1 and Güanadú on WAN2, so that if the Timofonica connection drops (something quite frequent) the Güanadú connection is brought up.

Normally both WANs are already configured, WAN1 with one IP and the other WAN with another IP.

If you have not done so yet, you have to create a static route with a lower weight so that it is clear which connection you will use to go out to the Internet and, if it fails, which one you should bring up. To create this route go to "Router" > "Static" > "Create New". We can see that the one I already have (by default) has a Distance of 10.

When creating the static route for WAN2 (which is not created by default), in "Device" we must select "WAN2", in "Gateway" we put the gateway of this connection, which is the one our WAN provider gives us (in this case Güanadú), and in "Distance" we put a higher value than the other route had; for example we give this one 20 so that it is not the preferred connection. Click "OK" to save the changes.

OK, now we are going to set up what are called the "Ping Servers". This is as simple as the firewall sending plain PINGs to an IP address; as soon as that address stops responding, the firewall understands that WAN1 is down and that it has to bring up WAN2. For this, we first edit WAN1.

We put a public IP address in "Ping Server" and enable it by checking "Enable". I put, for example, an IP of www.google.com (216.239.59.104); as long as we use a public address that we know will ALWAYS be online, that is perfect. Click "OK" to save the changes.

Good, now we do the same with WAN2: we edit it.

We enter the Ping Server and enable it. Click "OK" to save.

Now we will create a rule so that, if the WAN1 internet connection goes down, traffic can go out through WAN2. For this, we go to "Firewall" > "Policy" and click "Create New".

We configure it as we see fit. The usual setting is "Source Interface" > "INTERNAL" and "Destination Interface" > "WAN2"; we enable NAT if we need it by checking its box, and click "OK" to save the changes.

We check that we now have both rules: the one from INTERNAL to WAN1 (which comes by default) and the one we have just created from INTERNAL to WAN2. Normally, if we have services published inwards, for example a web server, we will have a rule that sends everything arriving on port 80 of WAN1 to that web server; what we have to do is create an identical one so that, if WAN1 goes down, everything arriving on port 80 of WAN2 is sent to the same web server. The same goes for any other service: for example, if we have a mail server inside, in the DNS zone of our public domain we will create a second MX record, with a lower priority than the one we already have, pointing to the IP of WAN2.

Finally, from the console in "Router" > "Monitor" we can see which connection we are going out through at any given moment; logically, by visiting www.whatismyip.com we can also see which public IP we are going out with, and that tells us whether it belongs to WAN1 or WAN2.
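The same setup expressed in FortiOS CLI, as an added example that is not part of the original post: the two static routes with distances 10 and 20, the ping monitor on each WAN (current FortiOS names the "Ping Server" feature link-monitor; older versions expose it as gwdetect on the interface), and the INTERNAL-to-WAN2 policy. Interface names and the gateway addresses 203.0.113.1 and 198.51.100.1 are assumed placeholders; the monitored address 216.239.59.104 is the one used in the post.

```fortios
# Static routes: WAN1 preferred (distance 10), WAN2 backup (distance 20).
# Gateway IPs below are placeholders; use the ones your providers give you.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
        set distance 20
    next
end

# "Ping Server" per WAN: ping a public address; after 5 failed probes
# the static route on that interface is withdrawn, so traffic shifts
# to the next-best route. WAN2 gets the same monitor so its return is detected.
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "216.239.59.104"
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
    edit "mon-wan2"
        set srcintf "wan2"
        set server "216.239.59.104"
        set protocol ping
        set update-static-route enable
    next
end

# Outbound policy INTERNAL -> WAN2 with NAT, mirroring the default INTERNAL -> WAN1 one.
config firewall policy
    edit 0
        set name "internal-to-wan2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To check which route is active, `get router info routing-table all` shows the current default route and `diagnose sys link-monitor status` shows the state of each monitor.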


Author

nheobug@bujarra.com
Author of the blog Bujarra.com. Whatever you need, do not hesitate to contact me; I will try to help you whenever I can. Sharing is living ;) Enjoy the documents!!!