wan load balancing

• Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the tunnels, we would want to failover the traffic to the second tunnel.
• This is done by using “gwdetect” in fortigate.
• The gwdetect command will ping the other end of the tunnel, and check if the tunnel is up. If the pings fail, it will remove the static route from the routing table, and the second route in the table will become active.

This can be done only using the CLI

• The following config will tell the Fortigate device, what IP it should ping to test the tunnel. This IP should be the inside IP address of the virtual private gateway.
• This is required in order for tunnel failover via gwtect to function. Additionally, this is required to keep the tunnel up, since traffic must be sent from your side of the VPN tunnel to prevent the tunnel from being taken down.

config vdom
    edit root
        config router gwdetect
        edit 1
        set interface "vpn-0fdf41f0d96efff36-1"
        set server "169.254.45.37"

• Using the following command, you can set the interval and failtime for gwdetect. Interval is number of seconds between pings.
• Failtime is the number of lost consecutive pings.Using the respective values of 2 and 5, your tunnel will failover in 10 seconds.

        set interval 2
        set failtime 5
    next
end