FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help

WAN link load balancing

In the same way that incoming traffic can be load balanced, outgoing or WAN traffic can also be load balanced and for the same three reasons.

  1. Reduce the places in the work flow where a single point of failure can bring the process to a halt.
  2. Expand the capacity of the resources to handle the required workload.
  3. Have it configured so that the process of balancing the workload is automatic.

Often, it can be just as important for an organizations members to be able to access the Internet as it is for the denizens of the Internet to access the Web facing resources.

There is now a WAN Load Balancing feature located in the Network section of the GUI ("WAN LLB").

note icon As part of the new WAN Load Balancing feature, the FortiOS 5.2 Router > Static > Settings GUI page has been removed. WAN Load Balancing should be used instead of the 5.2 ECMP Load Balancing Method settings. The 5.2 Link Health Monitor definitions are now only available from the CLI.

WAN links

The basis for the configuration of the virtual WAN link are the interfaces that comprise it. As interfaces are added to the "wan-load-balance" interface, they are added into the calculations that comprise the various algorithms used to do the load balancing.

  • While most of the load balancing algorithms are based on equal distribution or weighted distribution, spill over does rely on which interface is first in the sequence, so this should be kept in mind when adding the interfaces.
  • The interfaces in the virtual WAN link can be disabled if necessary if work needs to be done on an interface without interfering with the performance of the link.
  • There is no requirement that the interfaces be those labeled on the hardware as WAN interfaces.
  • In the GUI, to help analysis the effectiveness of the algorithm being used and its configuration, there is a graphic representation of the bandwidth usage of the link.

Load balancing algorithm

Once the interfaces involved has been configured the next step is to determine how the workload will be distributed. 5 load balancing algorithms are available to choose from.


This is a very straight forward method of distributing the work load based on the amount of packets going through the interfaces. An integer value assigns a weight to each interface. These weights are used to calculate a percentage of the total bandwidth that is directed to the interface.

  • There are 2 interfaces
  • Interface #1 is assigned a weight of 5 because it is a 5 MB connection. (There is no requirement to match the weight to the capacity of the connection. It is just a simple way of optimizing the differing capacities in this case.)
  • Interface #2 is assigned a weight of 3 because it is a 3 MB connection.
  • The total weight is 8 so interface #1 gets 5/8 (63%) and interface #2 gets 3/8 (38%) of the traffic.


The session algorithm is similar to the bandwidth algorithm in that it also uses an integer value to assign a weight to each interface. The difference is that the number of sessions connected is what is being measured and not the packets flowing through the interfaces.


Spillover is a method where a threshold is set for an interface (in kbps) and if the amount of traffic bandwidth exceeds the threshold any traffic bandwidth beyond that threshold is sent out through another interface.

It might be simple to just consider the outgoing or egress traffic when determining a threshold but two facts must be taken into consideration.

  1. A simple request going out the interface can be responded to with significantly more data coming back from the other direction.
  2. Internet connections come in a variety of configurations, many of which have different levels of allowed bandwidth capacity between the upload and download directions.

For these reasons, the FortiGate allows for the setting of both egress and ingress thresholds for bandwidth.

Source-destination IP

The source-destination IP algorithm tries to equally divide the traffic between the interfaces included in the virtual WAN interface. It used the connection criteria of the source and destination IP address combinations as a way of sorting the traffic.

  • to gets sent out one interface
  • Subsequent traffic going from to would also go out that same interface
  • The next session to connect through the WAN could be either:
  • going to
  • going to

Either one of the connections in the next session, even though they might match the source or the destination IP address do not match both. Traffic with the next unique combination of source and destination IP address would be sent out the other interface. It would go back and forth like this as new traffic and combinations comes in.


Source IP

The source IP address works just the same as the source-destination IP algorithm but it only concerns itself with the source IP address of the connection.

caution icon Avoid using WAN LLB in combination with asymmetric routing. Using the Bandwidth (GUI) or measure-based (CLI) load balancing algorithms can cause the routing-information (outgoing-interface) for sessions created in asymmetric routing to change in mid-session. Session-level persistence of the connection is needed to make WAN LLB effectively.

Priority rules

Some traffic requires that it come from a consistent or specific IP address to be processed properly. Because the different WAN interfaces will have different IP addresses there needs to be a way to override the unpredictability of the load balancing algorithms. This is done by using priority rules

Packets can be checked prior to being assigned an interface by the algorithm. If certain source and/or destination criteria matches the priority rules, the packets can be assigned to an outgoing interface as determined by the rule.

Priority rules can be configured under Network > WAN LLB Rules.

The source criteria that can be checked are:

  • Source address
  • User Group

The destination criteria that can be checked are:

  • Whether it’s address-based
  • Destination address
  • Protocol number
  • Whether it’s cloud application-based
  • The cloud application

Cloud applications

Cloud applications are a new object that can be used and configured on a FortiGate. There are a limited number of places that they can be used as a means of directing traffic and Virtual WAN links are one of them.

Estimated Bandwidth

An optional parameter has been added that allows users to set the estimated uplink and downlink bandwidths of a WAN interface.This setting is available in the GUI and the CLI. It's availability in the GUI is dependent on context. To see the setting when editing the interface, the role of the interface must be set to WAN.

The range of the setting is from 0 to 4294967295 (effectively 2 32). The value is in Kbps.

In the CLI, the fields can be set by using the following syntax:

config system interface

edit <wan interface>

set estimated-upstream-bandwidth <integer from 0 - 4294967295>

set estimated-downstream-bandwidth <integer from 0 - 4294967295>



The purpose for these settings is to work with monitoring software such as MRTG (Multi Router Traffic Grapher) to compare the estimated and real bandwith usage.This is not connected to threshold settings.

Status checking or health checking

For load balancing to be effective, there needs to be a constant monitoring of the health and status of the links that make up the virtual WAN link. Customized status checks can be configured to check on health of various aspects the traffic flow going through the link. Using either ICMP packets (PING) or HTTP requests to a designated server. Once the health reaches a specified threshold, the interface can be automatically removed from the virtual WAN link so that the algorithm is not sending traffic to a failed interface and bring down communications for a portion of the FortiGate's clientele.

To configure status or health checking go to Network > WAN Status Check and add status check profiles.

You can also configure status and health checking from the CLI. The CLI includes additional options for setting latency, jitter, and pack loss thresholds.

config system virtual-wan-link

set fail-detect [enable | disable]

set fail-alert-interfaces (available only if fail-detect is enabled)

config health-check

edit [Health check name]

set server <string>

set protocol [ping | tcp-echo | udp-echo | http | twamp]

Some of the protocol options cause additional settings are made available.


set port

set http-get

set http-match


set port

set security-mode[none | authentication]

The security-mode setting authentication generates yet another potential setting, password.

set password

set packet-size

The next settings are available for all protocols

set interval <integer>

set timeout <integer>

set failtime [1 - 10]

set recoverytime [1 - 10]

set update-cascade-interface [enable | disable]

set update-static-route [enable | disable]

set threshold-warning-latency <integer 0-4294967295>

set threshold-alert-latency <integer 0-4294967295>

set threshold-warning-jitter <integer 0-4294967295>

set threshold-alert-jitter <integer 0-4294967295>

set threshold-warning-packetloss <integer 0-4294967295>

set threshold-alert-packetloss <integer 0-4294967295>




Virtual-WAN-link improvements (365702)

Some new features have been incorporated into Virtual WAN Link to address the performance issues.

  • The Virtual WAN link daemon only recalculates those services that have changed link quality.
  • Removal of abnormal latency data.
  • A link quality threshold has been added to prevent frequently route generation due to a small quality changes.
  • Service ID field has been added
  • A disable option is available for a service.
  • Services in the CMDB are able to move and the order of policy routes in the kernel is based on the sequences of services in the CMDB.
Syntax for configuring a service ID

config system virtual-wan-link

config service

edit <service name>

set id <integer between 0 - 255>


Syntax for configuring the percentage threshold of change of link cost values that will result in a policy route generation

config system virtual-wan-link

config service

edit <service name>

set link-cost-threshold <integer between 0 - 100000000>


The default threshold is 10

Syntax for enabling | disabling a service

config system virtual-wan-link

config service

edit <service name>

set status [enable | disable]