WAN link load balancing


In the same way that incoming traffic can be load balanced, outgoing or WAN traffic can also be load balanced, and for the same three reasons:

1. Reduce the places in the workflow where a single point of failure can bring the process to a halt.

2. Expand the capacity of the resources to handle the required workload.

3. Have it configured so that the process of balancing the workload is automatic.

Often, it can be just as important for an organization's members to be able to access the Internet as it is for the denizens of the Internet to access the web-facing resources.

There is now a WAN Load Balancing feature located in the Network section of the GUI (“WAN LLB”).

As part of the new WAN Load Balancing feature, the FortiOS 5.2 Router > Static > Settings GUI page has been removed. WAN Load Balancing should be used instead of the 5.2 ECMP Load Balancing Method settings. The 5.2 Link Health Monitor definitions are now only available from the CLI.

WAN links

The basis for the configuration of the virtual WAN link is the set of interfaces that comprise it. As interfaces are added to the “wan-load-balance” interface, they are added into the calculations that comprise the various algorithms used to do the load balancing.

  • While most of the load balancing algorithms are based on equal distribution or weighted distribution, spill over does rely on which interface is first in the sequence, so this should be kept in mind when adding the interfaces.
  • An interface in the virtual WAN link can be disabled when work needs to be done on it, without interfering with the performance of the link.
  • There is no requirement that the interfaces be those labeled on the hardware as WAN interfaces.
  • In the GUI, to help analyze the effectiveness of the algorithm being used and its configuration, there is a graphic representation of the bandwidth usage of the link.

Load balancing algorithm

Once the interfaces involved have been configured, the next step is to determine how the workload will be distributed. Five load balancing algorithms are available to choose from.


The bandwidth algorithm is a very straightforward method of distributing the workload based on the amount of packets going through the interfaces. An integer value assigns a weight to each interface. These weights are used to calculate a percentage of the total bandwidth that is directed to the interface.


  • There are 2 interfaces
  • Interface #1 is assigned a weight of 5 because it is a 5 MB connection. (There is no requirement to match the weight to the capacity of the connection. It is just a simple way of optimizing the differing capacities in this case.)
  • Interface #2 is assigned a weight of 3 because it is a 3 MB connection.
  • The total weight is 8 so interface #1 gets 5/8 (63%) and interface #2 gets 3/8 (38%) of the traffic.

WAN Link Load Balancing Algorithm


The session algorithm is similar to the bandwidth algorithm in that it also uses an integer value to assign a weight to each interface. The difference is that the number of sessions connected is what is being measured and not the packets flowing through the interfaces.
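The difference between the two weight-based algorithms can be seen in a simplified model, added here as an example (it is not FortiOS code and not from the original article). It uses the 5 and 3 weights from the example above; the interface names `wan1`/`wan2`, the session sizes and the "lowest load relative to weight" selection rule are assumptions made for illustration.

```python
# Simplified model of weight-based link selection; not FortiOS code.
# Weights are the article's example: interface #1 = 5, interface #2 = 3.
WEIGHTS = {"wan1": 5, "wan2": 3}  # interface names are assumed

# Constructed traffic: session sizes in MB, a few large transfers among small ones.
SESSIONS = [20, 400, 20, 300, 20, 20, 200, 20]


def pick_link(load, weights):
    """Return the link whose measured load is lowest relative to its weight."""
    return min(weights, key=lambda name: load[name] / weights[name])


def distribute(sessions, weights, measure):
    """Assign each new session to a link and return (session counts, MB totals).

    measure="sessions": load is the number of sessions (session algorithm).
    measure="volume":   load is the traffic carried (bandwidth algorithm).
    """
    load = dict.fromkeys(weights, 0)
    counts = dict.fromkeys(weights, 0)
    volume = dict.fromkeys(weights, 0)
    for size in sessions:
        link = pick_link(load, weights)
        load[link] += 1 if measure == "sessions" else size
        counts[link] += 1
        volume[link] += size
    return counts, volume


def percent(totals):
    """Express per-link totals as percentages of the overall total."""
    total = sum(totals.values())
    return {name: round(100 * value / total, 1) for name, value in totals.items()}


if __name__ == "__main__":
    for measure in ("sessions", "volume"):
        counts, volume = distribute(SESSIONS, WEIGHTS, measure)
        print(measure, "sessions:", counts, "traffic %:", percent(volume))
```

With this constructed traffic, counting sessions gives the intended 5:3 split of sessions but leaves the weight-3 link carrying 90% of the traffic, while counting volume brings the traffic split to 60/40.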

WAN Link Load Balancing Spillover



7 thoughts on “WAN link load balancing”

  1. Facing issue with WAN LLB, 3 ILL links are combined to Virtual WAN interface & algorithm is “Source IP” based, but only 1 link gets choked & rest 2 are consumed only around 30-40%.

    • I prefer to use bandwidth on mine for LLB. Using source it is possible that you coincidentally just have all of the big hitters going through the same pipe.

  2. I am having issue with mine (2 ISP), when I connect to other FortiGate outside the office I get disconnected because it uses the 2nd internet connection and the destination FortiGate disconnects me.
    It seems to happen with other things also.

    • In situations where you use WLLB and you are dealing with something that is smart enough to know that your IP (or the source in general) is switching up it will be beneficial to use routes. For instance, when I have WLLB enabled I set static /32 routes for the destinations that I know need to stay on a single connection (like a FortiGate I’m trying to administer remotely etc) to go out a specific pipe.

      Otherwise, you will constantly get booted out of the device you are trying to manage which is quite annoying.

  3. I haven't tested/read about it yet, but let's say you have a policy route that uses wan1 for X reason, will it use wan2 in case the wan1 is down?

    • You would make two static routes (regular static routes like you do your default gateway routes….no policy route) that have the same destination (the remote device or service that requires the connection to stay on one WAN connection and not bounce between the two) the routes will be identical except the destination interface and gateway address will be different. The one you wish to be your primary you just make it have a lower administrative distance so that it takes precedence and if that connection fails the other route will take over.

  4. OK, nice, thanks a lot
