gorapr
New Member
September 30, 2025
Question

Advice for IPSec

  • September 30, 2025
  • 2 replies
  • 394 views

Good day everyone,
I’m planning to deploy a hub-and-spoke IPsec VPN design, where the HQ uses a FortiGate 100F as the central security gateway, and branches use regular routers (not FortiGate).

Objective: All branch traffic should pass through HQ (full tunnel) for inspection and centralized security.
Challenge: With full tunneling, HQ bandwidth will become a bottleneck and could be heavily overloaded.

My questions:

What are the best practices to keep HQ as the main security hub without hairpinning all branch internet traffic?

Does FortiGate support any selective/split-tunnel policy in this scenario, even if the branch device is a non-FortiGate router?

Are there recommended design options so that sensitive/critical traffic is still inspected at HQ, while general internet traffic (updates, streaming, etc.) can break out locally at the branch?

2 replies

sjoshi
Staff
September 30, 2025

Hi @gorapr ,

Are you setting up a site-to-site VPN or a dial-up VPN?

If you do not want to divert all the internet traffic towards the hub, then you can define specific static routes for certain destinations on the spoke to send that traffic towards the hub, and apply security profiles to those destinations.

The individual hub will also have the feature to apply security profiles to the internet traffic.

Thanks, Salon
GeorgeZhong
Staff & Editor
September 30, 2025

Hi @gorapr ,

The branch should determine what type of traffic should be forwarded to the hub by routing or policy routing. IPsec split tunneling normally only applies to a dial-up IPsec connection initiated from FortiClient.

Regards,

George
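Both replies put the decision on the spoke: static routes for specific destinations (sjoshi) or policy routing (George) decide what goes through the IPsec tunnel to HQ, and everything else breaks out locally. The following is an added illustration, not code from the thread or from Fortinet, of how a branch router makes that decision. It models the branch's forwarding logic in Python: policy routes (source subnet and/or destination port) are evaluated first, then the static routing table with longest-prefix match. All prefixes, VLANs, ports and next-hop names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional

# Hypothetical next-hop names on the branch router (constructed for this example).
VIA_HQ_TUNNEL = "ipsec-to-hq"     # hairpinned through HQ for inspection
VIA_LOCAL_ISP = "local-breakout"  # direct internet exit at the branch


@dataclass(frozen=True)
class StaticRoute:
    prefix: IPv4Network
    next_hop: str


@dataclass(frozen=True)
class PolicyRoute:
    """Policy route: matched on source subnet and/or destination port,
    evaluated top-down before the routing table is consulted."""
    src: Optional[IPv4Network]
    dst_port: Optional[int]
    next_hop: str


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed spoke routing table: corporate and "sensitive" prefixes go to HQ,
# a more specific branch-local lab range overrides the /8, default breaks out locally.
STATIC_ROUTES: List[StaticRoute] = [
    StaticRoute(ip_network("10.0.0.0/8"), VIA_HQ_TUNNEL),       # corporate networks behind HQ
    StaticRoute(ip_network("10.200.0.0/16"), VIA_LOCAL_ISP),    # branch lab range, more specific
    StaticRoute(ip_network("203.0.113.0/24"), VIA_HQ_TUNNEL),   # sensitive SaaS range (TEST-NET-3)
    StaticRoute(ip_network("0.0.0.0/0"), VIA_LOCAL_ISP),        # default: local internet breakout
]

# Constructed policy routes: a finance VLAN is always inspected at HQ,
# and outbound SMTP from anywhere is forced through HQ regardless of destination.
POLICY_ROUTES: List[PolicyRoute] = [
    PolicyRoute(ip_network("192.168.10.128/25"), None, VIA_HQ_TUNNEL),
    PolicyRoute(None, 25, VIA_HQ_TUNNEL),
]


def select_next_hop(flow: Flow,
                    policies: List[PolicyRoute],
                    routes: List[StaticRoute]) -> Optional[str]:
    """Return the next hop the branch would use for this flow, or None if unroutable."""
    src = ip_address(flow.src_ip)
    dst = ip_address(flow.dst_ip)

    # 1. Policy routes win over the routing table; first match in order.
    for p in policies:
        if p.src is not None and src not in p.src:
            continue
        if p.dst_port is not None and flow.dst_port != p.dst_port:
            continue
        return p.next_hop

    # 2. Ordinary routing: longest prefix match on the destination address.
    best: Optional[StaticRoute] = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.next_hop if best is not None else None


if __name__ == "__main__":
    sample_flows = [  # constructed flows from the branch LAN 192.168.10.0/24
        Flow("192.168.10.20", "10.1.2.3", 443),       # corporate app -> HQ tunnel
        Flow("192.168.10.20", "198.51.100.7", 443),   # general web -> local breakout
        Flow("192.168.10.200", "198.51.100.7", 443),  # finance VLAN -> HQ (policy route)
        Flow("192.168.10.20", "198.51.100.25", 25),   # SMTP -> HQ (policy route)
        Flow("192.168.10.20", "10.200.1.1", 22),      # lab range -> local (longest prefix)
    ]
    for f in sample_flows:
        print(f"{f.src_ip} -> {f.dst_ip}:{f.dst_port}  via {select_next_hop(f, POLICY_ROUTES, STATIC_ROUTES)}")
```

The order of evaluation is the point: a policy route can pull a whole VLAN or a protocol into the tunnel even when the routing table would send it out locally, while longest-prefix match lets a more specific prefix carve an exception out of a broad "send to HQ" route. The same two mechanisms are what a non-FortiGate branch router would be configured with, since the hub cannot impose a split-tunnel policy on a site-to-site peer.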