3x-t
Explorer
November 24, 2021
Solved

ADVPN - Split Tunnel


Sorry, probably this is a dummy question...

Obviously, I'm not so good with ADVPN, and I also just started learning FortiGate, as I got my first FortiGate and am trying to build a network.
I'm not sure if it's possible, and how, to do split tunneling on my FortiGate. Our HQ doesn't have that good an internet connection, and I wouldn't like us to have more trouble when we add all the planned BOs. For easier configuration, we chose to use ADVPN with BGP.
Btw, we have two BOs with a second WAN that uses LTE (no public IP), and at the moment that BO has a configuration on some Cisco routers to combine the two WANs for better connectivity.

Thank you!

Best answer by pciurea

Hello 3x-t

Welcome to this community. 

I want to let you know that from my point of view there are no dummy questions, not even dummy answers. I will try my best to not give you a dummy answer :).

ADVPN would be defined by 2 main purposes:

1. achieving full mesh between the spokes

2. taking the throughput load off the hub by establishing spoke-to-spoke shortcut tunnels.

Let's talk about split tunneling

Split tunneling, by its purpose, besides the P2 selectors, would also add specific routes to the routing table (to steer specific traffic). This is rendered useful in combination with ADVPN, as routes need to be dynamically changed when a shortcut tunnel comes up.

As you have already chosen the best path, BGP, BGP will be your angel in the routing decision: it will install routes in the routing table and dynamically change the outgoing interface in the routing table based on next-hop reachability (either through the hub if no shortcut is created, or through the shortcut tunnel, which is a direct tunnel to the remote side).

 

There is a great Tech Tip that can help you understand the workings behind ADVPN: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-Auto-Discovery-VPN-ADVPN/ta-p/195698. Make sure you download the PDFs attached to this Technical Tip.

Hope I've been helpful

Regards
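As an added illustration of the answer above (not part of the original thread and not Fortinet's own documentation), here is a spoke-side FortiOS CLI sketch of the split-tunnel pattern it describes: wide-open phase2 selectors with add-route disabled, so BGP alone decides which prefixes go over the overlay while everything else keeps using the local WAN default route. Interface names, addresses, the AS number and the pre-shared key are placeholders, and the exact keywords should be checked against the Technical Tip linked above for your FortiOS version.

```text
# Added example, not from the thread. All names/addresses are placeholders.
# Phase1: accept shortcut offers from the hub and do NOT install routes
# from the phase2 selectors; BGP will own the routing table instead.
config vpn ipsec phase1-interface
    edit "advpn-spoke"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set add-route disable
        set auto-discovery-receiver enable
        set remote-gw 203.0.113.1        # hub public IP (placeholder)
        set psksecret <PRE-SHARED-KEY>   # placeholder
    next
end
# Phase2: 0.0.0.0/0 selectors on both sides. What actually crosses the
# tunnel is decided by the routes BGP installs, not by the selectors.
config vpn ipsec phase2-interface
    edit "advpn-spoke-p2"
        set phase1name "advpn-spoke"
        set auto-negotiate enable
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Overlay addressing on the tunnel interface (placeholders).
config system interface
    edit "advpn-spoke"
        set ip 10.255.0.2 255.255.255.255
        set remote-ip 10.255.0.1 255.255.255.0
    next
end
# iBGP to the hub. Only the branch LAN is advertised and no default route
# is learned over the tunnel, so Internet-bound traffic still leaves via
# wan1: that is the split tunnel. When a shortcut comes up, BGP next-hop
# reachability moves the remote prefix from the hub path to the shortcut.
config router bgp
    set as 65000
    set router-id 10.255.0.2
    config neighbor
        edit "10.255.0.1"
            set remote-as 65000
        next
    end
    config network
        edit 1
            set prefix 192.168.20.0 255.255.255.0
        next
    end
end
```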


3x-t (Author)
Explorer
November 24, 2021

Thank you so much for your help!

Since all our BOs are in the same city, I will try to get approval to upgrade the internet connection at one other BO, where I can create a second HUB.

So far, all I can say is that FortiGate is great! Every day I learn something new; the documentation is great, the YouTube videos...
My colleagues are working on bringing up a Windows domain controller, and then we will start deploying our network. After that, I'm starting with the FortiManager VM, SD-WAN, etc.
I'm a little bit scared of SD-WAN... it's still very new for me.