Tutek
New Member
November 14, 2022
Question

Branch fortigate setup advice needed

  • November 14, 2022
  • 11 replies
  • 7973 views

Hi,

I would like to connect branch 80F FortiGates to the main HQ using SD-WAN; the conditions that must be met are:

1. Branch internet is routed back through the HQ FortiGate.

2. Access from the internet, like WAN management and SSL VPN on the branch, should be possible.

3. Other LAN subnets on the branch side should be accessible.

 

Now my concerns:

1. If I create IPsec tunnels between HQ and branch in tunnel mode, so that the remote branch subnet 172.50.1.0/24 has 0.0.0.0/0 as the destination in the IPsec selector, then I will not have access to other local subnets on the branch side, because IPsec steals all traffic and pushes it to HQ.

2. If I create IPsec in interface mode, then I need to create a static route with destination 0.0.0.0/0 and the IPsec interface as gateway. In this scenario, any incoming connection from the internet, like remote web management or SSL VPN, will be pushed through the IPsec tunnel = no connection.

 

How could I resolve these issues?

11 replies

aahmadzada
Staff
November 14, 2022

Hi @Tutek , SDWAN rules will help to properly route the traffic.

All you need is to properly configure the SDWAN rules.

 

I would go in this way:

 

1. Traffic traversing the FortiGate destined for the HQ and the Internet is routed via SD-WAN rules towards the HQ through the IPsec tunnels.

2. Management access to the branch FGT and SSL VPN via static default routes.

 

Ahmad

Tutek (Author)
New Member
November 14, 2022

Hi,

In point 1 you have to configure a rule with local subnet 172.50.1.0/24 and destination 0.0.0.0/0 (internet). How then will users from this local subnet access the other local subnet 172.50.2.0/24? This will not work.

gfleming
Staff
November 14, 2022

More specific routes take precedence. 172.50.2.0/24 is a more specific route than 0.0.0.0/0 so it will be chosen first. Any traffic that doesn't match any other specific routes will be sent to the default gateway. This is basic network routing.

distillednetwork
Explorer II
November 14, 2022

I would set the interface mode on the IPsec with BGP personally. If you want to do static routes you can. Any connected interfaces will have priority in the route table over a static route, so SSL-VPN will not be an issue. If you want direct access into the FortiGate from the WAN but not have clients go out that same WAN, then when you create the default route for the WAN port, set the distance the same as the route to the VPN tunnel but have a higher priority value on the route. This will allow it to be in the route table (to accept incoming connections) but will send data out the other WAN port.

 

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-and/ta-p/198221
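As an added illustration (not part of distillednetwork's reply and not taken from Fortinet documentation), here is what that two-default-route arrangement looks like in FortiOS CLI. Assumed: FortiOS 7.0 syntax, an interface-mode tunnel named ipsec-hq, the WAN interface wan1, and a constructed upstream gateway of 203.0.113.1. Both routes share the same distance, so both are installed in the routing table and the FortiGate can answer on wan1; the lower priority value wins for forwarding, so LAN clients go out through the tunnel.

```fortios
# Two default routes with equal distance: both are active in the routing table.
# FortiOS prefers the LOWER priority value when distances tie.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "ipsec-hq"
        set distance 10
        set priority 1
        set comment "Preferred default: forwarded LAN traffic goes to HQ"
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 10
        set comment "Kept in the table so inbound management/SSL VPN on wan1 can reply; not used for forwarding"
    next
end
```

Useful checks after applying it: `get router info routing-table all` should list both 0.0.0.0/0 entries (the wan1 one with the higher priority value), and `diagnose sniffer packet wan1 'port 443'` while connecting to the WAN address should show replies leaving wan1 rather than the tunnel. Keep management access on wan1 restricted with trusted hosts on the admin accounts, since this route deliberately exposes the interface to the internet.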

 

Tutek (Author)
New Member
November 15, 2022

I'm trying to configure the router your way. First I created two IPsec tunnels and added them as SD-WAN members in "Centrala", but it is impossible to set a priority on routes with destination 0.0.0.0/0; it is always automatically set to 1. So I have a static route to the IPsec SD-WAN zone with priority 1, and a static route to virtual-wan-link with priority 1.

 

[screenshot: Tutek_0-1668531411026.png]

 

 

distillednetwork
Explorer II
November 15, 2022

The priorities would be if you are not using SD-WAN. If you want to use SD-WAN then you just need to create the SD-WAN rule to steer the traffic. If you never want internet traffic to go out the virtual-wan-link ports then you can adjust the interface cost under the SD-WAN zone/interface configuration.

 

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/328009/interface-cost

 

Tutek (Author)
New Member
November 16, 2022

OK, so in Network --> Static Routes I wiped everything.

On the SD-WAN zone I have changed the wan1 and wan2 link costs to be higher than the two IPsec interfaces in zone "Centrala":

[screenshot: Tutek_0-1668581131924.png]

Now I created SD-WAN rules: one from local to any (HQ internet) with zone preference "Centrala", and another one to access the FortiGate on the local WAN links, so source all and destination all, with zone preference virtual-wan-link.

[screenshot: Tutek_1-1668581339554.png]

 

The result is that earlier I could ping and access the wan2 interface; now I can't.

 

distillednetwork
Explorer II
November 16, 2022

You still need the 0.0.0.0/0 routes with the SD-WAN zones in the route table.

 

If you are looking for user traffic to only use the Centrala SD-WAN zone, then you don't need SD-WAN rule 2. Local-out traffic (traffic generated by the FortiGate, i.e. logs, FortiGuard, auth requests, etc.) has settings to use either SD-WAN rules or specified interfaces as well. This article talks about the functionality of set interface-select-method:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Functionality-of-set-interface-select-method-for/ta-p/196731
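Putting this reply together with the earlier ones, here is the branch-side design as FortiOS CLI. This is an added example, not configuration from distillednetwork or from the Fortinet KB; it assumes FortiOS 7.0 syntax, member sequence numbers 1-4, an address object LAN-172.50.1.0 for the branch subnet, a LAN interface named "lan", and constructed WAN gateways 203.0.113.1 and 198.51.100.1. Three things the thread turned on are visible here: the two default routes stay in the routing table, the SD-WAN rule only steers forwarded LAN traffic, and self-originated traffic is pinned to a local WAN with interface-select-method.

```fortios
# SD-WAN zones and members. Higher cost on the local WAN links means the
# Centrala (IPsec) zone is preferred when a rule or route could use either.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "Centrala"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
            set cost 20
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
            set cost 20
        next
        edit 3
            set interface "ipsec1"
            set zone "Centrala"
            set cost 0
        next
        edit 4
            set interface "ipsec2"
            set zone "Centrala"
            set cost 0
        next
    end
    # One rule is enough: forwarded traffic from the branch LAN (to HQ and to the
    # internet) goes into the tunnels; ipsec1 is tried first, ipsec2 as backup.
    config service
        edit 1
            set name "LAN-to-HQ-and-Internet"
            set mode manual
            set src "LAN-172.50.1.0"
            set dst "all"
            set priority-members 3 4
        next
    end
end

# Both default routes must exist in the routing table. SD-WAN rules never
# replace routes; they only pick among routes that already match.
# Other branch subnets (172.50.2.0/24 etc.) are connected routes and win
# by longest prefix match, so they are never pulled into the tunnel.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "Centrala"
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
end

# Self-originated traffic (FortiGuard, DNS) is not steered by SD-WAN rules;
# pin it to the local WAN link explicitly.
config system fortiguard
    set interface-select-method specify
    set interface "wan1"
end
config system dns
    set interface-select-method specify
    set interface "wan1"
end

# With zones, a single policy covers both tunnels. Logging everything here
# gives the HQ team visibility into what the branch is sending up.
config firewall policy
    edit 10
        set name "LAN-to-Centrala"
        set srcintf "lan"
        set dstintf "Centrala"
        set srcaddr "LAN-172.50.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Inbound management and SSL VPN on wan1/wan2 keep working because replies to sessions that arrived on a WAN interface are returned on that interface, and the virtual-wan-link default route is still present for the FortiGate's own replies. `diagnose sys sdwan service` shows which member each rule currently selects, and `get router info routing-table all` confirms both default routes are installed.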

 

 

Tutek (Author)
New Member
November 16, 2022

So if SD-WAN rules (policy rules) have higher precedence over static routes, then why, having this second config at SD-WAN:

[screenshot: Tutek_0-1668614697016.png]

 

while at the same time having empty static routes, did it not work (i.e. I lost access to the WAN interfaces)?

distillednetwork
Explorer II
November 16, 2022

Rule 2 in that screenshot would not be necessary unless you had other subnets not defined in the "lan address" object that needed access to the internet.

Tutek (Author)
New Member
November 16, 2022

I just can't understand why this one SD-WAN rule that was configured:

source (all) destination (all) go to wan1, wan2

didn't work; I lost access to the router on the WAN interfaces.
As soon as I added the static route in Network --> Static Routes:
destination 0.0.0.0/0 ---> gateway virtual-wan-link (wan1, wan2), WAN access immediately started working. After all, as you say, SD-WAN rules are more important than static routes.

distillednetwork
Explorer II
November 16, 2022

Like I mentioned though, SD-WAN rules only apply to forwarded traffic on the network. Any local traffic on the FortiGate (management, DNS, FortiGuard, etc.) is not handled in the same manner, since it is self-originating and not forwarded through the device.

Tutek (Author)
New Member
November 24, 2022

How should I configure SD-WAN rules at the central FortiGate for internet traffic going back to the branch LAN?

Do I need to create an SD-WAN rule something like:

Source: 0.0.0.0/0, destination 172.50.1.0/24, using interfaces from the SD-WAN zone? Or should I just configure a static route with destination branch LAN 172.50.1.0/24 and the SD-WAN zone as gateway?

 

I cannot find any document with a branch and HQ configuration that uses remote internet access like in my scenario.

Tutek (Author)
New Member
November 24, 2022

I read this document. I don't use dynamic routing protocols in my network; I have only a couple of subnets that never change, so I don't need BGP. Is there any cookbook document for configuring SD-WAN with RIA and static routing? I couldn't find it.

gfleming
Staff
November 24, 2022

If there are two VPN tunnels (because you have two WAN links) between the central FG and the remote branches, then you will need to use BGP so that it can choose the one that was used for the inbound connection. If you do not want to run BGP, then the central FG will just use the route in your routing table that is preferred to send traffic back to the branch.
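For the static-routing case gfleming describes, the HQ side needs only a return route for the branch prefix plus the policy that lets branch users out to the internet. This is an added example, not from gfleming's reply or Fortinet documentation; it assumes FortiOS 7.0 syntax, that HQ also groups its two tunnels in an SD-WAN zone named "Centrala" with the WAN links in virtual-wan-link, and an address object Branch-LAN-172.50.1.0.

```fortios
# Return route to the branch LAN via the zone holding both tunnels. Without BGP
# the routing table picks the preferred member; it will not necessarily be the
# tunnel the flow arrived on, which is the asymmetry gfleming points out.
config router static
    edit 10
        set dst 172.50.1.0 255.255.255.0
        set sdwan-zone "Centrala"
        set comment "Branch LAN return route (static, no BGP)"
    next
end

# Remote Internet Access: branch users exit to the internet from HQ. Source NAT
# on the way out; full logging so branch internet use is visible at HQ, where
# web filtering / IPS profiles would also be attached.
config firewall policy
    edit 100
        set name "Branch-RIA-to-Internet"
        set srcintf "Centrala"
        set dstintf "virtual-wan-link"
        set srcaddr "Branch-LAN-172.50.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Because HQ's own default route (0.0.0.0/0 via virtual-wan-link) already covers internet destinations, no SD-WAN rule is needed for the return direction: the specific 172.50.1.0/24 route is longer than 0.0.0.0/0 and wins by prefix length, exactly as gfleming noted earlier in the thread. If return traffic must follow the inbound tunnel, that is where BGP (or an SLA-based SD-WAN rule on both ends) comes in.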

Tutek (Author)
New Member
November 25, 2022

But I understand the concepts of routing, and if I do not have OSPF, BGP, RIP I have to configure static routes. I am not forced to use dynamic protocols with a multi-WAN setup like mine; after all, this is what SD-WAN was created for.

 

My question is simple: where and how do I configure this route? My problem is understanding when to use SD-WAN rules and when to use static routes to control traffic that passes through the two IPsec tunnels (SD-WAN zone).

 

On the branch I now have SD-WAN rules:

1. source local LAN (172.50.1.0/24), destination central LAN (172.10.1.0/24), go to manual selection ipsec1, ipsec2

2. source local LAN (172.50.1.0/24), destination everything-internet (0.0.0.0/0), go to manual selection ipsec2, ipsec1

In static routes I have only one route: destination 0.0.0.0/0, gateway virtual-wan-link (wan1, wan2)

 

 

Now on the central (HQ) FortiGate, in SD-WAN rules I have:

1. source local LAN (172.10.1.0/24), destination branch LAN (172.50.1.0/24), go to manual selection ipsec1, ipsec2

 

In static routes I have only 0.0.0.0/0 using virtual-wan-link (wan1, wan2)

 

And this is my question: where do I now configure routing for internet traffic going back to the branch? Do I need to add a second SD-WAN rule like: source 0.0.0.0/0 --> destination branch LAN, use SD-WAN zone (ipsec1, ipsec2), or configure a system static route like:

destination branch LAN --> gateway SD-WAN zone (ipsec1, ipsec2)

gfleming
Staff
November 25, 2022

Your question is simple, but the answer, unfortunately, is not. What is the behaviour you want? Do you want the return traffic going back to the branch to choose the same IPsec tunnel that it came in on? Or do you want the traffic to go over whatever IPsec tunnel the central FortiGate thinks is best?

 

Also, confirm what version of FOS you are on.