Business Continuity Plans - Assistance/Best Practice Ideas
Hey guys
I am hoping for some assistance/advice on best practice. We are currently running 2 x FortiGate appliances: one in HQ (200e) and one in Branch Office (300e). (Bigger in Branch Office as we use it to deliver Internet services to tenants.) Both have Internet breakout (1GB) and we also have a (1GB) P2P connection between both sites. I am looking to achieve the following:
Internal traffic between Branch and HQ to flow via the P2P. If the P2P goes down, then traffic to flow via a VPN.
All Internet traffic to break out locally; however, for business continuity I would like to push the Internet traffic down the P2P link and break out at the relevant office, i.e. if HQ Internet goes down, route it via the P2P and break out at Branch Office.
The firewalls are in place and running as is but don't have the failover configuration in place. I have had a brief look at SD-WAN but am unsure if this is the right way to go. From what I understand, if I were to go down the SD-WAN route I would need to remove current policies on interfaces before I can add them to the SD-WAN.
Another option I have investigated but not had much success with is using 2 routes and using system monitor to enable a route after checks.
Any advice would be much appreciated.