Skip to main content
osaleem2_10
osaleem2_10
Explorer III
September 8, 2025
Solved

FortiSDWAN with one wan internet and multi MPLS

  • September 8, 2025
  • 4 replies
  • 832 views

Hi,

 

I have a new deployment for FortiGate as an edge firewall. The latency design involved DC FW acting as both DC and Edge. Now I will implement Fortigate as Edge and do point-to-point with DC FW.

 

The Q is. I do have:

- one Internet link with 2 IPSec over the Internet link.

- 2 MPLS links. One to Cloud servers with paloalto fw, second for my 10 Fortinet branches.

 

For the internet, I will have only 1 link. And over that will build 2 IPsec (One to be a Load balance SDWAN with MPLS to my branches, Second to be a passive link with MPLS to my cloud service).

 

What is the best practice to build that topology? Should I add all three 3 WAN interfaces under the SD-WAN Zone, and with that ZONE create 2 IPSec? Or I have to keep the 3 WAN interfaces without SDWAN zone as normal WAN interfaces, as there is no Load balancing except the connection with branches. Then create SDWAN for IPsec.

 

Kindly for advice for the best practice solution.

Screenshot 2025-09-09 005927.png

Best answer by Jean-Philippe_P

Hello again osaleem2_10,

 

I found this solution. Can you tell us if it helps, please?

 

To design the best practice topology for your FortiGate deployment as an edge firewall, consider the following steps:

 

  1. SD-WAN Configuration: Add all three WAN interfaces (Internet link and two MPLS links) to the SD-WAN zone. This allows you to leverage SD-WAN features such as intelligent traffic steering, load balancing, and failover.

  2. IPsec Tunnel Setup:
    - Create two IPsec tunnels over the Internet link:
    - One tunnel for load balancing with MPLS to your branches.
    - A second tunnel as a passive link with MPLS to your cloud service.

  3. Traffic Steering and Load Balancing:
    - Use SD-WAN rules to define how traffic should be distributed across the available links. For example, prioritize the MPLS link for branch traffic and use the Internet link as a backup.
    - Configure load balancing for the IPsec tunnel to branches, ensuring optimal use of available bandwidth.

  4. Redundancy and Failover: Ensure that your SD-WAN configuration includes failover policies to switch traffic to the passive link in case of primary link failure.

  5. Monitoring and Performance: Implement performance health checks on SD-WAN member links to monitor link quality and ensure optimal performance.

 

By integrating all WAN interfaces into the SD-WAN zone, you can take full advantage of FortiGate's SD-WAN capabilities, providing flexibility and resilience in your network design.

4 replies

Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
September 11, 2025

Hello osaleem2_10, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
    tokalno5
    tokalno5
    New Member
    September 11, 2025

    Fortinet's SDWAN is not good, companies like Fortinet and Palo alto etc. Have completely ruined the term SDWAN. Automating tunnel creation and pinging across them is not SDWAN. You could already do that from the beginning of time. If that's all you need sure, but to me that ain't SDWAN.

    Jean-Philippe_P
    Staff & Editor
    Jean-Philippe_P
    Staff & Editor
    September 12, 2025

    Hello,

     

    We are still looking for an answer to your question.

     

    We will come back to you ASAP.

     

    Thanks,

    Jean-Philippe - Fortinet Community Team
    Jean-Philippe_P
    Staff & Editor
    Jean-Philippe_PAnswer
    Staff & Editor
    September 15, 2025

    Hello again osaleem2_10,

     

    I found this solution. Can you tell us if it helps, please?

     

    To design the best practice topology for your FortiGate deployment as an edge firewall, consider the following steps:

     

    1. SD-WAN Configuration: Add all three WAN interfaces (Internet link and two MPLS links) to the SD-WAN zone. This allows you to leverage SD-WAN features such as intelligent traffic steering, load balancing, and failover.

    2. IPsec Tunnel Setup:
      - Create two IPsec tunnels over the Internet link:
      - One tunnel for load balancing with MPLS to your branches.
      - A second tunnel as a passive link with MPLS to your cloud service.

    3. Traffic Steering and Load Balancing:
      - Use SD-WAN rules to define how traffic should be distributed across the available links. For example, prioritize the MPLS link for branch traffic and use the Internet link as a backup.
      - Configure load balancing for the IPsec tunnel to branches, ensuring optimal use of available bandwidth.

    4. Redundancy and Failover: Ensure that your SD-WAN configuration includes failover policies to switch traffic to the passive link in case of primary link failure.

    5. Monitoring and Performance: Implement performance health checks on SD-WAN member links to monitor link quality and ensure optimal performance.

     

    By integrating all WAN interfaces into the SD-WAN zone, you can take full advantage of FortiGate's SD-WAN capabilities, providing flexibility and resilience in your network design.

    Jean-Philippe - Fortinet Community Team
    Terms & ConditionsAccessibility statement