hmtung
New Member
May 20, 2019
Question

How to set up and manage all internet access through the HQ site

  • May 20, 2019
  • 3 replies
  • 4945 views

Hi all,

I have 04 site-to-site IPsec VPNs to HQ. The site-to-site VPN is OK; however, I need all sites to access the internet back out through the HQ WAN. How do I do this? Please help me.

Thank you so much

    3 replies

    ede_pfau
    SuperUser
    May 20, 2019

    hi,

    two steps on each branch FGT (FAC1-4):

    1- set a static route to the public IP of HQ pointing to the WAN port ("wan1", gateway=ISP router). Use a host route, for example "91.66.43.124/32".

    2- set the static default route "0.0.0.0/0" pointing to the tunnel interface (no gateway), not to WAN anymore.

    The first route will ensure that the branch FGT can establish the VPN tunnel. The second route directs all traffic to the HQ FGT.

    On the HQ FGT:

    3- create one or more policies to allow branch traffic to the internet (tunnel to WAN, subnet_FAC1 to all). Enable NAT on these!


    Toshi_Esumi
    SuperUser
    May 20, 2019

    Just don't forget to adjust the phase2 network selectors appropriately, like [0/0<->local subnets], or back to the default [0/0<->0/0] if you have configured specific ones already.
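Putting the two replies above together as FortiOS CLI: the branch host route and tunnel default route, the HQ tunnel-to-WAN policy with NAT, and the phase2 selectors. This is an added example, not configuration from the thread; the tunnel names "to_HQ"/"to_FAC1", the ISP gateway 192.0.2.1, the branch LAN 10.1.0.0/24 and the existing address object "subnet_FAC1" are placeholders to replace with your own values.

```fortios
# --- Branch FGT (repeat on FAC1..FAC4) ---
# Step 1: host route to the HQ public IP via the ISP router on wan1,
# so the IPsec tunnel itself can still come up. 192.0.2.1 = ISP gateway (placeholder).
config router static
    edit 1
        set dst 91.66.43.124 255.255.255.255
        set gateway 192.0.2.1
        set device "wan1"
    next
    # Step 2: default route into the tunnel interface, no gateway.
    # "to_HQ" is the assumed phase1-interface name of the tunnel to HQ.
    # Delete (or raise the distance of) the old 0.0.0.0/0 route via wan1.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "to_HQ"
    next
end
# Phase2 selectors on the branch: local LAN -> anywhere (0/0) through the tunnel.
config vpn ipsec phase2-interface
    edit "to_HQ-p2"
        set phase1name "to_HQ"
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# --- HQ FGT ---
# Mirror selectors: 0/0 on the HQ side <-> branch LAN on the remote side.
config vpn ipsec phase2-interface
    edit "to_FAC1-p2"
        set phase1name "to_FAC1"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end
# Step 3: policy tunnel -> WAN for the branch subnet, NAT enabled so the
# branch hosts leave with the HQ WAN address. "subnet_FAC1" = 10.1.0.0/24 (assumed to exist).
config firewall policy
    edit 0
        set srcintf "to_FAC1"
        set dstintf "wan1"
        set srcaddr "subnet_FAC1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying it, confirm on a branch with "get router info routing-table all" that 0.0.0.0/0 points at the tunnel and only the /32 to HQ points at wan1, and on HQ check the policy hit counts rather than assuming traffic is flowing.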

    Cleyton
    New Member
    July 12, 2019

    Hello hmtung

    I'm having the same problem. I have several branches with a FortiGate 50E and a FortiGate 80E in the HQ, and I want branch internet traffic to go through the VPN tunnel and exit through the WAN of the HQ. Did you solve this problem?