You may need two different sets of LAN -> SD-WAN policies (Policy & Objects -> IPv4 Policy). One for the underlay WAN links with NAT and two (VPN in and VPN out) for the overlay VPN tunnels going to an internal address range without NAT.
-------------------------------------------
Original Message:
Sent: 12-30-2019 17:39
From: Chris Sieber
Subject: SDWAN and internet breakout
Did this ever work for you? I am building out Internet Breakout as well now, and have tried Peter's suggestions but still must be missing something. Also, I assume you are making this work with NAT on the policy as well?
Original Message:
Sent: 08-07-2019 03:49
From: Sean Cunneen
Subject: SDWAN and internet breakout
Thanks Peter, I think that makes sense. I will give it a go.
Original Message:
Sent: 08-06-2019 17:52
From: Peter Chen
Subject: SDWAN and internet breakout
Hi Sean,
Like with anything else on the FortiGate there are various ways to accomplish this.
However, if you want the local breakout traffic to leverage the SD-WAN controller, I suggest adding the parent physical interfaces of those two IPSEC tunnels (for example WAN1 & WAN2) as SD-WAN members. Next, create Performance SLAs to reachable targets on the Internet with these two interfaces as participating members. Finally, create explicit SD-WAN rules with those two interfaces as part of the rule. Hope this helps.
Original Message:
Sent: 08-06-2019 10:44
From: Sean Cunneen
Subject: SDWAN and internet breakout
I have two direct internet connections provisioned for a branch site. I have configured the SDWAN using IPSEC tunnels to link the branch back to the HQ. Currently all internet traffic is routed via HQ over the SDWAN interface.
Is it possible to allow local internet breakout without adding additional links? And where is this configured? I can't find this scenario in the cookbook.
Cheers
