Cybersecurity Forum


SeanCunn
New Contributor

SDWAN and internet breakout

I have two direct internet connections provisioned for a branch site. I have configured the SDWAN using IPSEC tunnels to link the branch back to the HQ. Currently all internet traffic is routed via HQ over the SDWAN interface.

Is it possible to allow local internet breakout without adding additional links? And where is this configured? I can't find this scenario in the cookbook.

Cheers
PeteChen
Staff

Hi Sean,

Like with anything else on the FortiGate there are various ways to accomplish this.
However, if you want the local breakout traffic to leverage the SD-WAN controller, I suggest adding the parent physical interfaces of those two IPSEC tunnels (for example WAN1 & WAN2) as SD-WAN members. Next, create Performance SLAs to reachable targets on the Internet with these two interfaces as participating members. Finally, create explicit SD-WAN rules with those two interfaces as part of the rule. Hope this helps.
SeanCunn

Thanks Peter, I think that makes sense. I will give it a go.
ChriSieb

Did this ever work for you? I am building out Internet Breakout as well now, and have tried Peter's suggestions but still must be missing something. Also, I assume you are making this work with NAT on the policy as well?
PeteChen

You may need two different sets of LAN -> SD-WAN policies (Policy & Objects -> IPv4 Policy). One for the underlay WAN links with NAT and two (VPN in and VPN out) for the overlay VPN tunnels going to an internal address range without NAT.

-------------------------------------------
Original Message: Sent 12-30-2019 17:39, From: Chris Sieber, Subject: SDWAN and internet breakout
Original Message: Sent 08-07-2019 03:49, From: Sean Cunneen, Subject: SDWAN and internet breakout
Original Message: Sent 08-06-2019 17:52, From: Peter Chen, Subject: SDWAN and internet breakout
Original Message: Sent 08-06-2019 10:44, From: Sean Cunneen, Subject: SDWAN and internet breakout
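As an added illustration of Peter's two replies (underlay WAN interfaces as SD-WAN members with a performance SLA and explicit rules, plus a NAT policy for breakout and a no-NAT policy for the overlay), here is FortiOS 6.2-era CLI. This is not configuration from the thread; interface names, address objects, gateways and the SLA target are assumptions.

```fortios
# Added example, not from the thread. "wan1"/"wan2" are the tunnels' parent
# interfaces; "HQ-VPN1", "LAN-subnet", "HQ-subnets" and the gateways are assumed.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
        edit 3
            set interface "HQ-VPN1"
        next
    end
    config health-check
        edit "Internet"
            set server "1.1.1.1"
            set members 1 2
        next
    end
    config service
        edit 1
            set name "To-HQ"
            set dst "HQ-subnets"
            set priority-members 3
        next
        edit 2
            set name "Local-Internet"
            set dst "all"
            set priority-members 1 2
        next
    end
end
# Breakout policy with NAT. A LAN -> virtual-wan-link policy for "HQ-subnets"
# with "set nat disable" must sit above it, so overlay traffic is not NATed.
config firewall policy
    edit 11
        set name "LAN-Internet-Breakout"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "LAN-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

SD-WAN rules are matched top-down, so the HQ rule limited to "HQ-subnets" comes first and the catch-all Internet rule last; otherwise Internet-bound traffic (including the ping test later in this thread) can be steered into the tunnels. A static default route through virtual-wan-link is also required for the members to be used.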
ChriSieb

Thanks Peter for the quick reply. I have separate IPV4 policy rules for SDWAN vs. local internet breakout. There is something basic missing here. I'll do some digging and update if I find anything.

Chris
PeteChen

What issue are you currently seeing?
ChriSieb

I am trying to ping a local WAN gateway via the underlay from the FortiGate LAN interface through the WAN interface (to emulate local LAN traffic). Ping is not working. Basically:

LAN-----[FG1,NAT]---------underlay-[WAN Gateway]

Pretty simple, SDWAN tunnels are up.
PeteChen

If your policies are in place, then the next thing I'd look at would be the routing and then SD-WAN rules.
It's possible that due to SD-WAN rules the pings are trying to go out the overlay tunnels which would probably be a no go.

Good luck.
ChriSieb

That's where I'm heading. Thanks, I'll keep you posted.

Chris Sieber | NFV Services
NTT Global Networks
m: +1.303.828.7549
o: +1.720.475.4107
csieber@nttglobal.net