FortiGate
Nivedha, Staff
Article Id 372268
Description This article describes how to configure ADVPN2.0 on existing ADVPN1.0 tunnels.
Scope FortiGate v7.4.2+.
Solution ADVPN 2.0 is available from FortiGate 7.4.2 onwards and was introduced to overcome the weaknesses of ADVPN 1.0 when it is configured together with SD-WAN.

ADVPN 2.0 adds functionality in two areas: edge discovery and path management.

In Edge Discovery, the following is added:
  • The shortcut-query must be delivered to the remote node through any available path.
  • The shortcut-reply is extended to carry the remote spoke's participating links, their health-check results, and their transport groups.

Transport Groups are added to each member under the SD-WAN configuration. Members of the same transport group can create shortcuts with each other.

config system sdwan
    config zone
        edit <zone-name>
            set advpn-select {enable | disable}  <----- Enable means ADVPN2.0 is enabled.
            set advpn-health-check <health-check name>  <----- This health check information is sent to other spokes in shortcut-reply.
        next
    end

    config members
        edit <integer>
            set transport-group <integer>  <----- Transport group ID can be added here.
        next
    end

    config service
        edit <integer>
            set shortcut-priority {enable | disable | auto}  <----- Enable or disable the option to prioritize ADVPN shortcuts over overlay parent interfaces when SLA mode or link cost factor mode conditions are met.
        next
    end
end


In Path Management, the following is added:

  • Path selection is determined by combining local information, remote information, and the SD-WAN rule mode (sla, priority).

Based on the information received about the links of the other spokes, a local spoke chooses the path over which to create the shortcut.
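To make the path-management rule concrete, the following is an added illustrative model (not FortiOS code and not the article's own example): it takes the local members' transport groups and SLA state, the links advertised in a remote spoke's shortcut-reply, and the rule mode, and returns the (local member, remote link) pair a shortcut would use. The Link fields, the priority ordering and the exact mode semantics are simplifying assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Link:
    """One local SD-WAN member, or one link advertised in a shortcut-reply (assumed fields)."""
    name: str
    transport_group: int   # value of 'set transport-group' under config members
    sla_met: bool          # health-check result for this link
    priority: int          # link priority; lower is preferred (assumed ordering)

def candidate_pairs(local: List[Link], remote: List[Link]) -> List[Tuple[Link, Link]]:
    """Only members of the same transport group may form a shortcut with each other."""
    return [(l, r) for l in local for r in remote if l.transport_group == r.transport_group]

def select_shortcut_path(local: List[Link], remote: List[Link], mode: str) -> Optional[Tuple[str, str]]:
    """Combine local state, the remote shortcut-reply and the rule mode (simplified model).
    'sla': only pairs meeting SLA on both ends are eligible; best priority wins.
    'priority': ranked by priority; pairs out of SLA on either end sink to the bottom."""
    pairs = candidate_pairs(local, remote)
    if mode == "sla":
        pairs = [p for p in pairs if p[0].sla_met and p[1].sla_met]
        key = lambda p: (p[0].priority + p[1].priority, p[0].name, p[1].name)
    elif mode == "priority":
        key = lambda p: (not (p[0].sla_met and p[1].sla_met),
                         p[0].priority + p[1].priority, p[0].name, p[1].name)
    else:
        raise ValueError(f"unsupported rule mode: {mode}")
    if not pairs:
        return None   # no eligible pair: traffic stays on the overlay parent via the hub
    best = min(pairs, key=key)
    return best[0].name, best[1].name

# Constructed sample: the local spoke's members and one remote spoke's shortcut-reply.
LOCAL_MEMBERS = [
    Link("isp1_ipsec", transport_group=1, sla_met=True, priority=1),
    Link("lte_ipsec",  transport_group=2, sla_met=True, priority=2),
]
REMOTE_REPLY = [
    Link("wan1_ipsec", transport_group=1, sla_met=False, priority=1),
    Link("wan2_ipsec", transport_group=1, sla_met=True,  priority=2),
    Link("mpls_ipsec", transport_group=3, sla_met=True,  priority=1),
]

if __name__ == "__main__":
    for mode in ("sla", "priority"):
        print(mode, "->", select_shortcut_path(LOCAL_MEMBERS, REMOTE_REPLY, mode))
```

Note that lte_ipsec and mpls_ipsec never pair because no link on the other side shares their transport group, which is exactly the constraint the transport-group setting enforces.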


To check what information is being sent by the remote spoke, use the 'diagnose sys sdwan advpn-session' command:

[Screenshot: output of 'diagnose sys sdwan advpn-session']

The output shows:
  • The selected path per service ID.
  • The selected local interface and remote IP (underlay and overlay).
  • These selections can change as health-check information is updated.


Related documents:
ADVPN2.0 Admin Guide
ADVPN2.0 New features

Technical Tip: How ADVPN 2.0 is different from ADVPN 1.0