Nivedha
Staff
Article Id 372268
Description: This article describes how to configure ADVPN v2.0 on existing ADVPN v1.0 tunnels.
Scope: FortiGate v7.4.2 and later.
Solution: ADVPN v2.0 was introduced in FortiGate v7.4.2 to overcome the weaknesses of ADVPN v1.0 when it is configured together with SD-WAN.

ADVPN v2.0 focuses on two areas: edge discovery and path management.

In Edge Discovery, the following is added:
  • The shortcut-query must be delivered to the remote node through any available path.
  • The shortcut-reply is extended (with remote spokes’ participating links & health-checks, and transport-groups).

Transport Groups are added to each member under the SD-WAN configuration. Members of the same transport group can create shortcuts with each other.


config system sdwan
    config zone
        edit <zone-name>
            set advpn-select {enable | disable}  <----- Enable means ADVPN v2.0 is enabled.
            set advpn-health-check <health-check name> <----- This health check information is sent to other spokes in shortcut-reply.
        next
    end

    config members
        edit <integer>
            set transport-group <integer>  <----- Transport group ID can be added here.
        next
    end

    config service
        edit <integer>
            set shortcut-priority {enable | disable | auto}  <----- Enable or disable the option to prioritize ADVPN shortcuts over overlay parent interfaces when SLA mode or link cost factor mode conditions are met.
        next
    end
end


In cases where a branch has interfaces that cannot establish shortcuts with each other, such as MPLS and ISP links, the configuration below can be used: every SD-WAN member is assigned a transport group.
VPN1 and VPN2 are overlay interfaces established via the ISP. VPN3 is an overlay interface established over MPLS. VPN1 and VPN2 are placed in 'transport-group 1', while VPN3 is placed in 'transport-group 2'.
This instructs the spoke FortiGate to build shortcuts only between members of the same transport group.


config members
    edit 1
        set interface "VPN1" <----- ISP.
        set zone "overlay"
        set transport-group 1
    next
    edit 2
        set interface "VPN2" <----- ISP.
        set zone "overlay"
        set transport-group 1
    next
    edit 3
        set interface "VPN3" <----- MPLS.
        set zone "overlay"
        set transport-group 2
    next
end
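The two CLI fragments above (the zone and member settings, and the transport-group assignment for ISP versus MPLS overlays) are easy to get slightly wrong on a large estate, for example an ADVPN v2.0 zone with no health check, or a member left without a transport group. The following script is an added example written for this article, not Fortinet code: it parses a FortiOS-style config/edit/set/next/end fragment (including the '<-----' annotations used in this article), reports the zones that have 'advpn-select enable', lists which member pairs share a transport group and are therefore eligible to form shortcuts with each other, and flags members without an explicit transport-group. The sample configuration embedded in it is constructed for illustration; the zone name, health-check name and interface names are assumptions, and the script treats a missing transport-group only as something to review, since the article does not state what the default value is.

```python
"""Check a FortiOS SD-WAN config fragment for ADVPN v2.0 transport-group consistency.

Added example for this article (not Fortinet code). Parses only the
config/edit/set/next/end nesting shown in the article; the sample below is
constructed, and the names in it are assumptions.
"""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: zone 'overlay' with ADVPN v2.0 enabled, two ISP overlays
# in transport-group 1, one MPLS overlay in transport-group 2, and one member
# (VPN4) that was forgotten and has no transport-group at all.
SAMPLE_CONFIG = """
config system sdwan
    config zone
        edit "overlay"
            set advpn-select enable                 <----- ADVPN v2.0 on
            set advpn-health-check "HC_ADVPN"
        next
    end
    config members
        edit 1
            set interface "VPN1"                    <----- ISP.
            set zone "overlay"
            set transport-group 1
        next
        edit 2
            set interface "VPN2"                    <----- ISP.
            set zone "overlay"
            set transport-group 1
        next
        edit 3
            set interface "VPN3"                    <----- MPLS.
            set zone "overlay"
            set transport-group 2
        next
        edit 4
            set interface "VPN4"
            set zone "overlay"
        next
    end
end
"""


def _unquote(tok):
    return tok.strip().strip('"')


def parse_fortios(text):
    """Return {table: {entry_id: {key: value}}} for every 'config <table>' block.

    Nested tables are keyed by the last word of the 'config' line, so
    'config system sdwan' becomes 'sdwan', 'config zone' becomes 'zone'.
    Article-style '<-----' annotations are stripped before parsing.
    """
    tables = {}
    stack = []      # names of the currently open 'config' blocks
    entry = None    # (table, entry_id) of the currently open 'edit'
    for raw in text.splitlines():
        line = raw.split('<-----')[0].strip()
        if not line:
            continue
        m = re.match(r'^config\s+(.+)$', line)
        if m:
            name = m.group(1).split()[-1]
            stack.append(name)
            tables.setdefault(name, {})
            continue
        m = re.match(r'^edit\s+(.+)$', line)
        if m and stack:
            entry = (stack[-1], _unquote(m.group(1)))
            tables[entry[0]].setdefault(entry[1], {})
            continue
        m = re.match(r'^set\s+(\S+)\s+(.+)$', line)
        if m and entry:
            tables[entry[0]][entry[1]][m.group(1)] = _unquote(m.group(2))
            continue
        if line == 'next':
            entry = None
        elif line == 'end' and stack:
            stack.pop()
    return tables


def advpn2_report(tables):
    """Return (findings, shortcut_pairs) for every zone with advpn-select enabled.

    findings: list of human-readable issues to review.
    shortcut_pairs: {zone: sorted list of (ifaceA, ifaceB)} sharing a transport group.
    """
    findings, pairs = [], {}
    for zname, zcfg in tables.get('zone', {}).items():
        if zcfg.get('advpn-select') != 'enable':
            continue
        if 'advpn-health-check' not in zcfg:
            findings.append(f"zone {zname}: advpn-select enabled but no advpn-health-check set")
        groups = defaultdict(list)
        for mid, mcfg in tables.get('members', {}).items():
            if mcfg.get('zone') != zname:
                continue
            iface = mcfg.get('interface', f'member {mid}')
            tg = mcfg.get('transport-group')
            if tg is None:
                # Default behaviour is not stated in the article; flag for review.
                findings.append(f"member {mid} ({iface}) in zone {zname}: no explicit transport-group")
                continue
            groups[tg].append(iface)
        pairs[zname] = sorted(p for ifaces in groups.values()
                              for p in combinations(sorted(ifaces), 2))
    return findings, pairs


if __name__ == '__main__':
    f, p = advpn2_report(parse_fortios(SAMPLE_CONFIG))
    print('shortcut-eligible pairs:', p)
    print('findings:', *f, sep='\n  ')
```

Run it against a `show system sdwan` dump from a spoke to see which member pairs the configuration actually allows to form shortcuts; in the constructed sample only VPN1/VPN2 share a transport group, VPN3 is alone in group 2, and VPN4 is reported for review.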


In Path Management, the following is added:

Path selection is determined by combining local information, remote information, and the SD-WAN rule mode (sla, priority).

Based on the information received from all links on other spokes, local spokes choose a path with which to create shortcuts.


To check what information is being sent by the remote spoke, use the 'diagnose sys sdwan advpn-session' command:

[Screenshot: output of 'diagnose sys sdwan advpn-session']
This command gives the following:
  • Selected path per service ID.
  • Information about the selected local interface and remote IP (underlay and overlay).
  • This can change as health information is updated.


Note: By default, ADVPN v2.0 is disabled. This means that after upgrading to FortiOS v7.4.2, ADVPN v1.0 will continue to operate unless the ADVPN v2.0 framework is explicitly enabled. ADVPN v2.0 must be enabled per SD-WAN zone. Before migrating to ADVPN v2.0, ensure that all devices are upgraded to FortiOS v7.4.2 or later.

ADVPN v1.0 and ADVPN v2.0 can coexist in a mixed environment. However, for full interoperability and to leverage the benefits of ADVPN v2.0, all participating devices should be upgraded to FortiOS v7.4.2.


Related documents:
ADVPN2.0 Admin Guide
ADVPN2.0 New features

Technical Tip: How ADVPN 2.0 is different from ADVPN 1.0
BGP overlay for ADVPN2.0