
3-Hub multi branch VPN config

Hi All, I've attached a .jpg explaining what I'm looking to do, but I'm new to FortiGate products so still lower on the learning curve.


I've got a central HQ with 2 ISPs, and address space of our own using BGP for failover capability.

I've got 2 data centers where a majority of the servers run.

Those 3 sites are all connected with high speed 10GB capable routed links, sharing routes using OSPF.

All 3 sites are running 601Es in HA mode, with everything dual-connected.


I have multiple branch offices that need access to the 3 sites.  Some branches have multiple ISPs.  A few have only a single.

All branches will need access to at least HQ and DC1, and we would like DC2 as an option also, because as long as you hit one of the 3 connected hubs, you're on the ring and can get where you need to go. The branches don't necessarily need to communicate with each other, so I'm not sure if I'd have them mesh, or not.


I'm not sure if I'm better off configuring static tunnels on all of the links between all of the data centers, or if ADVPN would be the better way to go. At this point, I've done some static tunnels on the FortiGate, but never done ADVPN, so that would be new for me.


Does anyone have any good input on the best way to attack this?


Also, in theory, since we have BGP running with our own IPv4 space at HQ, we could build a single tunnel to HQ over the active provider, but I assume with SD-WAN we're better off doing dual tunnels, one to each ISP's actual physical connection, and let SD-WAN pick the better provider?


Thanks for any tips you can throw in.

