I have following situation: I have two sites connected with an IPSec VPN tunnel. The tunnel is running and I can reach the servers of the other site without any problems from the internal network. So far so good.
Normally, my servers run in Site A. When I connect to the services there with an end device over the Internet, it works fine. Now I have set up the same servers in Site B as Hyper-V failover (with different IP addresses). What I want to achieve is: should the servers in Site A fail and the failover servers in Site B start, the firewall in Site A should not send the packets to the local server (which is not running), but to the servers in Site B via the VPN tunnel (like in the screenshot).
Can anyone tell me, is this even possible?
On Site A I tried to change the policies from the local server VLAN to the IPsec tunnel and reconfigured the VIPs, but the packets don't seem to arrive at the Site B firewall (according to the logs).
I would be glad if anyone could tell me if this scenario is even possible or not.
Top of mind, I'd probably approach this by using public DNS failover, so that when the servers are live in Site B the user traffic is processed by the Site B firewall. This would probably maintain consistency for the user experience instead of adding latency with the traffic traversing the IPsec tunnel. This would also allow for Site A to be completely down, letting Site B take over gracefully both on the server and network side. This type of failover is available through most major DNS providers. FortiGSLB could also be leveraged for this approach, and FortiADC could also handle this from a load balancing perspective.
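For the policy-based variant the question describes (a VIP on the Site A firewall forwarding over the tunnel to the standby server in Site B), here is an added FortiOS CLI example that is not from the original post or from Fortinet; interface names, addresses and object names are assumptions. The comments mark the three things that most often keep such packets from ever reaching the Site B firewall: no route for the mapped subnet, a source address outside the phase 2 selectors, and replies from Site B leaving by its default route instead of the tunnel.

```fortios
# Assumed: wan1 = Site A internet interface, vpn_siteB = Site A IPsec interface,
# 203.0.113.10 = public VIP, 10.20.0.10 = standby server in Site B,
# 10.10.0.0/24 = Site A LAN, already inside the phase 2 selectors on both sides.
# 1. Route the mapped subnet into the tunnel. Without it the DNAT'd packet
#    follows the default route and never touches the IPsec interface.
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "vpn_siteB"
    next
end
# 2. SNAT pool inside the Site A LAN range, so the tunnelled packet carries a
#    source the phase 2 selectors match and Site B replies over the tunnel
#    instead of via its own internet link (where the real client IP would go).
config firewall ippool
    edit "snat_siteA_lan"
        set type overload
        set startip 10.10.0.250
        set endip 10.10.0.250
    next
end
# 3. The VIP maps the public address to the Site B server.
config firewall vip
    edit "vip_web_siteB"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.20.0.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end
# 4. Policy from the internet to the tunnel interface, using the pool as SNAT.
config firewall policy
    edit 0
        set name "inet_to_siteB_web"
        set srcintf "wan1"
        set dstintf "vpn_siteB"
        set srcaddr "all"
        set dstaddr "vip_web_siteB"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "snat_siteA_lan"
    next
end
```

On the Site A firewall, `diagnose sniffer packet vpn_siteB 'host 10.20.0.10' 4` shows whether the translated packets actually enter the tunnel; on the Site B firewall, the policy from its IPsec interface to the server VLAN must allow the pool address as the source.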