Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Best Design Options - Dual VPN & point to point fiber/ethernet connection

Hi All,


I'm new to Fortinet/Fortigates and so I have been reading a lot of Cookbooks the last week or so, but I thought I'd get some input here as well on designing this for automatic fail over and redundancy.


We have purchased two 200E units.  One will be located at a data center and the other at the main office.  At the main office, we have two internet connections and will have an Ethernet handoff from a local fiber provider that will give us a 1Gbps connection to the data center as well.  At the data center, we'll have one internet connection and the other side of the fiber/ethernet connection.


I wanted to make sure I'm on the right track here so I thought I'd run this by everyone to see if you have any additional thoughts.


Main Office:

Created SD-WAN Interface with two internet connections with performance SLA.

Created two VPN tunnels to data center with the individual internet connections and modified static route distances.


At Main Office and Data Center:

Created VPN tunnel to main office with single internet connection


Both Locations:

Once the point to point is delivered, I will add it to another interface and add another static route with a lower distance than the VPN(s).

I'll then add a system link-monitor to both ends of the point to point in order to monitor it for failure and automatically bring up the VPN.





Esteemed Contributor III

That would work. I would use a routing protocol like BGP between two locations though.

But technically you can put those all three VPNs+P2P links on the same SD-WAN at the main office with those internet interfaces (totally 5 member interfaces), at the same time setting up SD-WAN on the datacenter side (3 member interfaces or 4), then you set the same criteria on both sides to use one of them at a time per traffic type for both directions.

But I haven't seen a report on the forum from whom succeeded this yet.


New Contributor

Instead of differentiating distance you may want to use priority instead.  Generally we make tunnel-interface's with /32 IP's assigned.  We then run the link-monitor's over those tunnels with the tunnel-interface IP's being the source and destination of the link-monitor check.  This way the primary and failover tunnel is up and ready to go, the routes are in the routing table, and there is no need for the secondary tunnel to negotiate or come online.  Ultimately this leads to faster failover times and by setting IP's on the tunnel interfaces you have more granularity in how you configure your link-monitor policies.  Also if you ever decide to run OSPF or BGP over the tunnel's you already have IP's on them ready to go.  


Also make sure to setup a blackhole route for all private IP space.  This way the Fortigate will never forward the traffic to its default gateway/s if the tunnel is down.