Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Branch fortigate setup advice needed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Branch fortigate setup advice needed
Hi,
I would like to connect branch 80f fortgates to main HQ using sd-wan, conditions that must be meet:
1.branch internet is routed back thru HQ fortigate
2.access from internet like wan management and SSL VPN on branch should be possible
3.access to other lan subnets on branch side should be accessible.
Now my concerns:
1. If I create ipsec tunnels between HQ and branch in tunnel mode so remote branch subnet 172.50.1.0/24 will have in ipsec selector destination as 0.0.0.0/0 - then I will not have access to other local subnets on branch side because ipsec steal all traffic and push to HQ.
2.If I create ipsec in interface mode, then I need to create static route with destination like 0.0.0.0/0 and gateway ipsec interface - in this scenario, any incoming connection from internet like remote web management or SSL VPN will be pushed throught ipsec tunnel = no connection.
How could I resolve this issues?
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
27 REPLIES 27
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Tutek , SDWAN rules will help to properly route the traffic.
All you need is to properly configure the SDWAN rules.
I would go in this way:
1. Traffic traversing the Fortigate destined for the HQ and Internet to be routed via SDWAN rules towards the HQ via IPSEC tunnels.
2. management access to Branch FGT and sslvpn via static default routes.
Ahmad
Ahmad
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
in point 1 you have to configure rule with local subnet 172.50.1.0/24 and destination 0.0.0.0/0 (internet), how then users from this local subnet will access to other local subnet 172.50.2.0/24 ? - this will not work
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
More specific routes take precedence. 172.50.2.0/24 is a more specific route than 0.0.0.0/0 so it will be chosen first. Any traffic that doesn't match any other specific routes will be sent to the default gateway. This is basic network routing.
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I came from microtik where ipsec selectors don't care even on locally connected subnets what is in ipsec selectors then it is steal by ipsec.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That seems like really weird behaviour. But yes, IPsec in Fortigate (and many other vendor) selector only comes into play if the traffic is routed towards the interface that is attached to the IPSec tunnel.
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I will have two defaults routes, one in sd-wan rules with destination to 0.0.0.0/0 (internet) thru ipsec tunnel. And the second system default route with destination 0.0.0.0/0 thru wan1 (management, ssl vpn) right ?- will this work?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would set the interface mode on the IPSEC with BGP personally. If you want to do static routes you can. Any connected interfaces will have priority in the route table over a static route so SSL-VPN will not be an issue. If want direct access into the fortigate from the wan but not have clients go out that same wan, then when you create the default route for the WAN port, set the distance the same as the route to the VPN tunnel but have a priority value on the route higher. This will allow it to be in the route table (to accept incoming connections) but will send data out the other wan port.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to configure router in your way, first created two ipsec tunnels and added as sd-wan members "Centrala" but this is impossible to set priority to routes with destination 0.0.0.0/0 it always automatically set 1. So I have static route to ipsec SD-WAN zone with priority 1, and static route to virtual-wan-link priority 1.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The priorities would be if you are not using SD-WAN. If you want to use SD-WAN then you just need to create the SD-WAN rule to steer the traffic. If you never want internet traffic to go out the virtual-wan-link ports then you can adjust the interface cost under the SD-WAN zone/interface configuration.
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/328009/interface-cost
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- ForticlientVPN - Permission denied (-455) 372 Views
- ADVPN Tunnel Packet Loss Issues 214 Views
- Problem with Configure SAML SSO for... 132 Views
- Issues with FortiClient EMS on macOS 240 Views
- Issues with IPsec VPN and RTSP... 187 Views
Labels
-
FortiGate
8,403 -
FortiClient
1,699 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
401 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
5.0
196 -
FortiWeb
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
28 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.