Hi,
I would like to connect branch 80f fortgates to main HQ using sd-wan, conditions that must be meet:
1.branch internet is routed back thru HQ fortigate
2.access from internet like wan management and SSL VPN on branch should be possible
3.access to other lan subnets on branch side should be accessible.
Now my concerns:
1. If I create ipsec tunnels between HQ and branch in tunnel mode so remote branch subnet 172.50.1.0/24 will have in ipsec selector destination as 0.0.0.0/0 - then I will not have access to other local subnets on branch side because ipsec steal all traffic and push to HQ.
2.If I create ipsec in interface mode, then I need to create static route with destination like 0.0.0.0/0 and gateway ipsec interface - in this scenario, any incoming connection from internet like remote web management or SSL VPN will be pushed throught ipsec tunnel = no connection.
How could I resolve this issues?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 11-15-2022 10:49 PM Edited on 11-15-2022 11:12 PM
ok, so in Network-->Static Routes I wiped everything.
on SD-WAN zone I have changed wan1 and wan2 links cost to be higher that two ipsec interfaces in zone "Centrala" :
Now created sd-wan rules, one from local to any ( HQ Internet) with Zone preference "Centrala". And another one to access fortigate to local wan links, so source all an destination all, with zone preference virtual-wan-link.
The results are that earlier I could ping and access to wan2 interface now i can't.
you still need the 0.0.0.0/0 routes with the SDWAN zones in the route table.
If you are looking for user traffic to only use the Centrala SDWAN zone, then you don't need sdwan rule 2. Local Out traffic (traffic generated by the Fortigate, ie logs, fortiguard, authrequests, etc) have settings to use either SDWAN rules or specify interfaces as well. This article talks about the Functionality of set interface-select method:
You told me in previous post "If you want to use SD-WAN then you just need to create the SD-WAN rule to steer the traffic. "
so do I need anything in static routing or can I setup all in sd-wan rules, if I care about web management and incoming ssl vpn?
Deleted rule 2 from sd-wan, so now when I want to create another sd-wan rule, to allow local branch lan to access mgmt subnet on HQ side using "Centrala" zone, do I need configure the same routing in network--static routing?
That is, if I understand correctly so every rule added in sd-wan should have its equivalent in network-->static rules, right?
sorry for the confusion, my statement "If you want to use SD-WAN then you just need to create the SD-WAN rule to steer the traffic." was about not having to set the Priority values.
When you create and SDWAN rule, you are basically creating a policy route and policy routes have precedence over static routes. You can see them by doing #diagnose firewall proute list.
SDWAN rules are to steer outbound user traffic through specific interfaces based on the defined parameters. So if you want they to access the HQ management you just need to have the appropriate sdwan rule for the source/destination/interfaces needed. The extra static route is not necessary.
I hope that helps to clarify the way sdwan works in relationship to the routing table.
You might do well to review the SD-wAN documentation so you can fully understand what it is that you are deploying: https://docs.fortinet.com/document/fortigate/6.4.11/administration-guide/218559/configuring-the-sd-w...
Created on 11-16-2022 10:42 AM Edited on 11-16-2022 10:43 AM
Thanks Graham for sure will read it.
I also found such an interesting site https://docs.fortinet.com/sdwan/7.0
that I want to familiarize myself with.
So if sd-wan rules (policy rules) have higher precedence overs static, then why having this second config at sd-wan:
at the same time having empty static routes, it didn't work (i.e. I lost access to wan interfaces)?
Rule 2 in that screen shot would not be necessary unless you had other subnets not defined in the "lan address" object that needed access to the internet
I just can't understand why this one sd-wan rule that was configured:
source (all) destination (all) go to wan1, wan2
didn't work - I lost access to the router on wan interfaces.
As soon as I added the static route in Network-->Static Routes:
destination 0.0.0.0/0 ---> gateway virtual-wan-link (wan1, wan2) then immediately wan access started working. After all, as you say sd-wan rules are more important than static rutes.
Like I mentioned though, SDWAN rules only apply to forward traffic on the network. Any Local traffic on the fortigate (Management, DNS, Fortiguard, etc) is not handled in the same manner since it is self-originating and not forwarded through the device.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1710 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.