Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek
Contributor

Branch fortigate setup advice needed

Hi,

I would like to connect branch 80f fortgates to main HQ using sd-wan, conditions that must be meet:

1.branch internet is routed back thru HQ fortigate

2.access from internet like wan management and SSL VPN on branch should be possible

3.access to other lan subnets on branch side should be accessible.

 

Now my concerns:

1. If I create ipsec tunnels between HQ and branch in tunnel mode so remote branch subnet 172.50.1.0/24 will have in ipsec selector destination as 0.0.0.0/0 - then I will not have access to other local subnets on branch side because ipsec steal all traffic and push to HQ.

2.If I create ipsec in interface mode, then I need to create static route with destination like 0.0.0.0/0 and gateway ipsec interface - in this scenario, any incoming connection from internet like remote web management or SSL VPN will be pushed throught ipsec tunnel = no connection.

 

How could I resolve this issues?

27 REPLIES 27
Tutek

ok, so in Network-->Static Routes I wiped everything.

on SD-WAN zone I have changed wan1 and wan2 links cost to be higher that two ipsec interfaces in zone "Centrala" :

Tutek_0-1668581131924.png

Now created sd-wan rules, one from local to any ( HQ Internet) with Zone preference "Centrala". And another one to access fortigate to local wan links, so source all an destination all, with zone preference virtual-wan-link.

Tutek_1-1668581339554.png

 

The results are that earlier I could ping and access to wan2 interface now i can't.

 

distillednetwork

you still need the 0.0.0.0/0 routes with the SDWAN zones in the route table.

 

If you are looking for user traffic to only use the Centrala SDWAN zone, then you don't need sdwan rule 2.  Local Out traffic (traffic generated by the Fortigate, ie logs, fortiguard, authrequests, etc) have settings to use either SDWAN rules or specify interfaces as well.  This article talks about the Functionality of set interface-select method:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Functionality-of-set-interface-select-meth...

 

 

Tutek

You told me in previous post "If you want to use SD-WAN then you just need to create the SD-WAN rule to steer the traffic. "

so do I need anything in static routing or can I setup all in sd-wan rules, if I care about web management and incoming ssl vpn?

Tutek_0-1668612523086.png

Deleted rule 2 from sd-wan, so now when I want to create another sd-wan rule, to allow local branch lan to access mgmt subnet on HQ side using "Centrala" zone, do I need configure the same routing in network--static routing?

Tutek_1-1668612855869.png

Tutek_2-1668612948525.png

 

 

That is, if I understand correctly so every rule added in sd-wan should have its equivalent in network-->static rules, right?

 

distillednetwork

sorry for the confusion, my statement "If you want to use SD-WAN then you just need to create the SD-WAN rule to steer the traffic." was about not having to set the Priority values.

 

When you create and SDWAN rule, you are basically creating a policy route and policy routes have precedence over static routes.  You can see them by doing #diagnose firewall proute list.

 

SDWAN rules are to steer outbound user traffic through specific interfaces based on the defined parameters.  So if you want they to access the HQ management you just need to have the appropriate sdwan rule for the source/destination/interfaces needed.  The extra static route is not necessary.

 

I hope that helps to clarify the way sdwan works in relationship to the routing table.

gfleming

You might do well to review the SD-wAN documentation so you can fully understand what it is that you are deploying: https://docs.fortinet.com/document/fortigate/6.4.11/administration-guide/218559/configuring-the-sd-w...

Cheers,
Graham
Tutek

Thanks Graham for sure will read it.

I also found such an interesting site https://docs.fortinet.com/sdwan/7.0 

that I want to familiarize myself with.

Tutek
Contributor

So if sd-wan rules (policy rules) have higher precedence overs static, then why having this second config at sd-wan:

Tutek_0-1668614697016.png

 

at the same time having empty static routes, it didn't work (i.e. I lost access to wan interfaces)?

distillednetwork
Contributor III

Rule 2 in that screen shot would not be necessary unless you had other subnets not defined in the "lan address" object that needed access to the internet

Tutek
Contributor

I just can't understand why this one sd-wan rule that was configured:

source (all) destination (all) go to wan1, wan2 

didn't work  - I lost access to the router on wan interfaces.
As soon as I added the static route in Network-->Static Routes:
destination 0.0.0.0/0 ---> gateway virtual-wan-link (wan1, wan2) then immediately wan access started working. After all, as you say sd-wan rules are more important than static rutes.

distillednetwork

Like I mentioned though, SDWAN rules only apply to forward traffic on the network.  Any Local traffic on the fortigate (Management, DNS, Fortiguard, etc) is not handled in the same manner since it is self-originating and not forwarded through the device.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors