Hey guys
I am hoping for some assistance/advice on best practice. We are currently running 2 x FortiGate appliances: one in HQ (200E) and one in the Branch Office (300E). (Bigger in the Branch Office as we use it to deliver Internet services to tenants.) Both have Internet breakout (1GB) and we also have a (1GB) P2P connection between both sites. I am looking to achieve the following:
Internal traffic between Branch and HQ to flow via the P2P. If the P2P goes down, then traffic should flow via a VPN.
All Internet traffic to break out locally; however, for business continuity I would like to be able to push the Internet traffic down the P2P link and break out at the relevant office, i.e. if HQ Internet goes down, route it via the P2P and break out at the Branch Office.
The firewalls are in place and running as is but don't have the failover configuration in place. I have had a brief look at SD-WAN but am unsure if this is the right way to go. From what I understand, if I were to go down the SD-WAN route I would need to remove the current policies on the interfaces before I can add them to the SD-WAN.
Another option I have investigated but not had much success is using 2 Routes and using system monitor to enable route after checks.
Any advice would be much appreciated.
There are basically three options. 1) SD-WAN, 2) Static routes with priority + linkmonitor, 3) Dynamic routing protocols.
You're right about the concern to go to SD-WAN. Besides, to me it's not flexible to accommodate multiple domains to balance/failover, like split internet and VPN traffic as SD-WAN1, 2, ... (similar to VRRP1, 2, ...).
If you want to stick to static routes, you can do that with priority. Use the default priority (0) for the P2P route and set a higher priority number, like 10, on the VPN route. Then set a link monitor through the P2P so that the main static route is removed when it goes down.
The dynamic routing option is what we regularly do because we're a multi-vendor environment and routing protocols are generally compatible throughout all routing devices. But it requires experience.
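The static-route-with-priority option from the reply above, written out as FortiOS CLI for the HQ side. This is an added example, not configuration from the thread or from Fortinet; it also extends the same technique to the Internet failover the question asks for (backup default route down the P2P). Interface names, the branch LAN 10.20.0.0/16, the P2P and ISP next hops, the tunnel name "to-branch" and the probe target are all assumed.

```fortios
# HQ FortiGate. Assumed: port1 = Internet (ISP gw 203.0.113.1),
# port3 = P2P (branch side 192.168.255.2), "to-branch" = IPsec interface.
config router static
    # Branch LAN via the P2P: default priority 0, i.e. preferred
    edit 1
        set dst 10.20.0.0 255.255.0.0
        set gateway 192.168.255.2
        set device "port3"
    next
    # Same destination via the VPN: higher number = used only as backup
    edit 2
        set dst 10.20.0.0 255.255.0.0
        set device "to-branch"
        set priority 10
    next
    # Default route: local Internet breakout first
    edit 3
        set gateway 203.0.113.1
        set device "port1"
    next
    # Backup default route down the P2P, breaking out at the branch
    edit 4
        set gateway 192.168.255.2
        set device "port3"
        set priority 10
    next
end
config system link-monitor
    # Ping the branch across the P2P; 3 lost probes withdraw every static
    # route on port3 (routes 1 and 4), so routes 2 and 3 take over
    edit "mon-p2p"
        set srcintf "port3"
        set server "192.168.255.2"
        set protocol ping
        set gateway-ip 192.168.255.2
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
    # Ping a host beyond the ISP gateway; on failure withdraw route 3
    edit "mon-wan"
        set srcintf "port1"
        set server "<public-probe-ip>"
        set protocol ping
        set gateway-ip 203.0.113.1
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end
```

The branch FortiGate needs the mirror-image routes and monitors, plus a firewall policy from its P2P interface to its WAN with NAT, otherwise HQ Internet traffic arriving over the P2P during a failover has nowhere to go.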