Hi,
I have some questions about some changes we are about to make on our FortiGate 501E stack. We are connecting 2 WAN (WAN1 and WAN2) connections to our FortiGate 501E. Both interfaces have their own public IP. Outbound/inbound connectivity should fail over if 1 link fails. We prefer to use WAN1 if available. We also use BGP to announce a set of IPs. I will have 2 BGP neighbors. WAN1 and WAN2 both have their own neighbor.
Some questions about this:
* For the dual WAN, is the best option to use SDWAN?
* If I create the SDWAN and add the 2 interfaces to it (WAN1 cost 0, WAN2 cost 10), do I still need to create an SLA policy?
* A VIP IP can't be assigned to the SDWAN interface. If the VIP is bound to WAN1, will it still work when WAN1 is down?
* Same for VPN tunnel. It can't be bound to SDWAN, only to an SDWAN member (WAN1).
* How do I force that all BGP announced traffic comes via WAN1? So I want that the shortest route is announced via WAN1. Can I do a path extension or something on the WAN2 neighbor?
Thanks!
Did you ever get this accomplished? I missed this post but I do have some experience with this due to our own environment.
I would guess that SD-WAN is not the best option for you since it sounds like you have your own address space. It would probably not do what you would be expecting it to do since your inbound traffic would choose ISP based on BGP routes.
* For the dual WAN, is the best option to use SDWAN?
SDWAN is for outbound traffic
* If I create the SDWAN and add the 2 interfaces to it (WAN1 cost 0, WAN2 cost 10), do I still need to create an SLA policy?
I would; in fact I would make all traffic prefer wan1 or wan2.
* A VIP IP can't be assigned to the SDWAN interface. If the VIP is bound to WAN1, will it still work when WAN1 is down?
IDNK but gut feeling says no.
* Same for VPN tunnel. It can't be bound to SDWAN, only to an SDWAN member (WAN1)
That's correct, you're bound to the physical interfaces (wan1 or wan2), so for HA VPN using dynamic routing is the best method (OSPF, RIP, BGP); control traffic by metric.
* How do I force that all BGP announced traffic comes via WAN1? So I want that the shortest route is announced via WAN1. Can I do a path extension or something on WAN2 neighbor?
You can try prepend, but that WILL NOT FORCE ALL UPSTREAM TRAFFIC TO HONOR IT; you have no control or clue on what each upstream is doing with regards to route-policy or local-preference.
In my opinion I would do the BGP on a router and not even invoke SDWAN with BGP, YMMV. Asymmetrical issues would be my biggest concern.
Ken Felix
PCNSE
NSE
StrongSwan
I have highly asymmetrical connections to two different ISPs using BGP with prepends and it works great. No need to buy an extra router when the FortiGate can handle it. I agree about not using SDWAN in this scenario.
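As an added illustration of the AS-path prepend approach discussed in the two replies above (not configuration from either poster), here is what a FortiOS route-map applied outbound on the WAN2 neighbor looks like. The AS numbers (65000 for the local AS, 64501 and 64502 for the two ISPs), the neighbor addresses and the advertised prefix are placeholders and must be replaced with the real values; the prepend count of three is an arbitrary choice. Only the WAN2 neighbor gets the route-map, so the prefix is announced with a longer AS path there and remote networks that honor path length will prefer the WAN1 side.

```fortios
# Route-map that prepends the local AS three times on outbound advertisements.
# Placeholder AS numbers; adjust to your own ASN.
config router route-map
    edit "prepend-wan2"
        config rule
            edit 1
                set set-aspath "65000 65000 65000"
            next
        end
    next
end

config router bgp
    set as 65000
    # Prefix to announce (placeholder).
    config network
        edit 1
            set prefix 198.51.100.0 255.255.255.0
        next
    end
    config neighbor
        # WAN1 neighbor: advertised with the plain AS path (preferred inbound).
        edit "203.0.113.1"
            set remote-as 64501
        next
        # WAN2 neighbor: advertised with the prepended AS path (backup inbound).
        edit "203.0.113.9"
            set remote-as 64502
            set route-map-out "prepend-wan2"
        next
    end
end
```

After applying it, `get router info bgp neighbors 203.0.113.9 advertised-routes` shows the longer path on the WAN2 session. As Ken notes above, an upstream may still override this with its own local-preference, so it is worth checking from a looking glass how the prefix is actually reached; if WAN2 is preferred anyway, asymmetric flows (out via WAN1, back via WAN2) will appear in the session table and will need to be accounted for in the firewall policy and VPN design.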