I am currently in the process of evaluating FortiGate firewalls to be deployed at customer locations. The plan is to use an IPsec tunnel between the FortiGate and a VPN gateway (Cisco or FortiGate) located in the data center. The plan is to share the same VPN gateway (pair, to be precise) for multiple customers. On the Cisco platform I am used to using VRFs, which allow the data traffic from customers to be separated. One of the options I will be considering is the "VRF Aware IPSec" feature available on Cisco routers. Is something similar possible with the FortiGate firewalls?
Should add that I don't want to use VDOMs, as the plan is to keep the tunnel endpoint IP address the same for all the FortiGate firewalls that are deployed.
We use VDOMs for that purpose. If you don't, your customers share the same routing domain at the termination point of the VPN, which defeats the purpose of having a separate MPLS (VRF) network per customer on the Cisco side.
I played with it, but not with tunnels. I would not see any reason why it would not work, fwiw. So VDOMs would be cost prohibitive in that you have hard-set limits for the appliance and then the license add-on cost $$$$; VRFs could be stretched up to 32, and then you deal with it by adding more FortiGates and more IPs and go at it.
The other issue, which is more pressing (imho), is how much IPsec traffic and performance degradation you get for up to 32x IPsec tunnels (i.e. are you using a mid-range or entry-level FortiGate, what's the total IPsec traffic in bps that is expected, etc.).
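As an added illustration (not posted by anyone in this thread and not Fortinet's own documentation) of the VRF-based layout discussed above: the shared WAN interface stays in VRF 0 and is the single IKE endpoint for every customer, while each customer's IPsec tunnel interface is placed in its own VRF with `set vrf`, so overlapping customer prefixes can coexist without VDOMs. Customer names, VRF IDs, addresses and the pre-shared keys are made-up placeholders; firewall policies, which are still required for traffic to flow, are omitted. Whether `set vrf` is accepted on IPsec tunnel interfaces, and the maximum VRF ID (0-31 in the releases the thread's "32" refers to, larger in newer ones), depend on the FortiOS version, so check the release notes for your build before relying on this.

```fortios
# Added example, not from the thread. Assumes a FortiOS release that accepts
# "set vrf" on IPsec tunnel interfaces. All names, IDs and addresses are placeholders.

# Phase 1: both customers terminate on the same wan1 address (VRF 0, the "front" VRF).
config vpn ipsec phase1-interface
    edit "cust-a"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.10
        set psksecret "PLACEHOLDER-PSK-A"
    next
    edit "cust-b"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.20
        set psksecret "PLACEHOLDER-PSK-B"
    next
end

config vpn ipsec phase2-interface
    edit "cust-a"
        set phase1name "cust-a"
        set proposal aes256-sha256
        set dhgrp 14
    next
    edit "cust-b"
        set phase1name "cust-b"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Each tunnel interface goes into its own VRF (the "inside" VRF per customer).
config system interface
    edit "cust-a"
        set vrf 1
        set ip 10.255.1.1 255.255.255.255
        set remote-ip 10.255.1.2 255.255.255.255
    next
    edit "cust-b"
        set vrf 2
        set ip 10.255.2.1 255.255.255.255
        set remote-ip 10.255.2.2 255.255.255.255
    next
end

# Static routes inherit the VRF of their egress device, so the same
# customer prefix can be routed separately for each customer.
config router static
    edit 1
        set dst 10.1.0.0 255.255.0.0
        set device "cust-a"
    next
    edit 2
        set dst 10.1.0.0 255.255.0.0
        set device "cust-b"
    next
end
```

The point a practitioner should verify after applying this is the one raised in the VDOM reply above: with VRFs (unlike VDOMs) the customers still share one security context, so firewall policies must only ever pair a customer's tunnel interface with that customer's LAN-side interfaces in the same VRF, and the routing table for each VRF (`get router info routing-table all` filtered per VRF) should contain no leaked routes from another customer.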