Support Forum
osaleem2_10
New Contributor III

FortiSDWAN with one wan internet and multi MPLS

Hi,

I have a new deployment of a FortiGate as an edge firewall. The legacy design involved the DC FW acting as both DC and edge. Now I will implement the FortiGate as the edge and do point-to-point with the DC FW.

The question is, I have:

- one Internet link, with 2 IPsec tunnels over the Internet link.

- 2 MPLS links: one to cloud servers with a Palo Alto FW, the second for my 10 Fortinet branches.

For the Internet, I will have only 1 link, and over that I will build 2 IPsec tunnels (one to be load balanced by SD-WAN with the MPLS link to my branches, the second to be a passive link with the MPLS link to my cloud service).

What is the best practice to build that topology? Should I add all three WAN interfaces under the SD-WAN zone, and with that zone create the 2 IPsec tunnels? Or should I keep the 3 WAN interfaces without an SD-WAN zone as normal WAN interfaces, as there is no load balancing except for the connection with the branches, and then create SD-WAN for the IPsec tunnels?

Kindly advise on the best practice solution.

[Attached screenshot: Screenshot 2025-09-09 005927.png]

OSALEEM2_10
1 Solution
Jean-Philippe_P
Moderator

Hello again osaleem2_10,

I found this solution. Can you tell us if it helps, please?

To design the best practice topology for your FortiGate deployment as an edge firewall, consider the following steps:

  1. SD-WAN Configuration: Add all three WAN interfaces (Internet link and two MPLS links) to the SD-WAN zone. This allows you to leverage SD-WAN features such as intelligent traffic steering, load balancing, and failover.

  2. IPsec Tunnel Setup: Create two IPsec tunnels over the Internet link:
    - One tunnel for load balancing with MPLS to your branches.
    - A second tunnel as a passive link with MPLS to your cloud service.

  3. Traffic Steering and Load Balancing:
    - Use SD-WAN rules to define how traffic should be distributed across the available links. For example, prioritize the MPLS link for branch traffic and use the Internet link as a backup.
    - Configure load balancing for the IPsec tunnel to branches, ensuring optimal use of available bandwidth.

  4. Redundancy and Failover: Ensure that your SD-WAN configuration includes failover policies to switch traffic to the passive link in case of primary link failure.

  5. Monitoring and Performance: Implement performance health checks on SD-WAN member links to monitor link quality and ensure optimal performance.

By integrating all WAN interfaces into the SD-WAN zone, you can take full advantage of FortiGate's SD-WAN capabilities, providing flexibility and resilience in your network design.

Regards,
Jean-Philippe - Fortinet Community Team

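The accepted answer lists the five steps in prose. As an added example (not from the thread, and not from Fortinet's documentation), the FortiOS 7.x CLI fragment below shows what those steps look like when applied to the topology in the question. Everything named here is an assumption: the interface names wan1, mpls-branches and mpls-cloud, the tunnel names vpn-branches and vpn-cloud, the RFC 5737/RFC 1918 addresses, the address objects lan-net, branch-nets and cloud-nets (assumed to already exist), and the SLA thresholds. wan1 is assumed to get its gateway by DHCP, and the phase2 for vpn-cloud is omitted because it is identical to the one for vpn-branches apart from phase1name. The point the prose leaves implicit is the one that matters for the zone question: the two tunnel interfaces, not wan1 itself, are the SD-WAN members that pair with the MPLS links, and wan1 sits in the default underlay zone as their parent.

```fortios
config vpn ipsec phase1-interface
    edit "vpn-branches"
        set interface "wan1"
        set ike-version 2
        set proposal aes256gcm-prfsha256
        set dhgrp 14
        set remote-gw 198.51.100.10
        set psksecret <pre-shared-key>
    next
    edit "vpn-cloud"
        set interface "wan1"
        set ike-version 2
        set proposal aes256gcm-prfsha256
        set dhgrp 14
        set remote-gw 198.51.100.20
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "vpn-branches"
        set phase1name "vpn-branches"
        set proposal aes256gcm
        set dhgrp 14
    next
end
# 2. One zone per destination; the tunnel interfaces, not wan1, pair with MPLS
config system sdwan
    set status enable
    config zone
        edit "z-branches"
        next
        edit "z-cloud"
        next
    end
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "mpls-branches"
            set zone "z-branches"
            set gateway 10.10.1.1
        next
        edit 3
            set interface "vpn-branches"
            set zone "z-branches"
        next
        edit 4
            set interface "mpls-cloud"
            set zone "z-cloud"
            set gateway 10.10.2.1
        next
        edit 5
            set interface "vpn-cloud"
            set zone "z-cloud"
        next
    end
    # 3. Health checks: the target must answer over every member listed
    config health-check
        edit "hc-dc"
            set server "10.200.0.1"
            set protocol ping
            set members 2 3
            config sla
                edit 1
                    set latency-threshold 150
                    set packetloss-threshold 2
                next
            end
        next
        edit "hc-cloud"
            set server "10.201.0.1"
            set protocol ping
            set members 4 5
        next
    end
    # 4. Branches: spread over both members meeting SLA. Cloud: MPLS first, tunnel only while hc-cloud marks MPLS dead
    config service
        edit 1
            set name "to-branches"
            set mode load-balance
            set src "lan-net"
            set dst "branch-nets"
            config sla
                edit "hc-dc"
                    set id 1
                next
            end
            set priority-members 2 3
        next
        edit 2
            set name "to-cloud"
            set mode manual
            set src "lan-net"
            set dst "cloud-nets"
            set priority-members 4 5
        next
    end
end
```

A few things a practitioner will hit that the steps above do not spell out. FortiOS refuses to add an interface to SD-WAN while a firewall policy or static route still references it directly, so migrate existing wan1/MPLS policies to the zones first; afterwards policies use dstintf "z-branches" / "z-cloud" and the branch and cloud prefixes get static routes per zone (`set sdwan-zone` under `config router static`), never per member. Each health check probe is sourced from the member it tests, so the probe target has to be reachable through that specific member and the far end needs a return route for it (assigning `set ip` / `set remote-ip` to the tunnel interfaces makes that source deterministic). The vpn-cloud phase1/phase2 proposals have to match the Palo Alto's IKE and IPsec crypto profiles exactly, since it is the one peer here that is not a FortiGate. Verify the result with `diagnose sys sdwan health-check` (per-member latency/loss and SLA state) and `diagnose sys sdwan service` (which member each rule is currently selecting).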

4 REPLIES
Jean-Philippe_P
Moderator

Hello osaleem2_10,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Regards,
Jean-Philippe - Fortinet Community Team
tokalno5
New Contributor

Fortinet's SD-WAN is not good; companies like Fortinet and Palo Alto etc. have completely ruined the term SD-WAN. Automating tunnel creation and pinging across them is not SD-WAN. You could already do that from the beginning of time. If that's all you need, sure, but to me that ain't SD-WAN.

Jean-Philippe_P
Moderator

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Regards,
Jean-Philippe - Fortinet Community Team