nielsvangestel
New Contributor

Fortinet SD Wan with MPLS Network with private firewall

Hello,

This is my first time on this forum and I have a very specific question. As a new vendor for Fortinet but a long-time vendor of MPLS solutions, I have a question about the SD-WAN functionality in the FortiGate.

Our current setup is an MPLS solution that is installed with the customer's own private firewall, managed by their mother company or their current IT partner.

Because we only want to give the customer more data about network usage, export this data and make it available in our own portal, I would like to know if it is possible to place a FortiGate between the MPLS router and the customer's firewall, and that we only have the SD-WAN capacities of the FortiGate?

Apparently Nuage and Meraki have this possibility.

Thanks for all the feedback regarding this question and the help!

AlexC-FTNT
Staff

MPLS is a private connection (point to point) given through the ISP, which terminates at the MPLS router. From that router you get (hopefully) an Ethernet cable for the office connection. I don't think there's any limitation on plugging this cable into the FortiGate and configuring it as part of SDWAN. You can have even more ISP (non-MPLS) connections in this SDWAN on FortiGate.

On the other hand, if there is some routing or setup involved in your existing MPLS router (certain local subnet routed to MPLS, and all other traffic to public internet link) then you need to know this setup, and apply it in the FortiGate.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
nielsvangestel

Hello Alex,

The configuration info we can easily acquire, because we provide the MPLS with the ISP of the customer.

So we would be able to disable firewall features on the FortiGate and only use the SD-WAN functionality, so that the customer can keep his own private firewall like WatchGuard or another vendor?

AlexC-FTNT

Absolutely.
The SDWAN is only handling the routing. The firewall capabilities are controlled through firewall policies, and can all be disabled (set utm-status disable). In addition to that, there are some routing-related firewall checks which should not be disabled, for example asymmetric routing or RPF (https://community.fortinet.com/t5/FortiGate/Technical-Note-Reverse-Path-Forwarding-RPF-implementatio...). In some cases (when NAT is used), the session helpers may also need to be disabled.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
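The pass-through setup described in the reply above, sketched as a FortiOS configuration. This is an added example, not part of the original posts and not Fortinet's own configuration. It assumes FortiOS 6.4 or later syntax (`config system sdwan`); the port names, policy name and gateway address are constructed placeholders, and the traffic logging setting is an assumption added for the reporting goal in the question.

```fortios
# Added example. port1, port2, the policy name and 192.0.2.1 are constructed placeholders.

config system sdwan
    set status enable
    config members
        edit 1
            # Assumed: port1 faces the MPLS router
            set interface "port1"
            # Assumed: MPLS router address (documentation range)
            set gateway 192.0.2.1
        next
    end
end

config firewall policy
    edit 1
        set name "lan-to-mpls-passthrough"
        # Assumed: port2 faces the customer's own firewall
        set srcintf "port2"
        # Default SD-WAN zone
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # No security profiles on this policy; inspection stays on the customer's firewall
        set utm-status disable
        set nat disable
        # Assumption: log every session so usage data exists for reporting
        set logtraffic all
    next
end

config system settings
    # Keep the asymmetric routing / RPF check active
    set asymroute disable
end
```

Sessions initiated from the MPLS side need a matching policy in the opposite direction, since the FortiGate still evaluates policies per initiating direction even with UTM disabled.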
Toshi_Esumi
Esteemed Contributor III

The biggest question is how the customer's internet path comes in this picture. Split at their FW and not to come toward FGT->MPLS direction? Then what's the purpose of FGT SD-WAN? Are there multiple MPLS circuits into this location?

Toshi

nielsvangestel

Hello,

The solution that we want to set up is that we make reporting available for our customer regarding bandwidth etc. because of the SD-WAN solution.

We cannot have reporting from the MPLS, and we don't have the firewall of the customer and have that data.

So I want to provide a solution where we set an extra box between the router and firewall.

The setup is with all mono sites MPLS on a customer's location.

Toshi_Esumi
Esteemed Contributor III

I don't know if you can get all you want via the inserted FGT. But to me it's quite an expensive solution to get just the report.

Toshi

nielsvangestel

What data is available through the SD-WAN functionality?

Toshi_Esumi
Esteemed Contributor III

That needs to be answered by somebody from FTNT, or who actually uses it for SD-WAN reporting. We don't. You probably need FortiAnalyzer or FortiAnalyzer Cloud.
