Support Forum
ChrisM589
New Contributor

HA WAN Design.

Hi Folks,
Our current WAN backup line isn't working. It passes traffic fine, but we need to implement BGP. I am thinking of gutting it and starting from scratch.

 

We have two FortiGates in an HA A/P config. At the moment it just uses static routing; see below. This works OK, but we need to implement BGP on the external switches for route advertisement for inbound traffic (static with our ISP at the moment).
However, we have a further issue. We are migrating to AWS. The AWS tunnel keys off our WAN1 (FortiGate 123.123.123.2) address. Therefore, if we get a scenario where WAN2 has to take over traffic, our VPN tunnel to AWS will drop.

[Attachment: Capture2.PNG]

I am thinking of replacing the entire setup with the below, so removing WAN2 (as its IP would never connect to the AWS tunnel). Does this design make sense? Using HSRP between the two external switches, the FortiGate would have a static external route to the HSRP address and the external L3 switches would handle the BGP (our ISP will only add these to the BGP neighbours; I was originally hoping we could do it from the FortiGates, but no).

[Attachment: Capture.PNG]

Feel free to offer constructive criticism, opinions, whether it will work, etc.

 

Chris.
Toshi_Esumi
SuperUser

The entire arrangement is not clear to me.
- Is it only one ISP providing redundant connections, or two different ISPs?
- Are the ISP IPs xxx.xxx.xxx.xxx different on both sides, and are they inside the 123.123.123.0/24 subnet, or "321.321.321.321/30" (which is illegal), or in completely separate subnets?
- Are those /24 and /30 your own IPs with your public ASN or from the ISP(s)?

Toshi

ChrisM589

Hi Toshi,

Just answering your queries: it's a single ISP providing two connections, one for backup.
Yes, the ISP IPs are different and are in different subnets; I am using the 321-type number just as an example.
The /24 addresses are our entire public range, which needs to be accessible for our websites etc., provided by our ISP. The /30 is a later creation which is inherited from former engineers.

 

Any feedback welcome.

regards,

Chris.

Toshi_Esumi

So basically you're advertising a /24 and a /30, both from the same ISP, to one single BGP neighbor on the ISP side, since the backup is just a backup, which would become active only when the primary goes down.

Then why do you need to terminate the L3 at two separate switches? I would make them L2 switches, pass the L2 connection to both HA'ed FGTs and terminate the ISP IP xxx.xxx.xxx.xxx there. Then you can advertise both the /24 and the /30 from the FGT.

Toshi

GauravPandya
New Contributor III

If you are planning to redesign your WAN, then I would suggest using the SD-WAN feature in this scenario to reduce complexity and get a better result. Create an SD-WAN zone, add both your ISPs and just do static routing. This would reduce your BGP headache and complexity.

ChrisM589

Hi Gaurav,
Yes, I am considering SD-WAN, but I have a concern. We have an AWS VPN tunnel which uses the IP of the primary interface. With traffic potentially coming from the second interface, could we have issues?

BGP is something that our ISP wants; it will help send traffic in the correct direction during an outage.

Chris.

GauravPandya

Hi Chris,

You can specify VPN and other traffic to a certain WAN interface with SD-WAN rules, so I don't think there is any concern with the AWS VPN traffic.

If your ISP is forcing you to use BGP, then it would be a little bit complex. You can refer to the thread below.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-BGP-and-SD-WAN-for-advertising-...
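As an added illustration of the steering Gaurav describes (this is my own example, not configuration from this thread or from Fortinet), the FortiOS 7.x CLI below binds the AWS tunnel to wan1, puts wan1, wan2 and the tunnel into SD-WAN, and pins only VPC-bound traffic to the tunnel. Everything except the 123.123.123.x addresses from Chris's diagram is a placeholder I made up: 203.0.113.10 for the AWS VPN endpoint, 198.51.100.1 for the backup link's gateway, 10.50.0.0/16 for the VPC CIDR, 10.10.0.0/16 for the local LAN, and the object and zone names.

```fortios
# Added example, not from this thread or from Fortinet. Assumes FortiOS 7.0+
# syntax (sdwan-zone on static routes). All non-123.123.123.x values are
# placeholders.

config firewall address
    edit "AWS-VPC"
        set subnet 10.50.0.0 255.255.0.0
    next
    edit "LAN"
        set subnet 10.10.0.0 255.255.0.0
    next
end

# The tunnel is bound to wan1, so IKE always sources from wan1's public
# address (123.123.123.2 in the diagram). SD-WAN cannot move the tunnel to
# wan2; it only decides which member carries a given flow.
config vpn ipsec phase1-interface
    edit "AWS-tun1"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set dpd on-idle
        set psksecret "REPLACE_WITH_AWS_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "AWS-tun1-p2"
        set phase1name "AWS-tun1"
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 10.50.0.0 255.255.0.0
    next
end

# Two zones: the ISP links share the default zone, the tunnel gets its own,
# so firewall policies can name the tunnel path separately.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "AWS-zone"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 123.123.123.1
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
        edit 3
            set interface "AWS-tun1"
            set zone "AWS-zone"
        next
    end
    config service
        # VPC traffic may only use the tunnel. If the tunnel is down the rule
        # is skipped, so the policy below (not a LAN -> virtual-wan-link
        # policy) must be the only one that allows the VPC destination.
        edit 1
            set name "AWS-via-tunnel"
            set mode manual
            set src "LAN"
            set dst "AWS-VPC"
            set priority-members 3
        next
        # Everything else prefers wan1 and fails over to wan2.
        edit 2
            set name "Internet"
            set mode manual
            set dst "all"
            set priority-members 1 2
        next
    end
end

# VPC route via the tunnel zone, plus a high-distance blackhole so plain
# routing never sends VPC addresses down the default route if the tunnel
# route is withdrawn.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
    edit 10
        set dst 10.50.0.0 255.255.0.0
        set sdwan-zone "AWS-zone"
    next
    edit 11
        set dst 10.50.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end

# Only the tunnel zone is allowed to carry VPC traffic.
config firewall policy
    edit 10
        set name "LAN-to-AWS"
        set srcintf "lan"
        set dstintf "AWS-zone"
        set srcaddr "LAN"
        set dstaddr "AWS-VPC"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The design point is the separation of the two concerns Chris raised: the tunnel's source address is fixed by `set interface "wan1"` and is untouched by SD-WAN, while the SD-WAN rule and the zone-scoped policy together decide that VPC traffic never leaves through wan2 in the clear. Verify with `diagnose sys sdwan service` that rule 1 lists only member 3, and with `get router info routing-table all` that 10.50.0.0/16 resolves to the tunnel while it is up and to the blackhole when it is not.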

 

vasilisgogos
New Contributor III

Hi,

Since there is only one ISP, you don't have redundancy.

You can use the /30 subnet as P2P with your ISP and advertise the /24 through it directly from the Fortigate.

If you are using BGP for other connections (like VPN with other sites), you can create an ADOM only for BGP advertisement with your ISP.

I suggest changing your Switches to L2 instead of L3.

 

Vasilis

Senior Network Security Engineer
ChrisM589

Hi Vasilis,
In the UK we can order a circuit from one provider (Openreach) known as an RO2. It's guaranteed that the two connections do not use the same exchange anywhere.

So for using the /30 connection, you are suggesting we run BGP on the FortiGates too? (We currently don't; it's just static.)

Chris.

vasilisgogos

Hi

From your design, it seems that there is only one link with the provider since you are using the same VLAN on both ISPs (VLAN 100).

 

If the provider has separate paths, then you can configure 2 BGP neighborships with your provider.

Then you can configure SD-WAN with the two links to avoid asymmetric routing. 

You can affect the path selection by adding additional AS PATHS to the advertisement to your provider (if load balancing is not supported from your provider).

Since the /24 subnet cannot be used to form a BGP neighborship (P2P subnet), and you already have a /30 subnet for your second link, ask for another /30 subnet for your primary link and build two BGP connections.

In my view, the FortiGates should have the BGP setup to manage the advertisements with ease (route-map out).

Vasilis

Senior Network Security Engineer
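As an added example of the setup Vasilis outlines (two /30 BGP sessions to the one ISP, with a route-map out that prepends on the backup so the ISP prefers the primary), the FortiOS 7.x CLI below is my own illustration, not configuration from the thread or from Fortinet. The only value taken from the thread is the 123.123.123.0/24 public range; the ASNs 65001 (ours) and 64500 (ISP), the /30s 198.51.100.0/30 (primary, FGT .2 / ISP .1) and 203.0.113.0/30 (backup), and the list and map names are placeholders.

```fortios
# Added example, not from this thread or from Fortinet. Assumes FortiOS 7.x.
# Placeholders: our ASN 65001, ISP ASN 64500, primary /30 198.51.100.0/30,
# backup /30 203.0.113.0/30. Only 123.123.123.0/24 comes from the thread.

# Outbound guard: only the prefix we own is ever announced, so a default or
# internal route can never leak to the ISP through either session.
config router prefix-list
    edit "OUR-PUBLIC"
        config rule
            edit 1
                set prefix 123.123.123.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    # Inbound guard: accept nothing but a default route from the ISP.
    edit "DEFAULT-ONLY"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

config router route-map
    # Primary session: announce the /24 unchanged.
    edit "TO-ISP-PRIMARY"
        config rule
            edit 1
                set match-ip-address "OUR-PUBLIC"
            next
        end
    next
    # Backup session: same /24 with our ASN prepended three times, so the
    # ISP keeps preferring the primary path until it is withdrawn.
    edit "TO-ISP-BACKUP"
        config rule
            edit 1
                set match-ip-address "OUR-PUBLIC"
                set set-aspath "65001 65001 65001"
            next
        end
    next
end

# Anchor for the aggregate: if the /24 is no longer a connected subnet once
# the links move to /30s, this blackhole keeps a matching route in the RIB
# so the network statement is announced; more-specific routes to real hosts
# still win over it.
config router static
    edit 20
        set dst 123.123.123.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

config router bgp
    set as 65001
    set router-id 198.51.100.2
    # Sessions run on the HA primary; graceful restart lets the ISP keep
    # forwarding to the /24 while the secondary re-establishes after failover.
    set graceful-restart enable
    config neighbor
        edit "198.51.100.1"
            set remote-as 64500
            set prefix-list-in "DEFAULT-ONLY"
            set route-map-out "TO-ISP-PRIMARY"
            set password "REPLACE_WITH_SESSION_SECRET"
        next
        edit "203.0.113.1"
            set remote-as 64500
            set prefix-list-in "DEFAULT-ONLY"
            set route-map-out "TO-ISP-BACKUP"
            set password "REPLACE_WITH_SESSION_SECRET"
        next
    end
    config network
        edit 1
            set prefix 123.123.123.0 255.255.255.0
        next
    end
end
```

Both sessions share the same inbound and outbound guards; only the outbound map differs. Check the announced path with `get router info bgp neighbors 203.0.113.1 advertised-routes` (the AS path should read `65001 65001 65001 65001` on the backup and `65001` on the primary) and confirm with `get router info bgp summary` that each neighbor has accepted exactly one prefix after the ISP's default route arrives.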