IPSec tunnels from Azure Fortigate VM to ZScaler and SD-WAN
We have a Fortigate VM in Azure (6.4.10) which is supposed to have about six (6) IPSec tunnels to ZScaler.
The reason for that many tunnels: Each tunnel is supposed to only offer 400 Mbit/s (we tested 1 Gbit/s, but it's still not enough).
This is why I wanted to configure six (or so) IPSec tunnels, then put them in one SD-WAN zone, use a single performance SLA and then use an SD-WAN rule to the ZScaler entry point (e.g. 188.8.131.52) with "Maximize Bandwidth". The hope was that it would use all the IPSec tunnels.
However, I am failing at the routing (static route).
When configuring a single static route to 184.108.40.206 using a single tunnel, I can see the routing entry in the routing table - and it works.
However, using the SD-WAN zone as the interface in the static route results in NO entry in the routing table. None whatsoever.
As far as I understand this is because my IPSec tunnels to ZScaler don't have any IP addresses allocated in the "system interface" part (no local IP or remote IP). According to my information ZScaler does not provide that.
Am I the only one failing at this part? Is there no solution for connecting the Azure clients via Fortigate VM to ZScaler IPSec and SDWAN?
I didn't add the underlay (internet connection) as an SD-WAN zone. I first tried to just add the IPsec tunnels to an SD-WAN zone and gave them (in the SD-WAN zone, as members) a fake/dummy IP address.
And that did it. After that the routing entries were there and the performance SLA for ALL the IPSec tunnels worked.
I understand that the underlay (internet connection) might at some point or with other features be necessary (we have internet as a separate SD-WAN zone for branches), but in this particular instance it seems not necessary at the moment.
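The set-up the follow-up above describes, written out as an added FortiOS 6.4 CLI example. This is not the poster's configuration and not Fortinet documentation; it is one way to express "six IPsec members in one zone, one performance SLA, one Maximize Bandwidth rule, one static route, dummy gateways on the members". Everything named here is an assumption: the phase1 interfaces `zs_tun1`..`zs_tun6`, the address objects `zscaler-vip` and `azure-clients`, the client subnet `10.10.0.0/16`, the link-local `169.254.1.x` addresses used purely as placeholder gateways, the route sequence number, and the use of the entry point IP from the question as the SLA ping target (Zscaler publishes its own probe targets; use those in practice). The `#` lines are comments for the reader and must be dropped if pasted into an interactive CLI session.

```fortios
# Added example, not the original poster's config. Names/addresses are assumptions.

# Address objects referenced by the SD-WAN rule and the static route.
config firewall address
    edit "zscaler-vip"
        set subnet 188.8.131.52 255.255.255.255
    next
    edit "azure-clients"
        set subnet 10.10.0.0 255.255.0.0
    next
end

config system sdwan
    set status enable
    config zone
        edit "zscaler"
        next
    end
    # Each IPsec member gets a placeholder gateway. The tunnel itself has no
    # local/remote IP; the gateway only exists so the member can carry a route.
    config members
        edit 1
            set interface "zs_tun1"
            set zone "zscaler"
            set gateway 169.254.1.1
        next
        edit 2
            set interface "zs_tun2"
            set zone "zscaler"
            set gateway 169.254.1.2
        next
        edit 3
            set interface "zs_tun3"
            set zone "zscaler"
            set gateway 169.254.1.3
        next
        edit 4
            set interface "zs_tun4"
            set zone "zscaler"
            set gateway 169.254.1.4
        next
        edit 5
            set interface "zs_tun5"
            set zone "zscaler"
            set gateway 169.254.1.5
        next
        edit 6
            set interface "zs_tun6"
            set zone "zscaler"
            set gateway 169.254.1.6
        next
    end
    # One performance SLA probing through all six members.
    config health-check
        edit "zscaler-sla"
            set server "188.8.131.52"
            set protocol ping
            set interval 1000
            set failtime 5
            set recoverytime 5
            set members 1 2 3 4 5 6
            config sla
                edit 1
                    set link-cost-factor latency packet-loss
                    set latency-threshold 100
                    set packetloss-threshold 2
                next
            end
        next
    end
    # "Maximize Bandwidth (SLA)" in the GUI: load-balance across members in SLA.
    config service
        edit 1
            set name "azure-to-zscaler"
            set mode load-balance
            set src "azure-clients"
            set dst "zscaler-vip"
            config sla
                edit "zscaler-sla"
                    set id 1
                next
            end
            set priority-members 1 2 3 4 5 6
        next
    end
end

# Static route for the Zscaler entry point via SD-WAN. In 6.4 the route is
# tied to SD-WAN as a whole; 7.0 and later use "set sdwan-zone" instead.
config router static
    edit 10
        set dst 188.8.131.52 255.255.255.255
        set sdwan enable
    next
end
```

Two things to check after applying something like this. First, `get router info routing-table all` should now show a route for the Zscaler destination with one entry per member; before the gateways were set there was nothing to install, which matches the symptom in the question. Second, keep both the static route and the SD-WAN rule scoped to the Zscaler destinations only: if the internet underlay is later added as an SD-WAN member, a broader route or a rule without an SLA condition could steer traffic meant for the tunnels out the underlay in the clear.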