Dear all
We have a Fortigate VM in Azure (6.4.10) which is supposed to have about six (6) IPSec tunnels to ZScaler.
The reason for that many tunnels: Each tunnel is supposed to only offer 400 Mbit/s (we tested 1 Gbit/s, but its still not enough).
This is why I wanted to configure six (or so) IPSec-Tunnels, then put them in one SD-WAN zone, use a single performance SLA and then use a SD-WAN Rule to ZScaler Entry Point (eg. 111.211.222.233) with "Maximize Bandwith". The hope was it will use all the IPSec tunnels.
However, I am failing at the routing (static route).
When configuring a single static route to 111.211.222.233 using one single tunnel, I can see the routing entry in the routing table - and it works.
However, using the SD WAN zone as interface in the static route results in NO entry in the routing table. None, whats'o'ever.
As far as I understand this is because my IPSec tunnels to ZScaler don't have any IP addresses allocated in the "system interface" part (no local ip or remote ip). According to my information ZScaler does not provide that.
Am I the only one failing at this part? Is there no solution for connecting the Azure clients via Fortigate VM to ZScaler IPSec and SDWAN?
Thanks for your help
Best regards
Stefan
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
It is some time since I was dealing with SDWAN and Zscaler. But you shouldn't need to configure overlay IP address as gateway. You can, configure dummy IP address as here:
I would verify that the health-check is not removing all routes from routing-table because health-check is down. I would verify if I can see routes in routing database:
get router info routing-table database
Hello,
It is some time since I was dealing with SDWAN and Zscaler. But you shouldn't need to configure overlay IP address as gateway. You can, configure dummy IP address as here:
I would verify that the health-check is not removing all routes from routing-table because health-check is down. I would verify if I can see routes in routing database:
get router info routing-table database
Good day Adrian
Thank you SO much for your reply.
I didn't add the underlay (internet connection) as SDWAN zone. I first tried to just add the IPsec tunnels to a SD-WAN Zone and gave them (in the SD-WAN-Zone as members) a fake/dummy IP address.
And that did it. After that the routing entries were there and the performance SLA for ALL the IPSec tunnels worked.
I understand that the underlay (internet connection) might at some point or with other features be necessary (we have internet as seperat SD-WAN Zone for branches), but in this particular instance it seems not necessary at the moment.
Again thanks a lot, much appreciated
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.