New Contributor

Is it possible to configure VRF aware ADVPN

Hi this amazing community!

I am pretty new to the Fortinet world (basically from a Cisco background). The company advised us to look at an alternate vendor, so I am considering the Fortinet stack as a better fit for us. I know these are more like consultation questions, but I want to hear from you all based on your experience:

1. Can we configure front door VRF in ADVPN like in DMVPN? The main reason is security (separating internet and local traffic at the VRF level). My thought is we probably don't need VRF, as it's a firewall where we can enable security features on the public line, but my manager is pushing for front door VRF to separate traffic, citing security reasons.

2. Can we assign a public IP behind the FortiGate device (without NAT)? We are going to have PA for client VPN (for at least 1-2 yrs).

3. Can we assign multiple public IPs on a WAN interface? We have 2 blocks of /29 public from a provider and another /32 just for internet. From those two /29s, some services need a direct public IP (like client VPN), some other services just need a public IP directly, and some we will use for VIPs.


I appreciate any insight/recommendation/advice.





I may not have the exact responses to your questions but I hope it will help.

1. I actually don't know if ADVPN can be VRF aware, but I think doing it with a dedicated VDOM can be a satisfying solution for you.

2. I didn't try it in NAT mode (however, I guess it is doable), but it should be easily done with a transparent VDOM.

3. Certainly you can, just add as many secondary addresses to your WAN interface as you need.

New Contributor

I'm currently experimenting with this and have it working. My lab is three FWs creating an ADVPN hub-and-spoke network.

1. Enable encapsulation vpn-id-ipip under your phase1 interfaces.

2. Create a VRF and assign the CE role to it with RD and import/export statements, and assign the default VRF used for the hub and spoke to the PE role.

We back-to-back the CE/PE with a separate business (customer) FW that only knows the routes of the CE VRF.

3. You must enable "pass AS number" in the BGP config on the customer FW.



If you want to enable route leaking between the PE and CE or CE to CE, you need to do it on the PE/CE and enable VDOMs.
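
One way to check a config backup against steps 1 and 2 above, as an added example that is not part of the original posts or Fortinet's tooling: it parses nested config/edit/set blocks and reports phase1 interfaces without `encapsulation vpn-id-ipip` and CE-role VRFs with no `rd`. The sample config is constructed, and the `config router bgp` > `config vrf` layout with `role` and `rd` keys is an assumption about how those steps appear in a backup.

```python
import shlex
# Constructed sample backup; the bgp/vrf layout and role/rd keys are assumptions.
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set encapsulation vpn-id-ipip
    next
    edit "legacy-s2s"
    next
end
config router bgp
    config vrf
        edit "0"
            set role pe
        next
        edit "1"
            set role ce
        next
    end
end
'''

def parse(text):
    """Turn nested config/edit/set/next/end lines into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def audit(text):
    """Return (phase1 names lacking vpn-id-ipip, CE-role VRFs lacking an rd)."""
    cfg = parse(text)
    tunnels = cfg.get("vpn ipsec phase1-interface", {})
    no_vpn_id = sorted(n for n, t in tunnels.items()
                       if t.get("encapsulation") != "vpn-id-ipip")
    vrfs = cfg.get("router bgp", {}).get("vrf", {})
    ce_no_rd = sorted(n for n, v in vrfs.items()
                      if v.get("role") == "ce" and "rd" not in v)
    return no_vpn_id, ce_no_rd
```

Multi-line quoted values such as embedded certificates are not handled by this parser, so strip those sections before feeding it a full backup.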

New Contributor

Testing it with the 7.2.7. So far so good. 
