Hello,
I'm in the final choice for a SD-WAN solution, and Fortinet seems very interesting. But i have only a few demo and commercial inputs.
I have a classic network with a HQ Datacenter, and a lot of remote sites, all connected with MPLS, no NAT and dynamic OSPF routing (manage by a Cisco L3 switch , and MPLS Link pass through an ASA Firewall).
I want to add bandwidth in remote site with a second MPLS Link and a Internet Link for a total of 3 Wan Links.
So could i have some real experience of SD-WAN architecture that can answer theses questions :
- i will have 1 MPLS 10MB + 1 MPLS 4MB + 1 INTERNET 10MB ; can i put all 3 in one SD-WAN interface, and manage routing/priority with rules likes application / dst IP or TCP Port ? Exemple the main https application pass thru the 10MB MPLS wan interface ?
- i have to create a VPN Tunnel on the Internet Wan Interface to the HQ ?
- Can the remote network behind the Fortinet (and SD-WAN) can be announce with OSPF ?
- There is a central web interface to manage all the Fortinet ?
Maybe some basic questions, but there is a lot of solution now and hard to make a choice ...
Thank's
- i will have 1 MPLS 10MB + 1 MPLS 4MB + 1 INTERNET 10MB ; can i put all 3 in one SD-WAN interface, and manage routing/priority with rules likes application / dst IP or TCP Port ? Exemple the main https application pass thru the 10MB MPLS wan interface ?
No , that's not how it work, you Could apply MPLS10/4 and load-share and balance the traffic over those two links and the virtual-wan. Remember when you use SD-WAN the individual links are not configurable in a policy
- i have to create a VPN Tunnel on the Internet Wan Interface to the HQ ?
That should be doable in FortiOS and with SD-WAN interface
- Can the remote network behind the Fortinet (and SD-WAN) can be announce with OSPF ?
Not following you, but BGP is support in the new SD-WAN .Never seen it deployed fwiw
- There is a central web interface to manage all the Fortinet ?
Not following you, but are you asking about a fortimanager ?
PCNSE
NSE
StrongSwan
Adding some of my cheese:
- OSPF:
why do you think you can NOT publish the network behind the FGT on OSPF? Isn't that what dynamic routing protocols are there for? I don't have one running but I assume yes, that's the way it works. Have a quick look at the Handbook, Advanced Routing.
- VPN:
if you create a SD-WAN (lb) interface the VPN would be a sub-interface to it. You cannot use the individual ports which make up a SD-WAN port, as mentioned.
Will be funny if the external IP address changes. Dial-out VPN is OK with this but site-to-site??
- central mgmt:
no, each FGT/cluster is managed by it's own web GUI/ssh CLI. For logging and reporting, use a FortiAnalyzer. For handling configurations, templates, firmware bulk upgrades, there is the FortiManager. I personally don't like it but have a look yourself (demo VM running for 14 days for free).
I've recently seen a network of FGTs where each FGT was managed on it's loopback interface. All those addresses came from a 'supernet' comprising all FGTs. Nice touch as they will be accessible over any interface (if allowed).
Thank's for you informations. I read a lot and i can see that the Fortinet OS has a lot of possibilities. Not sure that SDWAN is the only option, i can make what i want with multiple WAN access and rules. But the idea of the SDWAN is to deploy a remote site faster with template
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.