Hey all,
3 branch business, maybe expanding to a 4-5 branch business in next two years.
Company might want to switch to fortigates as branch routers/firewalls, and fortiswitches for layer 2.
What would you recommend I do for a setup? Currently using Cisco site to site VPN tunnels, but if we want to expand I'm worried it's not feasible to continue site to site. Thinking of a bit of a network change when moving to fortinet hardware.
Any suggestions? Any things I should look up to make the swap easier?
Hi @murre,
For a growing environment of three to five FortiGate branches, replace individually built site-to-site tunnels with a hub-and-spoke Auto-Discovery VPN (ADVPN) plus SD-WAN. Deploy a single dial-up IPsec template on an HQ hub, let each branch auto-register as a spoke, and allow the hub to trigger on-demand shortcut tunnels between spokes for mesh-like performance. Dynamic routing (OSPF/BGP) then advertises every LAN while SD-WAN steers traffic over the best WAN link with sub-second fail-over. That way you keep just one VPN definition per branch, add new sites in minutes, and still achieve direct branch-to-branch connectivity when needed.
See the table below for a basic comparison between manual IPsec and dial-up configurations:

| Feature | Manual S2S | ADVPN hub-&-spoke |
|---|---|---|
| Number of tunnels | N × (N-1) / 2 → 10-15 tunnels at 5 sites. | Always spokes = number of branches (e.g. 5) plus automatic shortcuts. |
| Add a new branch | Create tunnels to every site by hand. | Add one “dial-up” VPN definition on the hub; branch self-registers. |
| Performance branch-to-branch | Traffic hair-pins through HQ unless you build full mesh. | Hub instructs spokes to stand up a direct tunnel on demand. |
| Fail-over multiple WAN links | Have to script it or run two tunnels per peer. | Built-in with SD-WAN + SLA. |
| Management | Each change touches every firewall. | All controlled from the hub (or FortiManager). |
The ADVPN “shortcut” magic works only when both hub and spokes are FortiGate. If your spokes are Cisco (DMVPN, FlexVPN, standard IKEv2), they can still build ordinary route-based tunnels to the FortiGate hub, but they will always hair-pin through the hub; no on-demand spoke-to-spoke tunnels will form.
BR.
If my answer provided a solution for you, please mark the reply as the solution so that others can find it easily while searching for similar scenarios.
CCIE #68781
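To make the hub-and-spoke ADVPN design in the answer above concrete, here is an added example FortiOS CLI configuration (it is not part of the original answer and not taken from Fortinet documentation). It shows the hub's single dial-up phase1 with `auto-discovery-sender`, one spoke with `auto-discovery-receiver`, iBGP over the overlay so every LAN is advertised without per-spoke routes, and the tunnel-to-tunnel policy on the hub that lets spoke-to-spoke traffic flow (and lets the hub signal shortcuts). All names and addresses are constructed: `advpn-hub`/`advpn-spoke` as tunnel names, `port1` as the WAN interface, 203.0.113.1 as the hub's public address, 10.10.10.0/24 as the overlay, AS 65000, and 192.168.0.0/24 and 192.168.1.0/24 as the HQ and branch LANs. SD-WAN steering is left out to keep the example focused on the VPN and routing pieces.

```fortios
# ===== HUB (HQ) ===== constructed example, not production values
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic                  # one dial-up definition accepts every spoke
        set interface "port1"             # assumed WAN interface
        set ike-version 2
        set peertype any
        set net-device disable            # single tunnel interface for all spokes
        set proposal aes256-sha256
        set add-route disable             # routes come from BGP, not from IPsec
        set dpd on-idle
        set auto-discovery-sender enable  # hub offers shortcuts between spokes
        set psksecret <PLACEHOLDER-PSK>   # placeholder; prefer certificate auth
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"
        set proposal aes256-sha256
    next
end
config system interface
    edit "advpn-hub"
        set ip 10.10.10.1 255.255.255.255        # hub overlay address
        set remote-ip 10.10.10.254 255.255.255.0 # overlay subnet for spokes
    next
end
config router bgp
    set as 65000
    config neighbor-group
        edit "spokes"
            set remote-as 65000
            set route-reflector-client enable    # reflect LAN prefixes spoke<->spoke
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0  # any spoke in the overlay may peer
            set neighbor-group "spokes"
        next
    end
    config network
        edit 1
            set prefix 192.168.0.0 255.255.255.0 # HQ LAN
        next
    end
end
config firewall policy
    edit 0
        set name "spoke-to-spoke-via-hub"
        set srcintf "advpn-hub"
        set dstintf "advpn-hub"           # tunnel-to-tunnel: needed for shortcuts
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== SPOKE (branch 1) ===== constructed example, not production values
config vpn ipsec phase1-interface
    edit "advpn-spoke"
        set interface "port1"             # assumed WAN interface
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable   # accept shortcut offers from the hub
        set remote-gw 203.0.113.1            # assumed hub public address
        set psksecret <PLACEHOLDER-PSK>      # placeholder; must match the hub
    next
end
config vpn ipsec phase2-interface
    edit "advpn-spoke"
        set phase1name "advpn-spoke"
        set proposal aes256-sha256
    next
end
config system interface
    edit "advpn-spoke"
        set ip 10.10.10.2 255.255.255.255    # this spoke's overlay address
        set remote-ip 10.10.10.1 255.255.255.0
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "10.10.10.1"                    # peer only with the hub
            set remote-as 65000
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0 # branch LAN
        next
    end
end
```

Adding a second branch is then only a copy of the spoke section with its own overlay address and LAN prefix; the hub needs no change, which is the operational point of the table above. Because the dial-up hub accepts any peer with the shared secret, a practitioner would normally replace the PSK with certificate authentication (or at least set `peertype` to a peer ID) so that a leaked key from one branch cannot be used to register a rogue spoke, and would restrict the tunnel-to-tunnel policy to the branch LAN address objects rather than `all`.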
Copyright 2025 Fortinet, Inc. All Rights Reserved.