Greetings. Here is my situation, and I would like some suggestions.
We have 2 branch offices.
Branch office 1 has a FortiGate 100F, and 2 internet connections, different ISPs (WAN1 and WAN2 respectively). Branch office 2 also has a FortiGate 100F, but only ONE internet connection (WAN1).
I would like to accomplish the following:
1. Branch 1 failover internet connection - when WAN1 goes down, traffic is pushed over to WAN2. When WAN1 is restored, traffic jumps back over to WAN1. Essentially make WAN2 a backup connection...only activated if WAN1 fails.
2. Site-to-site VPN connection between the 2 sites, but with redundancy. So, if 1 of the 2 internet connections goes down at branch office 1, the site-to-site VPN will not be disrupted.
What is the best way to accomplish this? SD-WAN..priorities....CLI magic?
I greatly appreciate your response. Do I need to be on a certain version of FortiOS to see those options? I am on 6.0.9. Have been a little wary about upgrading to the 6.2.x series as I heard it's been plagued with issues.
So, when I go to enable the SD-WAN interface and add members, I should add WAN1, WAN2, and then both VPN tunnels all at the same time? So...4 members total?....I apologize for my ignorance and greatly appreciate your continued assistance.
I would say this is achievable even without SD-WAN. You can use a routing protocol to manipulate the traffic. You will have to create the below IPSEC tunnels:
FG01_WAN01 <-> FG02_WAN01
FG01_WAN02 <-> FG02_WAN01
Use a dynamic protocol like BGP over the IPSEC tunnels. Then you can manipulate BGP routes using attributes such as local preference or AS-PATH prepending.
You can also use SD-WAN. In which case, in branch office one you will have 2 IPSEC interface members in the SD-WAN interface. You can create SD-WAN policies to prefer one tunnel over the other. In this case, you could use either a dynamic routing protocol or static routes.
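A sketch of the BGP-over-two-tunnels option from this answer, as an added example that is not from the thread or from Fortinet's documentation, written as FortiOS CLI for the branch 1 FortiGate. It assumes the two IPsec tunnels already exist as interfaces VPN_WAN1 (bound to wan1) and VPN_WAN2 (bound to wan2), and the tunnel addresses, AS numbers and LAN prefix are constructed placeholders.

```fortios
# Branch 1 (FG01) is AS 65001; branch 2 (FG02) is AS 65002.
# Tunnel point-to-point addressing (assumed): VPN_WAN1 10.255.1.1 <-> 10.255.1.2,
# VPN_WAN2 10.255.2.1 <-> 10.255.2.2. All values are constructed for illustration.
config router route-map
    # Routes learned over the WAN1 tunnel get a higher local preference, so
    # FG01 sends traffic to branch 2 via WAN1 while that BGP session is up.
    edit "RM_IN_PREFER_WAN1"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
    # Prepend our AS twice on what we advertise over the WAN2 tunnel, so FG02
    # sees a longer path there and returns traffic via the WAN1 tunnel.
    edit "RM_OUT_PREPEND_WAN2"
        config rule
            edit 1
                set set-aspath "65001 65001"
            next
        end
    next
end
config router bgp
    set as 65001
    set router-id 10.255.1.1
    # Shorter timers so a dead tunnel is withdrawn in seconds, not minutes
    set keepalive-timer 10
    set holdtime-timer 30
    config neighbor
        edit "10.255.1.2"
            set remote-as 65002
            set route-map-in "RM_IN_PREFER_WAN1"
        next
        edit "10.255.2.2"
            set remote-as 65002
            set route-map-out "RM_OUT_PREPEND_WAN2"
        next
    end
    # Advertise the branch 1 LAN over both sessions
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end
```

When WAN1 fails, the session to 10.255.1.2 times out, its routes are withdrawn, and the routes learned over VPN_WAN2 (default local preference 100) take over; the preference flips back on its own once the WAN1 session re-establishes. The WAN2 tunnel still needs a usable route to the remote gateway out of wan2 (for example a second default route on that interface) or IKE over WAN2 will never come up.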