Hi!
I have to implement a redundant WAN link, and from my reading I think SD-WAN is mostly geared towards load balancing. I have seen a couple of videos on link monitoring and setting up a redundant WAN link. I also saw a video, or read somewhere, to create a zone instead of creating dual policies. Not sure if I recall correctly, but it would be a problem creating dual policies for WAN1 and WAN2.
Also, my plan is to have redundancy for IPsec and SSL VPN.
Can anyone guide me on how to implement a redundant link with best practices that include fewer firewall rules, i.e. not creating two rules, one for WAN1 and one for WAN2?
How can I implement IPsec and SSL VPN using the redundant link?
Thanks.
Hi,
SD-WAN is the best option for a redundant WAN connection. You need only one rule and one route as well. After adding WAN1 and WAN2 to SD-WAN, you can select the best load-balancing method.
Then in the policies only one policy needs to be created, e.g. LAN to SD-WAN.
Also, in routing, only one default route is needed for all the SD-WAN members.
Before adding the members to SD-WAN you should remove all the interface dependencies.
SSL VPN: you should select both the WAN1 and WAN2 interfaces in the SSL VPN settings.
IPsec: you should create two tunnels, one under WAN1 and one under WAN2, for the same destination.
I gave a very brief idea of each section. There are quite a few configuration steps needed to achieve this. Let us know if you need more info on each section.
Regards,
Ashik
Thanks Ashik.
SD-WAN is for load balancing, and in our case we just want to use one line until it goes down. I can think of it being set up to use both links and maximize the traffic on our primary link.
SSL VPN - you should select both WAN1 and WAN2 interfaces in the SSL settings:
How will this decide if the traffic goes via WAN1 or WAN2?
I am reading the docs and checking video links, but if you have some doc links please share.
Hi,
SD-WAN by default will give you redundancy. You can also set link load balancing, where you can select weight-based LB. If you need the primary link to take the full load, then give 90% weight to WAN1 and 10% to WAN2, or you can use spillover as well.
SSL VPN can be accessed via both links simultaneously. Better to use an FQDN for the VPN in your public DNS and assign two A records, with the WAN1 and WAN2 IPs.
Regards,
Ashik
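The two replies from Ashik above describe a procedure (SD-WAN members with weighted load balancing and link monitoring, one default route, one LAN-to-SD-WAN policy, SSL VPN bound to both WAN interfaces, two IPsec tunnels to the same peer) but show no configuration. The following is an added FortiOS 6.0.x CLI example written for this page; it is not from the thread and not Fortinet's own documentation. Interface names (wan1, wan2, internal), gateway addresses (203.0.113.1, 198.51.100.1), the health-check target (8.8.8.8), the VPN peer (192.0.2.10) and the object names are all assumptions; in FortiOS 6.0 the SD-WAN object is called virtual-wan-link.

```fortios
# Added example, not from the thread. FortiOS 6.0.x CLI.
# Assumed: wan1 gw 203.0.113.1, wan2 gw 198.51.100.1, LAN interface "internal",
# health-check server 8.8.8.8, IPsec peer 192.0.2.10.

# 1. SD-WAN with both ISP links as members, weighted 90/10 towards wan1
config system virtual-wan-link
    set status enable
    set load-balance-mode weight-based
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
            set weight 90
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
            set weight 10
        next
    end
    # Link monitor: a member that fails the probe is taken out of the
    # SD-WAN route until it passes again, so all traffic moves to the
    # surviving link without any policy or route change.
    config health-check
        edit "isp-ping"
            set server "8.8.8.8"
            set update-static-route enable
            set members 1 2
        next
    end
end

# 2. One default route for all SD-WAN members (no per-WAN routes)
config router static
    edit 1
        set virtual-wan-link enable
    next
end

# 3. One outbound policy to the SD-WAN interface instead of one per WAN
config firewall policy
    edit 1
        set name "LAN-to-SDWAN"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 4. SSL VPN listens on both WAN interfaces; publish both public IPs as
#    A records for the same VPN hostname so a client can reach either.
config vpn ssl settings
    set source-interface "wan1" "wan2"
    set source-address "all"
    set port 443
end

# 5. IPsec: two phase1 interfaces to the same peer, one bound to each WAN
#    (the peer needs a matching entry for each of our public IPs).
config vpn ipsec phase1-interface
    edit "HQ-via-wan1"
        set interface "wan1"
        set remote-gw 192.0.2.10
        set proposal aes256-sha256
        set psksecret <shared-secret>
    next
    edit "HQ-via-wan2"
        set interface "wan2"
        set remote-gw 192.0.2.10
        set proposal aes256-sha256
        set psksecret <shared-secret>
    next
end
```

As the reply notes, wan1 and wan2 cannot be added as members while any policy, static route or other object still references them directly, so those references are removed first. The phase2 selectors, the routes over the two tunnel interfaces and the policies to the tunnels are not shown. Weight-based balancing with 90/10 still sends some sessions over wan2 while both links are up; the poster's "use one line until it goes down" requirement is closer to the spillover (usage-based) mode the reply also mentions. After applying, `diagnose sys virtual-wan-link health-check` shows the probe state per member and `diagnose sys virtual-wan-link member` the member list.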
Hi, Ashu
May I ask a question about SSL VPN being used in an SD-WAN environment? My FortiGate 100E's firmware is 6.x, and I configured two ISPs' internet cables to WAN1 and WAN2. SD-WAN is configured and works well. After an SSL VPN configuration was completed, I launched FortiClient to connect to this FortiGate 100E unit. The SSL VPN connects OK but will disconnect after several minutes. I checked the two internet connections. One of them goes down as well, but it comes back up after 4-5 seconds, and then FortiClient shows an alarm message that the SSL VPN connection is down. I can reconnect the SSL VPN from FortiClient, but the same disconnect issue repeats again. On Google, someone solved it by adding the instructions below,
config vpn ssl settings
    set route-source-interface enable
end
but I can't find the "route-source-interface" parameter in the set command. Any suggestion about this issue?
Regards
Arthur68tw
@Arthur68tw
In 6.x firmware you should use this command:
config system interface
    edit <port..>
        set preserve-session-route enable
    next
end
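The reply above leaves the interface as a placeholder. In the two-ISP SD-WAN setup described in this thread the setting is applied to both SD-WAN members, as in this added example (not from the thread; wan1 and wan2 are assumed interface names). With SD-WAN, a brief outage on either link changes the routing table; without this setting the existing SSL VPN session is re-evaluated against the new route and can be moved to the other WAN address, which the client sees as a dropped tunnel. With it, established sessions keep the route they were created with.

```fortios
# Added example, not from the thread. FortiOS 6.0.x CLI.
# Assumed: the two SD-WAN members are wan1 and wan2.
config system interface
    edit "wan1"
        set preserve-session-route enable
    next
    edit "wan2"
        set preserve-session-route enable
    next
end
```

The setting is per interface, so the GUI's SD-WAN page will not show it; check it with `show system interface wan1` and `show system interface wan2`.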
Hi, rdumitrescu
Thanks for your reply. It solved my problem. Now a new firmware version, 6.0.4, is released. Should I upgrade, since I searched for this problem yesterday in the forum and found someone couldn't solve this problem by adding these instructions on version 6.0.3?
P.S. My version is 6.0.2
Regards
Arthur68tw
Where did you read that in 6.0.3 the command is not working? Can you post a link to the thread?
It should work unless there is a software bug that I am not aware of.
Hi, rdumitrescu
This is the URL I googled: https://forum.fortinet.com/tm.aspx?m=153209. Someone mentions in the last post that 6.0.3 didn't fix this issue.
Regards
Hi, I have a similar issue. I have an external VDOM with two PPPoE interfaces over SD-WAN. I try to use SSL VPN over one PPPoE, but it is not working; I don't see the SSL VPN portal from the internet. I reviewed the logs and see that this traffic is denied by local-in-policy. Any idea? My version is 6.0.4.
Thanks
Regards
Copyright 2024 Fortinet, Inc. All Rights Reserved.