
SD-WAN Design



I am working on an SD-WAN solution. I have a primary data center (Hub) with 13 spokes connected to the Hub (data center). Currently the SD-WAN solution uses primary MPLS and secondary broadband.


Planning for DR. If the DC fails, the spokes connect to DR. My DR will also be the DC for some applications where remote users will connect through VPN.

In the DR location only broadband is available. How do I size the bandwidth?

Can anyone guide me with a design and solution, with a diagram?


As I understand it, you want to configure SD-WAN on a FortiGate firewall to provide redundancy:

Please refer to the below article to configure SD-WAN:


You can configure an SD-WAN rule to use the best-quality link:
I would recommend that you analyze your DC bandwidth usage for both links over a period of time. Based on that information you can identify an optimal bandwidth for your DR link if you are planning to shift your entire traffic from the 13 spokes to DR at the time of failover; if you are only planning to run critical services in DR during failover, then your bandwidth requirement will reduce accordingly. You also need to keep in mind the remote VPN users connecting to DR and allocate some bandwidth for them as well.


Bandwidth can be monitored from the FortiGate Dashboard interface widget and also with your SNMP monitoring tool, if any.


For the design part, here are a few pointers: you can have an IPsec overlay configured for DC and DR as part of SD-WAN, use a dynamic routing protocol like BGP/OSPF over the IPsec tunnels to advertise routes from DC and DR with different metrics for preference, and use SD-WAN rules to steer traffic to different tunnels based on your requirements. SD-WAN rules take precedence over your routing table, hence it will be easy to control your traffic flow with SD-WAN rules.


I would still recommend that you take help from your local Fortinet team for the proper design solution.


Best Regards




Thanks a lot for the reply. If the DC fails, DR will become active. There are users and vendors who want to access applications in DR. Since after a DC failure only the DR firewall is active, how will users and vendors access the DR firewall through VPN? What will be the solution?




Users and vendors accessing the VPN on DR will connect to the DR public IP address. If the public IP address of your DR broadband connection changes frequently, you can make use of Dynamic DNS in FortiGate for SSL VPN; if the IP doesn't change, then use the IP address or a registered FQDN to connect to.


For the DR to act as a hub for all 13 branches, you need to make use of Dynamic DNS for the IPsec VPN gateway if the public IP of the DR changes frequently. If not, you can use type "static" for the DR hub configuration.



For the failover, make use of a dynamic routing protocol with different metrics for exchanging routes from DC and DR to the spokes, where the DR routes have the lowest preference compared to DC, so that in the event of a DC failure the DR routes become active (e.g. using different Local Preference values for DC and DR when receiving routes and inserting them into the routing table), together with SD-WAN rules.


If you plan to use OSPF instead of BGP, you may use different cost values in DC and DR when exchanging routes with the spokes. The lower the cost, the more preferred the route is in OSPF.


Hope this helps.
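As an added example (not part of this thread or any Fortinet document), here is how the spoke-side pieces described above can be expressed in FortiGate CLI: iBGP peering with the DC and DR hubs over the two IPsec overlays, an inbound route-map giving DC-learned routes a higher local preference, and an SD-WAN rule that steers hub-bound traffic to the DC tunnel first and the DR tunnel second. The tunnel names, peer addresses, AS number and address object are placeholders chosen for illustration.

```text
# Spoke-side FortiGate CLI. Placeholder values: IPsec tunnels DC-VPN and DR-VPN,
# hub BGP peers 10.255.1.1 (DC) and 10.255.2.1 (DR), AS 65000, address DC-Subnets.

# Inbound route-map for the DC peer: local preference 200 beats the default 100
# that routes learned from the DR peer keep, so DR only wins when DC is gone.
config router route-map
    edit "RM-DC-IN"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end

# iBGP peering with both hubs over the overlays
config router bgp
    set as 65000
    config neighbor
        edit "10.255.1.1"
            set remote-as 65000
            set route-map-in "RM-DC-IN"
        next
        edit "10.255.2.1"
            set remote-as 65000
        next
    end
end

# SD-WAN: both tunnels as members; the rule prefers DC and falls back to DR
config system sdwan
    set status enable
    config members
        edit 1
            set interface "DC-VPN"
        next
        edit 2
            set interface "DR-VPN"
        next
    end
    config service
        edit 1
            set name "To-Hubs"
            set mode manual
            set dst "DC-Subnets"
            set priority-members 1 2
        next
    end
end
```

Because the DR neighbour is left at BGP's default local preference of 100, its routes are installed only while the DC-learned routes are absent; the SD-WAN rule then moves hub-bound traffic to the DR tunnel once the DC tunnel is down.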
Thanks for your reply.
