- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SD-WAN Design
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SD-WAN Design
Hi,
I am working on SD-WAN solution .I have primary Data center(Hub). Have 13 Spoke connected to Hub (Data center ).Currently SD-WAN Solution with primary MPLS and secondary Broadband used.
Planning for DR.If DC Fails Spoke to connect DR.My DR will also be DC for some applications where remote user will connect through VPN.
In DR location only Broadband available.How to size bandwidth.
Anyone Guide me with Design and Solution with diagram
Labels:
- Labels:
-
FortiGate v5.4
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
As I understand you want to configure SD WAN on FortiGate firewall to provide redundancy:
Please refer to the below article to configure SDWAN:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/218559/creating-the-sd-wan-interface
You can configure SDWAN rule to use Best quality link:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/22371/sd-wan-rules-best-quality
Regards,
Abhimanyu
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would recommend, you analyze your DC bandwidth usages for both the links over a period of time and based on that information you may identify an optimal bandwidth for your DR link if you are planning to shift your entire traffic from 13 spokes to connect to DR at the time of failover or else if you are only planning critical services in DR during failover, then your bandwidth requirement will reduce accordingly. You need to keep in mind about the remote VPN users connecting to DR and allocate some bandwidth for them as well.
Bandwidth can be monitored from the FortiGate Dashboard interface widget and also using your SNMP monitoring tool if any.
For the design part here are few pointers, you can have IPsec overlay configured for DC and DR as part of SDWAN and use dynamic routing protocol like BGP/OPSF over IPsec tunnel to advertise route from DC and DR with different metrics for preference and use SDWAN rules steer traffic to different tunnels based on your requirement. SDWAN rules have precedence over your Routing table and hence it will be easy to control your traffic flow with SDWAN rules.
I would still recommend you take help from your Local Fortinet team for the proper design solution.
Best Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Thanks a Lot for Reply. If DC Fails DR will become active. There are users and Vendors who want to access application in DR.Since DC Fail only DR Firewall activated,How users and vendors access DR Firewall through VPN. What will be the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Users and Vendors accessing the VPN on DR will connect to DR Public IP address. If your Public IP address changes frequently for your DR broadband connection, you can make use of Dynamic DNS in FortiGate for SSL VPN, if the IP doesn't change then use the IP address or a registered FQDN to connect to.
https://community.fortinet.com/t5/user/viewprofilepage/user-id/38305
For the DR to act as a HUB for all 13 branches you need to make use of Dynamic DNS for the IPSec VPN Gateway if your Public IP of the DR changes frequently. If not, you can use type "static" for the DR HUB configuration.
Reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-SD-WAN-with-DDNS-type-IPsec/ta-p/190773
For the Failover, make use of Dynamic Routing Protocol with different metrics for exchanging routes from DC and DR to the spokes, where DR routes has least preference compared to DC and in the event of DC failure, DR route become active (Ex: using different Local Preference value for DC and DR when receiving and inserting route to Route Table) and SDWAN Rules.
If you plan to use OSPF instead of BGP, you may use different Cost value in DC and DR when exchange route with Spokes. Lower the cost is the preferred route in OSPF.
Hope this helps.
Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Thanks for your Reply.
Related Posts
- Help Im in Fortiswitch hell. ... 99 Views
- SDWAN design question 115 Views
- Basic ZTNA Design / Functionality Questions... 130 Views
- SD-WAN End to End Deployment/Design Guide 225 Views
- Understanding the application control 367 Views
Labels
-
FortiGate
6,706 -
FortiClient
1,334 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
344 -
FortiAP
341 -
FortiClient EMS
272 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
81 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
60 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiAuthenticator
21 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Proxy policy
4 -
Packet capture
4 -
FortiAP profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
Antivirus profile
3 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.