SD-WAN and VRRP for default gateway redundancy - question
100F on 7.0.12
I am curious if I can use SD-WAN capabilities to achieve an active/passive internet setup. I will have two upstream routers running VRRP, providing default gateway redundancy for the connected FortiGate. In the FortiGate docs, most examples use two different upstream ISPs. In my case, WAN1 will connect to Router1 and WAN2 would connect to Router2. I would only want WAN2 to be used if the connection to WAN1 became unavailable.
Unfortunately I don't have the ability to do this in a lab and I need some "proof" before ordering the upstream routers. Any help would be appreciated!
If your upstream routers are terminating multiple circuits but the IP interface to the FGT is VRRPed (meaning only one default gateway IP for the FGT), for the FGT it's just one upstream link. You can't connect two interfaces like WAN1 and WAN2 to it. On the other hand, if they're NOT VRRPed and both are directly coming to the FGT, you can terminate one at WAN1 and the other at WAN2, then set up SD-WAN to do whatever redundancy you want.
Correct, my plan was for the FG to have a single gateway IP - the IP that will be VRRP'ed by my upstream routers. If I can't use SD-WAN to get this working, how else could I? Seems it cannot be an uncommon scenario to want the FG connected to dual upstream routers for redundancy purposes in this manner.
Have you considered use of route monitoring? Configure a static route with higher priority towards the WAN1 router and enable route monitoring. If this route fails, the device removes this route and makes the WAN2 route active.
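As an added example, not taken from the thread, the route-monitoring approach above expressed as a FortiOS 7.0 CLI fragment: two default routes at equal distance, preference decided by priority (lower wins), and a link monitor that withdraws the WAN1 route when its probes fail. Interface names, gateway addresses and the probe target are assumptions.

```fortios
# Two default routes with the same administrative distance (default 10),
# so both stay in the routing table; priority 5 beats priority 10,
# so WAN1 carries traffic while it is healthy.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1      # assumed Router1 address on WAN1
        set device "wan1"
        set priority 5
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1     # assumed Router2 address on WAN2
        set device "wan2"
        set priority 10
    next
end

# Probe through WAN1 only; when the probe fails, update-static-route
# removes route 1 from the routing table and route 2 takes over.
# When the probe recovers, route 1 is reinstalled and WAN1 is preferred again.
config system link-monitor
    edit "wan1-mon"
        set srcintf "wan1"
        set server "203.0.113.254"   # assumed probe target beyond Router1
        set protocol ping
        set gateway-ip 203.0.113.1
        set interval 500             # milliseconds between probes
        set failtime 5               # consecutive failures before declaring down
        set recoverytime 5           # consecutive successes before declaring up
        set update-static-route enable
    next
end

# Checks after applying:
#   diagnose sys link-monitor status
#   get router info routing-table all
```

Probe a target beyond Router1 rather than Router1 itself, otherwise a healthy router with a dead upstream circuit keeps the WAN1 route installed.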
"my plan was for the FG to have a single gateway IP"
IMHO it goes against the multilink SD-WAN concept, as with SD-WAN you have several different ISP uplinks that are being logically grouped in order to perform the traffic routing/balancing across the SD-WAN members.
On top of it, VRRP interfaces of the VRRP cluster members have to be able to communicate with each other. By connecting WAN1 to Router1 and WAN2 to Router2, the VRRP cluster members will not be able to communicate with each other.
The classical design for that case would be a network switch that provides an L2 connection between the FortiGate and the VRRP-enabled interfaces of the VRRP cluster.
The FortiGate will have a default route towards the virtual VRRP address, and VRRP will take care of the routing on the routers.