BensonLEI
Contributor

SD-WAN and multi-WAN links design

Hi, guys,

I am new to Fortinet products.

We have two sites. I just installed a Fortigate 400e HA pair at each site, with multiple WAN links at each site: SiteA has two internet lines for web surfing and two IPLC lines connecting to SiteB (which also has two internet lines).

I would like to get recommendations from your experts on how to design/configure the 400e HA pair at each site:

1. Internet lines for web surfing at each site

2. IPLC lines for two site communication (with private IP subnets)

Many thx in advance.

PerthNSE
New Contributor II

Hi,

I'm not too sure what exactly you are after here - so I'll take a stab at connectivity.

I'm going to assume you have a pair of core Fortiswitches running in MCLAG for this.

 

The key with HA is to ensure that you maintain connectivity in the event of an HA primary change over, so the incoming links need to go through VLANs on the core switches before connecting to the HA pair. The links from the switches can be physical cables to the WAN ports on the Fortigates, but I usually use VLANs on the FortiLink interface.

 

Then you should add the interfaces to SDWAN and set up PLA and SDWAN Rules to handle traffic.

 

For a dual WAN setup I would normally connect it up similar to this diagram (just add more for IPLC links) - 

If you haven't seen it, this cookbook article is a good starting point for HA setup - https://cookbook.fortinet.com/high-availability-two-fortigates/index.html
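
A FortiOS CLI sketch of the SD-WAN step described in the reply above: two internet links placed in one SD-WAN zone, a performance SLA health check, and a rule that steers traffic to a member meeting the SLA. This is an added example, not configuration posted by anyone in the thread. The port names, gateway and probe addresses (documentation ranges), thresholds and the names Internet_SLA and Web_via_best_SLA are assumptions; the zone name is the one used in the thread's own config, and the `#` lines are annotations for the reader.

```fortios
config system sdwan
    set status enable
    config zone
        edit "Access_to_Internet"
        next
    end
    # Both internet uplinks become members of the same zone (assumed ports)
    config members
        edit 1
            set interface "port1"
            set zone "Access_to_Internet"
            set gateway 198.51.100.1
        next
        edit 2
            set interface "port2"
            set zone "Access_to_Internet"
            set gateway 203.0.113.1
        next
    end
    # Performance SLA: probe a constructed target through each member
    config health-check
        edit "Internet_SLA"
            set server "192.0.2.53"
            set protocol ping
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
    # SD-WAN rule: use the first listed member that currently meets SLA 1
    config service
        edit 1
            set name "Web_via_best_SLA"
            set mode sla
            set dst "all"
            set src "all"
            config sla
                edit "Internet_SLA"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```

Traffic still needs a firewall policy whose outgoing interface is the SD-WAN zone before the rule has any effect.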


BensonLEI

Hi, PerthNSE,

 

Many thanks for your reply and information. I set up the HA structure and SD-WAN zones for the internet and IPLC lines, as attached.

But strangely, I cannot configure a static route to an individual SD-WAN zone separately, only this object "SD-WAN".

 

=====

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "Access_to_Internet"
        next
        edit "LL_link-to-16HK"
        next
    end
    config members

.....

.....

config router static
    edit 1
        set distance 1
        set sdwan enable
    next
    edit 2
        set dst 10.16.7.0 255.255.255.0
        set gateway 10.10.32.22
        set device "port7"
    next

===========

Anything I need to modify in the "config router static"? Please advise.

 

 
