I have an active-passive HA pair of FG100Fs running 6.4.6 with a 125x125 fiber internet connection currently in production. I just purchased a 100Mbps cable internet connection and would like to configure the FGs to use SD-WAN and load balance over the two WAN connections and of course failover to one if one circuit goes down.
I also have two S2S VPNs and a remote access VPN that I want to be able to remain up if one of the internet connections goes down.
My thought process is that I can schedule a downtime and:
1. Remove the WAN interfaces from the IP v4 Policy rules I already have
2. Create the SD-WAN interface and add the two WAN interfaces as members
3. Modify my default static route and other static routes to point to the SD-WAN interface
4. Add the SD-WAN interface to my IP v4 Policy rules.
After this, I'm not really sure how to go about making the VPNs use the SD-WAN interface without completely recreating them, one of which will be a pain because it is with a third-party vendor and they use a vASA.
So I guess I have two questions:
1. Am I thinking about the process of migrating from WAN to SD-WAN correctly?
2. Are there any less painful options for getting the VPNs tied to the SD-WAN interface rather than the WAN interface?
Thank you in advance.
You can reconfigure the interface in phase1-interface anytime.
Before you can add the old WAN interfaces into the SD-WAN zone, you need to remove all references. That includes static routes (which you mention restoring, but not removing prior to moving the WAN interfaces).
Hi @crtolbert
For the WAN interface migration, your plan of action is correct for FortiOS 6.4.7.
From 7.0.0 FortiOS onwards there is a new feature added for the interface migration.
Please find more detail regarding this at the link below:
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/885870/interface-migration-wizard
I have checked in the lab: to move the tunnel interface to the overlay SD-WAN zone, the policy and route references need to be removed, without deleting the complete tunnel configuration.
Please find the link below for the configuration of the overlay SD-WAN network:
Regards
Priyanka
Created on 08-04-2023 08:35 AM Edited on 08-04-2023 08:45 AM
Priyanka,
It seems then the best path forward would be to upgrade my HA cluster to at least 7.0.12 and then utilize the Interface Migration Wizard to add the interfaces to an SD-WAN zone. This would keep me from having to manually remove all references of the WAN interfaces and then go back and add the SD-WAN interface to my routes, rules, and VPNs. Is this correct?
Hi @crtolbert
In FortiOS 7.0.12, the integrate interface option will be able to integrate the physical interface.
As shown in the screenshot, you will be able to see the applicable changes when you integrate the interface.
For the VPN, we do not have the option in 7.0.12 to integrate the interface directly. Instead, the VPN can be recreated in the SD-WAN overlay zone itself.
Regards
Priyanka
Hi,
One of the prerequisites for adding the interfaces to the SD-WAN is that there shouldn't be any references.
Delete the references you have for the VPN, like firewall policies, routes, address objects, etc.
After removing the references, you will be able to add them as SD-WAN members.
Regards,
Roshan
Hello @crtolbert
Please be informed that deleting references means deleting the configuration related to it. If you are planning to delete the references, then I would highly recommend that you take a backup first. Also, please delete the references in your downtime and not during your production hours.
After deleting the references from the interface that you want to configure as an SD-WAN member, you can add that interface as an SD-WAN member.
Please let us know if you have any further queries or concerns.
Thanks
Shaleni