Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
crtolbert
New Contributor

Setting Production FortiGates to Use SD-WAN

I have an active-passive HA pair of FG100Fs running 6.4.6 with a 125x125 fiber internet connection currently in production. I just purchased a 100Mbps cable internet connection and would like to configure the FGs to use SD-WAN and load-balance over the two WAN connections and, of course, fail over to one if one circuit goes down.

 

I also have two S2S VPNs and a remote access VPN that I want to be able to remain up if one of the internet connections goes down.

 

My thought process is that I can schedule a downtime and:

1. Remove the WAN interfaces from the IPv4 policy rules I already have

2. Create the SD-WAN interface and add the two WAN interfaces as members

3. Modify my default static route and other static routes to point to the SD-WAN interface

4. Add the SD-WAN interface to my IPv4 policy rules.

 

After this, I'm not really sure how to go about making the VPNs use the SD-WAN interface without completely recreating them, one of which will be a pain because it is with a third-party vendor and they use a vASA.

 

So I guess I have two questions:

1. Am I thinking about the process of migrating from WAN to SD-WAN correctly?

2. Are there any less painful options for getting the VPNs tied to the SD-WAN interface rather than the WAN interface?

 

Thank you in advance.
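The four steps above as a CLI sequence, with the order fixed so that the references are gone before the ports are added. This is an added example written for this thread, not configuration from the original poster or from Fortinet. It assumes the fiber port is wan1 (gateway 203.0.113.1), the cable port is wan2 (gateway 198.51.100.1), a single default route with id 1, a single outbound policy with id 1, a vendor tunnel named "vendor-vasa", and 8.8.8.8 as the probe target; all of those names and addresses are placeholders. The syntax is the 6.4/7.0 SD-WAN CLI as I recall it, so check each command against the CLI reference for your release before a maintenance window. Lines starting with # are annotations, not commands.

```fortios
# Step 1: list every object that still references each WAN port.
# Each entry shown must be re-pointed or deleted; step 2 is refused otherwise.
diagnose sys checkused system.interface.name wan1
diagnose sys checkused system.interface.name wan2

# The static default route that names wan1 has to go before the port can
# become a member (the ISP gateway moves onto the member definition below).
config router static
    delete 1
end

# Policies that name wan1/wan2 are re-pointed to a placeholder for now
# (assumed: "any" is accepted here; otherwise delete them and recreate them in step 4).
config firewall policy
    edit 1
        set dstintf "any"
    next
end

# Step 2: the SD-WAN zone with both ports as members, each with its own
# gateway, plus a health check so a dead circuit drops out of the balance.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
    end
    config health-check
        edit "internet"
            set server "8.8.8.8"
            set members 1 2
        next
    end
end

# Step 3: the default route now points at the zone, not at one port.
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end

# Step 4: policies reference the zone; individual members are never named.
config firewall policy
    edit 1
        set dstintf "virtual-wan-link"
    next
end

# The existing tunnel's phase1 stays bound to the physical port; that binding
# does not have to be recreated for wan1 to be an SD-WAN member.
config vpn ipsec phase1-interface
    edit "vendor-vasa"
        set interface "wan1"
    next
end

# Verify members, probe results, and the member each new session picks.
diagnose sys sdwan member
diagnose sys sdwan health-check
diagnose sys sdwan service
```

Note what this sequence does and does not give: internet traffic is balanced and fails over between the two members, but the vendor tunnel is still anchored to wan1 and goes down with that circuit. Keeping the VPNs up across both circuits is the overlay-zone design discussed in the replies, which needs a tunnel per underlay.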

ede_pfau
SuperUser

You can reconfigure the interface in phase1-interface anytime.

Before you can add the old WAN interfaces into the SD-WAN zone, you need to remove all references. That includes static routes (which you mention on restoring, but not prior to moving the WAN interfaces).


Ede


"Kernel panic: Aiee, killing interrupt handler!"
pgautam
Staff

Hi @crtolbert 

 

For the WAN interface migration, your plan of action is correct for FortiOS 6.4.7.

 

From FortiOS 7.0.0 onwards there is a new feature for interface migration.

Please find more detail at the link below:

 

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/885870/interface-migration-wizard

 

I have checked in the lab: to move the tunnel interface to the overlay SD-WAN zone, the policy and route references need to be removed, without deleting the complete tunnel configuration.

 

Please find the link below for the configuration of an overlay SD-WAN network:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...

 

Regards

Priyanka

 


 

 

 

crtolbert

Priyanka,

 

It seems then the best path forward would be to upgrade my HA cluster to at least 7.0.12 and then utilize the Interface Migration Wizard to add the interfaces to an SD-WAN zone. This would keep me from having to manually remove all references of the WAN interfaces and then go back and add the SD-WAN interface to my routes, rules, and VPNs. Is this correct?

pgautam

Hi @crtolbert 

 

In FortiOS 7.0.12, the integrate interface option will be able to integrate the physical interface.

(screenshots: integrate interface.PNG, 1st.PNG, 2nd.PNG)

As shown in the screenshots, you will be able to see the applicable changes when you integrate the interface.

(screenshot: 3rd.PNG)

For the VPN we do not have the option in 7.0.12 to integrate the interface directly. Rather, in SD-WAN itself, the overlay zone VPN can be recreated.

(screenshot: IPSEC tunnel overlay.PNG)

Regards

Priyanka 

 


rvijayaraj
Staff

Hi,

One of the prerequisites for adding the interfaces to the SD-WAN is that there shouldn't be any references.

Delete the references you have for the VPN, like firewall policies, routes, address objects, etc.

After removing the references you will be able to add them as an SD-WAN member.

 

Regards,

Roshan

chauhans
Staff

Hello @crtolbert 


Please be informed that deleting references means deleting the configuration related to it. If you are planning to delete the references, then I would highly recommend that you take a backup first. Also, please delete the references during your downtime and not during your production hours.
After deleting the references from the interface which you want to configure as an SD-WAN member, you can add that interface as an SD-WAN member.

Please let us know if you have any further queries or concerns.


Thanks
Shaleni
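The replies above agree on the same gate: the WAN ports (and later the tunnel interface) can only become SD-WAN members once nothing else references them, and the backup should be taken before anything is deleted. The following script, an added example written for this thread and not code from any of the posters or from Fortinet, does the review offline: it walks the nested config / edit / set blocks of that backup file and lists every setting that still names a given interface. The sample configuration embedded at the bottom is constructed for illustration; the interface names, policy id and addresses in it are placeholders.

```python
"""Offline scan of a FortiOS configuration backup for interface references.

Added example, not code from the thread or from Fortinet. Walks the nested
config / edit / set blocks of a backup file and lists every setting whose
value names the interface, so the objects that must be re-pointed before
the port (or tunnel) can become an SD-WAN member are known in advance.
"""
import shlex


def _tokens(line):
    """Split one config line like a shell would, tolerating stray quotes."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def find_interface_references(config_text, iface):
    """Return [(section path, entry id, setting), ...] for every set/append
    whose values include iface. The interface's own definition is an `edit`
    line, not a set value, so it is not reported; a VLAN or tunnel that
    sets `interface "wan1"` is, because that is a real dependency."""
    refs = []
    sections = []  # stack of open "config ..." names, innermost last
    entries = []   # stack of open "edit ..." ids, innermost last
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # backups carry #-comment lines
            continue
        tok = _tokens(line)
        if not tok:
            continue
        kw = tok[0]
        if kw == "config":
            sections.append(" ".join(tok[1:]))
        elif kw == "edit":
            entries.append(" ".join(tok[1:]))
        elif kw == "next" and entries:
            entries.pop()
        elif kw == "end" and sections:
            sections.pop()
        elif kw in ("set", "append") and len(tok) > 2 and sections:
            if iface in tok[2:]:
                entry = entries[-1] if entries else ""
                refs.append((" > ".join(sections), entry, tok[1]))
    return refs


# Constructed sample backup (not from a real device): wan1 is the fiber port
# that is about to be moved into the SD-WAN zone.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
    next
end
config firewall address
    edit "wan1-net"
        set subnet 203.0.113.0 255.255.255.0
        set associated-interface "wan1"
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
config vpn ipsec phase1-interface
    edit "vendor-vasa"
        set interface "wan1"
        set remote-gw 192.0.2.10
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

if __name__ == "__main__":
    for iface in ("wan1", "wan2"):
        print(f"References to {iface}:")
        for section, entry, setting in find_interface_references(SAMPLE_CONFIG, iface):
            print(f"  {section} / edit {entry} / set {setting}")
```

Run it against the backup you take before the window (`python3 scan.py` after replacing SAMPLE_CONFIG with the file contents) and work through the list: each line is one object that the SD-WAN member add will trip over. On the live unit the same list can be pulled with `diagnose sys checkused system.interface.name wan1`, as I recall the command; the offline scan is useful because it can be repeated against the planned post-change config as well.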
