I have an active-passive HA pair of FG100Fs running 6.4.6 with a 125x125 fiber internet connection currently in production. I just purchased a 100Mbps cable internet connection and would like to configure the FGs to use SD-WAN and load-balance over the two WAN connections and, of course, fail over to one if the other circuit goes down.
I also have two S2S VPNs and a remote access VPN that I want to be able to remain up if one of the internet connections goes down.
My thought process is that I can schedule a downtime and:
1. Remove the WAN interfaces from the IPv4 Policy rules I already have
2. Create the SD-WAN interface and add the two WAN interfaces as members
3. Modify my default static route and other static routes to point to the SD-WAN interface
4. Add the SD-WAN interface to my IPv4 Policy rules.
After this, I'm not really sure how to go about making the VPNs use the SD-WAN interface without completely recreating them, one of which will be a pain because it is with a third-party vendor and they use a vASA.
So I guess I have two questions:
1. Am I thinking about the process of migrating from WAN to SD-WAN correctly?
2. Are there any less painful options for getting the VPNs tied to the SD-WAN interface rather than the WAN interface?
You can reconfigure the interface in phase1-interface anytime.
Before you can add the old WAN interfaces into the SD-WAN zone, you need to remove all references. That includes static routes (which you mention on restoring, but not prior to moving the WAN interfaces).
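The sequence the two posts above describe (clear every reference to the WAN interfaces, add them as SD-WAN members, then point the default route, policies and the phase1-interface at the result), written out as FortiOS 6.4 CLI. This is an added illustration, not configuration from either poster: the interface names wan1/wan2, the gateways, the policy and tunnel names, the health-check target and the source interface "internal" are all assumptions you would replace with your own values. Take a backup before you start, as the thread says, and do it in a maintenance window.

```text
# 0. Find everything that still references the physical WAN interfaces.
#    Policies, static routes and policy routes that appear here must be
#    deleted or re-pointed before the member add in step 1 will succeed.
diagnose sys checkused system.interface.name wan1
diagnose sys checkused system.interface.name wan2

# 1. Create the SD-WAN zone and add both circuits as members.
#    (6.4 syntax; the default zone is named "virtual-wan-link".)
config system sdwan
    set status enable
    set load-balance-mode source-ip-based      # assumption: per-source-IP spread
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"               # assumption: fiber circuit
            set zone "virtual-wan-link"
            set gateway 203.0.113.1            # assumption: fiber next hop
        next
        edit 2
            set interface "wan2"               # assumption: cable circuit
            set zone "virtual-wan-link"
            set gateway 198.51.100.1           # assumption: cable next hop
        next
    end
    # Health check so a dead circuit is taken out of the zone (failover).
    config health-check
        edit "wan-ping"
            set server "208.67.222.222"        # assumption: any reachable target
            set members 1 2
        next
    end
end

# 2. Re-create the default route against SD-WAN instead of wan1/wan2.
#    On 6.4 the keyword is "set sdwan enable"; on 7.0.x it becomes
#    "set sdwan-zone "virtual-wan-link"" (assumption: check "set ?" on your build).
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set sdwan enable
    next
end

# 3. Re-create the outbound policy with the zone as the destination.
config firewall policy
    edit 0
        set name "LAN-to-Internet-SDWAN"       # assumption: name
        set srcintf "internal"                 # assumption: LAN interface
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 4. The IPsec tunnel keeps its phase1/phase2 settings; only the bound
#    interface is edited, which is what the first reply means by
#    "reconfigure the interface in phase1-interface".
config vpn ipsec phase1-interface
    edit "vendor-vasa"                         # assumption: existing tunnel name
        set interface "wan1"                   # or "wan2" to move it to cable
    next
end
```

Step 0 is the part the replies stress: FortiOS refuses to add an interface as an SD-WAN member while a policy or route still names it, so the `checkused` output is your to-do list for the downtime. Steps 2 and 3 are therefore re-creations, not edits, which is why a config backup matters. Step 4 does not make the tunnel follow the zone; it only changes which circuit the tunnel is anchored to, which is as far as the thread goes.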
It seems then the best path forward would be to upgrade my HA cluster to at least 7.0.12 and then utilize the Interface Migration Wizard to add the interfaces to an SD-WAN zone. This would keep me from having to manually remove all references of the WAN interfaces and then go back and add the SD-WAN interface to my routes, rules, and VPNs. Is this correct?
Please be informed that deleting references means deleting the configuration related to them. If you are planning to delete the references, then I would highly recommend that you take a backup first. Also, please delete the references during your downtime and not during your production hours. After deleting the references to the interface you want to configure as an SD-WAN member, you can add that interface as an SD-WAN member.
Please let us know if you have any further queries or concerns.