I'm new to Fortigate and we are currently migrating from Cisco ASA to Fortigate FG201 (v7.0.5).
From our existing setup, we have 2 different WAN links (2 diff ISPs).
ISP 1 is used as the primary gateway for internet and ISP 2 is for VPN connections (IPsec/SSL VPN). ISP2 also serves as a backup link for internet traffic (manual failover). We are also using Zscaler Proxy, so we have a FW policy that directs all internet traffic to Zscaler.
My question is how can we achieve a similar setup with our new Fortigate FW? Or what is the best way to achieve this?
I've been doing some reading on Fortigate but I'm still not sure what is the best way or option to do this.
I read from this KB that it can be done using the legacy method, but I'm not sure if we should use option 1 or 3 for this, or go via the SD-WAN features. I can't figure out which is best suited for our requirement.
Another thing is the NAT requirements. Is it better to use Central NAT or do it on a per-policy basis?
One scenario is for our internal network, for example 192.168.1.0/24 (user VLAN). For internet traffic its primary gateway will be ISP1 and it only goes to ISP2 if the ISP1 link fails. How is the NAT going to work for this? Do I need to create 2 separate NAT entries in Central NAT to NAT 192.168.1.0/24 to each of the outgoing interfaces of the 2 ISPs? Or just create 2 FW policies such as below:
Internal --> ISP1
192.168.1.0/24 --> Any and NAT to outgoing interface (ISP1)
Internal --> ISP2
192.168.1.0/24 --> Any and NAT to outgoing interface (ISP2)
Or is it better to create a Zone to group the 2 WAN ports and create the policy based on that?
How about those with 1-to-1 static NAT? We only have 1 public IP range/pool available, which is from ISP2. Will it still work if the traffic is going out via ISP1? Because I read from this article https://www.fortinetguru.com/2017/11/ip-pools/ that there is a limitation when using IP pools: if the IP address(es) within the pool are different from the IP address(es) assigned to the interface, communications based on those IP addresses will fail.
Appreciate your input and thank you in advance. :)
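The two per-policy NAT rules sketched in the question, written out as FortiOS CLI as an added illustration for readers (this is not from the original post or from Fortinet); the interface names internal/wan1/wan2, the object names and the pool address are assumptions.

```fortios
# Assumed interface names: "internal" (user VLAN), "wan1" (ISP1), "wan2" (ISP2).
config firewall address
    edit "USER_VLAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Per-policy NAT: one policy per WAN egress, each translating to its own outgoing interface IP.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "USER_VLAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 11
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "USER_VLAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 1-to-1 pool from the ISP2 public range (203.0.113.10 is a constructed placeholder).
# Reference it only from a wan2 policy (set ippool enable / set poolname "ISP2_1to1");
# using it on the wan1 policy would send ISP2-owned source addresses out the ISP1 link,
# which is the IP pool limitation the linked article describes.
config firewall ippool
    edit "ISP2_1to1"
        set type one-to-one
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end
```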