galal2010
New Contributor

Site to Site VPN Configuration Special

Dears

I want to configure site to site VPN between FGT60 Site 1 (Port 1) ---->  FGT30 Site 2  (Port1)

 

Site 1: all WAN interfaces are configured in an SD-WAN zone and each one is connected to a different ADSL router, and port 1 has DDNS.

Site 2 is a straight firewall that has a static IP address.

What is the configuration of the peers?

Should I delete port1 from the SD-WAN zone, or will it work normally?

Faiza_Emam_Delhi
Contributor II

Hello Galal2010,

 

To configure a site-to-site VPN between FGT60 Site 1 and FGT30 Site 2, you need to follow these steps:

 

1. Create a VPN tunnel on both firewalls, with the following settings:

- Tunnel interface name

- Local gateway IP address

- Peer gateway IP address

- Authentication method

- Pre-shared key

 

2. Configure the necessary firewall policies to allow traffic to pass through the VPN tunnel.

 

3. If you have multiple WAN interfaces on FGT60 Site 1, you can choose to use the one with DDNS or a static IP address for the VPN tunnel. You don't need to remove it from the SD-WAN zone, as long as the firewall policy for the VPN tunnel allows traffic to pass through the correct interface.

 

Here's an example of the configuration for FGT60 Site 1:

- Create a new VPN tunnel interface with a name such as "VPN to Site 2"

- Set the local gateway IP address to the public IP address of the WAN interface you want to use for the VPN tunnel

- Set the peer gateway IP address to the static IP address of FGT30 Site 2

- Choose an authentication method and set a pre-shared key

- Create a new firewall policy that allows traffic from the local network to the remote network, and vice versa. Set the source and destination interfaces to the VPN tunnel interface.

 

Here's an example of the configuration for FGT30 Site 2:

- Create a new VPN tunnel interface with a name such as "VPN to Site 1"

- Set the local gateway IP address to the static IP address of the WAN interface

- Set the peer gateway IP address to the public IP address of FGT60 Site 1

- Choose the same authentication method and pre-shared key as on FGT60 Site 1

- Create a new firewall policy that allows traffic from the local network to the remote network, and vice versa. Set the source and destination interfaces to the VPN tunnel interface.

 

I hope this helps! Let me know if you have any further questions.

Thanks & Regards,
Faizal Emam
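
The tunnel definitions from the thread as a FortiOS CLI sketch, added here as an example; it is not part of the reply above and not Fortinet's own configuration. It shows the phase 1 and phase 2 settings on both units, with Site 2 reaching Site 1 through its DDNS name because the question says port 1 at Site 1 has DDNS. Assumed, constructed values: port1 as the WAN port on both units, `site1.example.net` as the DDNS name, `203.0.113.10` as the Site 2 static address, `10.1.0.0/24` and `10.2.0.0/24` as the two LANs, and the tunnel names and proposals.

```fortios
# Added example with constructed values: site1.example.net, 203.0.113.10,
# 10.1.0.0/24 (Site 1 LAN) and 10.2.0.0/24 (Site 2 LAN) are placeholders.
# <long-random-shared-secret> stands for the same pre-shared key on both units.

# ---- FGT60, Site 1 (port1 has DDNS; peer has a static address) ----
config vpn ipsec phase1-interface
    edit "to-site2"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret <long-random-shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "to-site2-p2"
        set phase1name "to-site2"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# ---- FGT30, Site 2 (static address; peer resolved by DDNS name) ----
config vpn ipsec phase1-interface
    edit "to-site1"
        set type ddns
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remotegw-ddns "site1.example.net"
        set psksecret <long-random-shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "to-site1-p2"
        set phase1name "to-site1"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end
```

The proposals, DH group and pre-shared key have to match on both units, and the phase 2 subnets on one side are the mirror image of the other side's.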