Transferring MPLS Interface from old FW to FG

Hi Guys, 


I am here for some technical help.

I am an Administrator of a Campus-Site (3 in all), connected via Vodafone Internet and Versatel MPLS.

The Internet-Connection is connected through our FortiGate 500E. Our MPLS runs on an old UTM 9 Sophos VM-Firewall. 


We can use the MPLS Line for Fallback Internet Access and to route our traffic to the other Campus Sites. 


Here is some data:


MPLS Intf. IP: - GW:

Route MPLS: - GW: (Cost:5)

Route MPLS: - GW: (Cost:5)

Route MPLS: - GW: (Cost 5)

Route MPLS: - GW: (Cost: 5) 

Route MPLS: 10.8.x.x/16 - GW: (Cost: 5)

Route MPLS: 10.14.x.x/16 - GW: (Cost: 5) 

Internet MPLS: - GW: (Cost: 20)


In Sophos there are currently 2 Productive VLANs for Server-Traffic left.

I got a Routing-VLAN between the Sophos and FortiGate (Soph. FTG)

The FortiGate got an Internet Connection through Vodafone and I configured it as SD-WAN:


1st Member: Vodafone ISP: Cost 1

2nd Member (deact) : MPLS: Cost 10


The Cost of SD-WAN Interface is 1


We got a Test-Connection through S2S-VPN to another Campus using the same FortiGate outside MPLS.


Route S2S-VPN: 10.24.x.x/16 - GW: Cost 10


And we got the routes to our internal -Server VLANs in Sophos, currently with Cost 20.



I want to migrate the MPLS Line to the FortiGate.

Please help me make sure that I do the right steps:

I create routes to the MPLS Networks and internal Networks in Sophos targeting FTG-GW


I create a new interface in Networks for MPLS Interface (, GW:


Then I create the Routes for the MPLS and Internal Networks, similar to the Routes in Sophos.

Now I have to create a Firewall-Rule with Source Interface the Sophos and the Productive VLANs in Sophos, and Target to MPLS and the other internal Networks, and backwards.

In Sophos I have to create the same Firewall-Rule, to get all traffic working between the two firewalls.



2 Questions: Do I have to assign an explicit SD-WAN Rule to route the traffic to the other campuses, and not to the Internet?

Do I have to change the costs for SD-WAN-Members to 20 (I think this is only for Load-Balancing, right?)



In the past I made the migration on my own with a downtime, but I get different effects, because I have to roll back my actions.

If you need further information, let me know; I think I can give it to you.

