I have some questions about some changes we are about to make on our FortiGate 501E stack.
We are connecting 2 WAN (WAN1 and WAN2) connections to our FortiGate 501E. Both interfaces have their own public IP. Outbound/inbound connectivity should fail over if 1 link fails. We prefer to use WAN1 if available.
We also use BGP to announce a set of IPs. I will have 2 BGP neighbors. WAN1 and WAN2 each have their own neighbor.
Some questions about this:
* For the dual WAN, is the best option to use SDWAN?
* If I create the SDWAN and add the 2 interfaces to it (WAN1 cost 0, WAN2 cost 10), do I still need to create an SLA policy?
* A VIP IP can't be assigned to the SDWAN interface. If the VIP is bound to WAN1, will it still work when WAN1 is down?
* Same for VPN tunnel. It can't be bound to SDWAN, only to an SDWAN member (WAN1)
* How do I force all BGP-announced traffic to come in via WAN1? I want the shortest route to be announced via WAN1. Can I do a path extension or something on the WAN2 neighbor?
Did you ever get this accomplished? I missed this post but I do have some experience with this due to our own environment.
I would guess that SD-WAN is not the best option for you since it sounds like you have your own address space. It would probably not do what you would be expecting it to do since your inbound traffic would choose ISP based on BGP routes.
I have highly asymmetrical connections to two different ISPs using BGP with prepends and it works great. No need to buy an extra router when the FortiGate can handle it. I agree about not using SDWAN in this scenario.
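For the prepend approach the reply above describes, here is what the FortiOS CLI configuration looks like. This is an added example, not configuration from the original poster or the reply author: the AS numbers (65001 for the local AS, 64496 and 64497 for the two ISPs), the neighbor addresses, the announced prefix 192.0.2.0/24 and the route-map names are all placeholder assumptions and must be replaced with your own values. It prepends the local AS three times on everything advertised to the WAN2 neighbor, so remote networks see a longer AS path via WAN2 and prefer WAN1 for inbound traffic, and it raises local-preference on routes learned from WAN1 so outbound traffic also prefers WAN1 while WAN2 stays available as a fallback.

```fortios
# Added example (not from the original thread). All AS numbers,
# addresses and names are assumptions - substitute your own.

# Route-map applied outbound to the WAN2 neighbor: prepend the local
# AS three times so our prefix looks farther away via WAN2.
config router route-map
    edit "PREPEND-WAN2-OUT"
        config rule
            edit 1
                set set-aspath "65001 65001 65001"
            next
        end
    next
    # Route-map applied inbound from the WAN1 neighbor: higher
    # local-preference (default is 100) makes WAN1 the preferred
    # outbound exit while both links are up.
    edit "PREFER-WAN1-IN"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end

# The announced prefix must exist in the routing table for the
# "network" statement to be advertised; a blackhole route covering
# the aggregate guarantees that, with the more specific internal
# routes still winning for real traffic.
config router static
    edit 0
        set dst 192.0.2.0 255.255.255.0
        set blackhole enable
    next
end

config router bgp
    set as 65001
    set router-id 192.0.2.1
    config neighbor
        # WAN1 upstream (assumed 203.0.113.1, AS 64496): no prepend,
        # inbound routes get the higher local-preference.
        edit "203.0.113.1"
            set remote-as 64496
            set route-map-in "PREFER-WAN1-IN"
        next
        # WAN2 upstream (assumed 198.51.100.1, AS 64497): prepended
        # outbound so the Internet prefers the WAN1 path to reach us.
        edit "198.51.100.1"
            set remote-as 64497
            set route-map-out "PREPEND-WAN2-OUT"
        next
    end
    config network
        edit 1
            set prefix 192.0.2.0 255.255.255.0
        next
    end
end
```

Two caveats worth checking before relying on this: AS-path prepending only influences remote networks that still choose by AS-path length (a remote AS with a local-preference policy toward ISP2 will ignore it), and when WAN1 goes down the announced prefix remains reachable via WAN2 only after the WAN1 session drops and the withdrawal propagates, so verify the failover by watching `get router info bgp summary` and `get router info bgp network 192.0.2.0/24` on both the FortiGate and, where possible, a looking glass at each ISP.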