Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
17g
New Contributor

Internet and VPN Redundancy

Hi

 

I did a previous post here but this has raised further questions regarding setting up a new office or acquisition.

 

What we currently do: Historically, I organise delivery of a Fortigate, Server (Domain Controller), switch, Unifi AP etc. Then, the weekend of the migration date, me and my team go over there and setup Fortigate (Mesh site to site VPNs, UTM, access rules etc). Promote server to DC (DHCP, DNS, WSUS, Print, MDT etc), Configure switch VLANS and setup Unifi AP. This is always a major rush and inevitably involves late night/s and troubleshooting issues and allot of pressure   What I want to do: What I want to do to eliminate this and get all the kit sent to my house (I WFH) and get the Fortigate connected on 4G and do the complete config ahead of time. Then all I have to do on migration weekend is physically rack the equipment with zero  changes to the Fortigate config.

 

(Since the original post I have purchased a 60E and a FortiExtender 201E with a Static IP SIM)

 

A couple of additional points:

[ol]
  • These new offices will have 1 internet connection/leased line so I don’t need load balancing.
  • The Fortiextender whilst used to preconfigure the device, will be kept in the configuration and sent out to the office in the event in the future they have a major outage with their main (wan1) internet connection. So i want all rules and routing to reference both wan1 - primary (but not in use until physically in place) and fortiextender - secondary [/ol]

     

    Note: I am using firmware 6.2.2 or 6.2.4

     

    Option 1: SD WAN Only – All WAN and VPN interfaces into SD WAN

    SD WAN Interfaces:

    [ul]
  • WAN1 (ISP to be physically connected upon deployment)
  • FortiExtender – higher cost
  • Site2VPN-Primary (using WAN1 interface)
  • Site2VPN-Secondary (using FortiExtender interface) – higher cost
  • Site3VPN-Primary (using WAN1 interface)
  • Site3VPN-Secondary (using FortiExtender interface) – higher cost
  • Etc[/ul]

    1 static route pointing to SD WAN

    All ipV4 policies use SD WAN interface

    I have tested this and was partially working but may have been experiencing weird routing issues. Reading more online it looks like SD can work with your internet connection OR site/site VPNs but not both. Is this true?

     

    Option 2: SD WAN for site/site VPNs only. Redundant WANs with routes and config system link-monitor

    [ul]
  • x2 static routes for primary and secondary (fortiextender) that are weighted
  • Put WAN1 and Fortiextender into Zone and reference this in policies
  • Static routes for each remote site vpn pointing to SD WAN[/ul]

     

    Option 3: Redundant WAN and VPN routes using config system link-monitor - NO SD WAN

    This option just uses weighted routes, config system link-monitor and zones for simplifying IPv4 policies.

     

    Option 1 simplifies things greatly but I am unsure whether this is technically possible or supported?

     

    Any thoughts on this would be greatly appreciated

     

    TF

     

  • 0 REPLIES 0