I did a previous post here but this has raised further questions regarding setting up a new office or acquisition.
What we currently do:
Historically, I organise delivery of a FortiGate, server (domain controller), switch, UniFi AP etc. Then, on the weekend of the migration date, my team and I go over there and set up the FortiGate (mesh site-to-site VPNs, UTM, access rules etc.), promote the server to a DC (DHCP, DNS, WSUS, print, MDT etc.), configure the switch VLANs and set up the UniFi AP. This is always a major rush and inevitably involves late nights, troubleshooting issues and a lot of pressure.
What I want to do:
What I want to do to eliminate this is get all the kit sent to my house (I WFH), get the FortiGate connected on 4G and do the complete config ahead of time. Then all I have to do on migration weekend is physically rack the equipment with zero changes to the FortiGate config.
(Since the original post I have purchased a 60E and a FortiExtender 201E with a Static IP SIM)
A couple of additional points:
These new offices will have 1 internet connection/leased line so I don’t need load balancing.
The FortiExtender, whilst used to preconfigure the device, will be kept in the configuration and sent out to the office in the event that in the future they have a major outage with their main (wan1) internet connection. So I want all rules and routing to reference both wan1 - primary (but not in use until physically in place) and FortiExtender - secondary.
Note: I am using firmware 6.2.2 or 6.2.4
Option 1: SD WAN Only – All WAN and VPN interfaces into SD WAN
SD WAN Interfaces:
WAN1 (ISP to be physically connected upon deployment)
I have tested this and it was partially working, but I may have been experiencing weird routing issues. Reading more online, it looks like SD WAN can work with your internet connection OR site-to-site VPNs, but not both. Is this true?
Option 2: SD WAN for site/site VPNs only. Redundant WANs with routes and config system link-monitor
2x static routes for primary and secondary (FortiExtender) that are weighted
Put WAN1 and FortiExtender into a zone and reference this in policies
Static routes for each remote site VPN pointing to SD WAN
Option 3: Redundant WAN and VPN routes using config system link-monitor - NO SD WAN
This option just uses weighted routes, config system link-monitor and zones for simplifying IPv4 policies.
Option 1 simplifies things greatly, but I am unsure whether this is technically possible or supported.
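For reference, here is what the Option 3 building blocks (weighted default routes, `config system link-monitor`, and a zone) look like as FortiOS 6.2 CLI. This is an added illustration, not the poster's configuration and not copied from Fortinet documentation. The FortiExtender interface name `fext-wan1`, the LAN interface name `internal`, the two gateway addresses, and the monitored address 198.51.100.100 are constructed placeholders; substitute the names and addresses from your own unit.

```fortios
# --- Two default routes: same distance, different priority.
# Equal distance keeps both routes in the routing table; the lower
# priority value (wan1) is preferred while it is healthy.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1        # constructed: ISP gateway on wan1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1       # constructed: FortiExtender 4G gateway
        set device "fext-wan1"         # assumed FortiExtender interface name
        set distance 10
        set priority 10
    next
end

# --- Link monitor on wan1: ping a target through wan1 and withdraw
# the wan1 static route when it fails, so traffic falls to fext-wan1.
# Until the leased line is physically connected, wan1 stays down and
# the 4G route carries everything, which is the pre-staging state.
config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        set server "198.51.100.100"    # constructed: reachable ping target
        set gateway-ip 203.0.113.1     # constructed: must match route 1
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# --- Zone containing both WAN members so firewall policies reference
# one object and do not need duplicating per uplink.
config system zone
    edit "WAN"
        set interface "wan1" "fext-wan1"
    next
end

# --- One outbound policy referencing the zone (NAT on egress).
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "internal"         # assumed LAN interface name
        set dstintf "WAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two points worth checking before shipping the unit: the monitored address must be one that answers ICMP from the ISP path only (if it were reachable via the 4G path the monitor would not prove anything about wan1), and `gateway-ip` in the link monitor must match the gateway on the wan1 static route, otherwise `update-static-route` will not find the route to withdraw. Verify the failover with `get router info routing-table all` while unplugging wan1.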