CampusIT
New Contributor

Transferring MPLS Interface from old FW to FG

Hi Guys,

I am here for some technical help.

I am an administrator of a campus site (3 in total), connected via Vodafone Internet and Versatel MPLS.

The Internet connection is connected through our FortiGate 500E. Our MPLS runs on an old UTM 9 Sophos VM firewall.

We can use the MPLS line for fallback Internet access and to route our traffic to the other campus sites.

Here is some data:

MPLS Intf. IP: 172.16.1.1/24 - GW: 172.16.1.254
Route MPLS: 172.16.2.0/24 - GW: 172.16.1.254 (Cost: 5)
Route MPLS: 172.16.5.0/24 - GW: 172.16.1.254 (Cost: 5)
Route MPLS: 172.16.100.0/24 - GW: 172.16.1.254 (Cost: 5)
Route MPLS: 172.16.1.0/24 - GW: 172.16.1.254 (Cost: 5)
Route MPLS: 10.8.x.x/16 - GW: 172.16.1.254 (Cost: 5)
Route MPLS: 10.14.x.x/16 - GW: 172.16.1.254 (Cost: 5)
Internet MPLS: 172.16.1.1 - GW: 172.16.1.254 (Cost: 20)

In Sophos there are currently 2 productive VLANs for server traffic left.

I have a routing VLAN between the Sophos and the FortiGate (192.168.200.100 Sophos, 192.168.200.254 FTG).

The FortiGate has an Internet connection through Vodafone, and I configured it as SD-WAN:

1st Member: Vodafone ISP: Cost 1
2nd Member (deactivated): MPLS: Cost 10

The cost of the SD-WAN interface is 1.

We have a test connection through S2S VPN to another campus using the same FortiGate, outside the MPLS.

Route S2S-VPN: 10.24.x.x/16 - GW: 188.111.43.129 (Cost: 10)

And we have the routes to our internal server VLANs in Sophos, currently with cost 20.

I want to migrate the MPLS line to the FortiGate.

Please help me to do the right steps:

I create routes to the MPLS networks and internal networks in Sophos targeting the FTG GW.

I create a new interface in Network for the MPLS interface (172.16.1.1/24, GW: 172.16.1.254).

Then I create the routes for the MPLS and internal networks, similar to the routes in Sophos.

Now I have to create a firewall rule with source interface the Sophos and the productive VLANs in Sophos, and target MPLS and the other internal networks, and backwards.

In Sophos I have to create the same firewall rule, to get all traffic flowing correctly between the two firewalls.

2 questions: Do I have to assign an explicit SD-WAN rule to route the traffic to the other campuses and not to the Internet?

Do I have to change the costs for the SD-WAN members to 20 (I think this is only for load balancing, right?)

In the past I made the migration on my own with a downtime, but I got different effects, because I had to roll back my actions.

If you need further information, let me know; I think I can give it to you.
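Added illustration (not from the post or from any reply) sketching in FortiOS CLI the objects the migration plan above describes: the MPLS interface, two of the static routes and one of the firewall policies. The interface names port5 and RoutingVLAN, the address-object names, the 192.0.2.0/24 placeholder subnet and the mapping of the Sophos "Cost" onto FortiOS administrative distance are all assumptions.

```fortios
# Assumptions: MPLS hand-off on physical "port5", routing VLAN toward the
# Sophos on interface "RoutingVLAN"; both names are invented for this sketch.
config system interface
    edit "port5"
        set alias "MPLS"
        set ip 172.16.1.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall address
    edit "Campus_172.16.2.0"
        set subnet 172.16.2.0 255.255.255.0
    next
    edit "Sophos_Server_VLANs"
        # PLACEHOLDER: replace with the real Sophos server VLAN subnet(s)
        set subnet 192.0.2.0 255.255.255.0
    next
end
# Static routes mirror the Sophos entries; "Cost" is mapped to distance here
# (an assumption). If port5 later becomes an SD-WAN member, the routes must
# reference the SD-WAN zone (set sdwan-zone) instead of the device.
config router static
    edit 0
        set dst 172.16.2.0 255.255.255.0
        set gateway 172.16.1.254
        set device "port5"
        set distance 5
    next
    edit 0
        # Fallback default route over MPLS, behind the Vodafone SD-WAN default
        set gateway 172.16.1.254
        set device "port5"
        set distance 20
    next
end
# One policy per direction; narrow "ALL" to the services the campus sites
# really exchange, and keep logging on while the migration is verified.
config firewall policy
    edit 0
        set name "Sophos-to-MPLS"
        set srcintf "RoutingVLAN"
        set dstintf "port5"
        set srcaddr "Sophos_Server_VLANs"
        set dstaddr "Campus_172.16.2.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```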
