- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Best VPN option for backup ISP WAN connections
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best VPN option for backup ISP WAN connections
Hello Everyone,
I am looking into how to connect several sites to each other, who all have a primary broadband WAN connection and a 5G backup WAN connection, all with static IPs. Our current site-to-site connections are only configured to use one WAN connection on each end, so when the office broadband connection goes down on occasion, the office has internet access via the 5G but no VPN access because it is configured for the single interface. There seem to be multiple paths i could take here and none of them seem as simple as i thought they would be.
Our network mainly consists of all Fortigate devices. F40s, 60Fs, a 61F, a 71F, and some 81Fs at our two data centers.
Approximately 15 of our sites, including our data centers, LANs are already connected to eachother via L3VPN managed by Windstream, connected to their SDWAN solution, VeloCloud, and routed to eachother via BGP.
The other 15 sites are not on any kind of managed SDWAN solution at this time. Each site has a primary broadband WAN connection, and a backup 5G connection. They are currently setup to connect to our data center via IPSEC site-to-site at our main data center, 81F-ColoPrimary. The problem we want to solve is when their primary broadband connection goes down, is to stay connected to our data centers.
Our goal is:
- Approximately 15 sites backup 5G ISP WAN connections be configured with both connections into an SDWAN zone, configured to fail over to the backup WAN if the primary connection is unusable
- This has been done on 40F-Test and 40F-Dover2 with a very basic config
- Configure them so they can connect to eachother and access eachothers internal LAN subnets through either WAN interface, through IPSEC tunnels or another means
- Utilize a routing protocol such as BGP so the sites can talk directly to eachother if feasible
So i found this tech tip article and started going through it on our test Fortigate-Test. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...
It was tedious but if it will actually work i suppose its doable... if it really works.
I got to the point in the directions where you are required to make some changes through the CLI. This doesnt seem like the right thing to be doing for 15 sites. If it is im fine with it, but stopped there to see if there is a better way.
Also i found this playlist https://www.youtube.com/playlist?list=PLp9LEzHcE6jD8OXgCmJH9gPRa39JcsA8n
and this one in particular, https://www.youtube.com/watch?v=33z0XbdJi2Q&list=PLp9LEzHcE6jD8OXgCmJH9gPRa39JcsA8n&index=19
But as i started watching the videos i realized they really build upon eachother, i cant really jump right to part 19 because it references things that have already been setup.
If you check out the above video and can recommend what they are presenting here in part 19 - (Adding a redundant VPN link and having FortiGate SD-WAN pick best path using Performance SLAs) then i will proceed with it, but if there is a better way and i am just missing it please let me know. I also have a ticket start with support to basically ask them the same question but figured asking here would be a good idea as well.
If you have any questions let me know.
Thanks in advance for any advice you have on this!
Jesse
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
-
WAN optimization
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Cogency
Thanks for your query.
Actually, i suspect support will give you design advices, because it requires changes in your infrastructure.
Based on your requirements, you are in need for ADVPN with SDWAN.
Please check this link as it has some good configuration examples.
ADVPN and shortcut paths | FortiGate / FortiOS 7.4.1 | Fortinet Document Library
Regards,
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Cogency
Thanks for your query.
Actually, i suspect support will give you design advices, because it requires changes in your infrastructure.
Based on your requirements, you are in need for ADVPN with SDWAN.
Please check this link as it has some good configuration examples.
ADVPN and shortcut paths | FortiGate / FortiOS 7.4.1 | Fortinet Document Library
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the very late reply, but thank you for the advice.
Related Posts
- IPsec tunnel stability issue - two... 256 Views
- Enquiry on FortiGate TCP Connection (conn-limit)... 155 Views
- Root Cause of Red Down Arrow... 108 Views
- Automatic Daily Backup to E-Mail 177 Views
- Lost super_admin - how to exec... 245 Views
Labels
-
FortiGate
6,539 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
SSL SSH inspection
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
Schedule
1 -
4.0MR1
1 -
SDN connector
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.