Design Questions - Replacing several firewalls
Our current HQ, uses Fortigate firewalls
Situation a few months ago:
BranchA had FirewallBrandA, and connected to HQ via IPSEC VPN. Users connect to branch via FirewallBrandA VPN client
BranchB had FirewallBrandB and connected to HQ via IPSEC VPN. Users connect to branchB via FirewalBrandB VPN client
The 2 branches merged physically.
Each 'branch' is still using the same setup as when separated except for the internet which is now common.
We are going to replace FirewallBrandA and FirewallBrandB with only one Fortigate.
Initial thought was to plug each 'branch' on a different interface and have their own rules
Q1: Do we keep 2 IPSEC VPN to HQ, or can we have only 1? Not sure if we can have 2 VPN links pointing to the same HQ IP. On the other hand, I do not know how to set up a VPN link using 2 interfaces (and rules). Is it possible and how?
Q2: what about SSLVPN: I have played on our HQ firewall with having 2 SSLPortals, with each one authenticating against a different Radius server (and having their own subnets and rules). It seems to work but looks it is flaky. Also, not sure how Fortigate decices which portal to use depending of the user.
For example, from the same https address, how can UserA be authenticated by RadiusA and then get access to BranchA and how UserB be authenticated by RadiusB and then get access to BranchB
I also looked at Vlan on Fortigate on the same interface, to connect each 'branch', but will it not be the same for Ipsec and SSLVPN?
Any input would be greatly appreciated
Thanks in advance