Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BensonLEI
Contributor

Created on ‎07-28-2020 10:12 AM

SD-WAN and multi-WAN links design

Hi, guys,

I am new to Fortinet products.

We have two sites, I just installed Fortigate 400e HA pair at each site, and multi WAN links at each site, like SiteA has two internet lines for web surfing and then two IPLC lines connect to SiteB ( also has two internet lines )

 

I would like to get recommendation from your experts, how to design/configure the 400e HA pair at each site:

1. Internet lines for web surfing at each site

2. IPLC lines for two site communication ( with private IP subnets) 

 

 

 

Many thx in advance.

 

 

2761
0 Kudos
1 Solution
PerthNSE
New Contributor II

Created on ‎07-29-2020 10:03 PM

Hi,

I'm not too sure what exactly you are after here - so I'll take a stab at connectivity.

I'm going to assume you have a pair of core Fortiswitches running in MCLAG for this.

 

The key with HA is to ensure that you maintain connectivity in the event of an HA primary change over, so the incoming links need to go through VLANs on the core switches before connecting to the HA pair. The links from the switches can be physical cables to the WAN ports on the Fortigates, but I usually use VLANs on the FortiLink interface.

 

Then you should add the interfaces to SDWAN and setup PLA and SDWAN Rules to handle traffic.

 

For a dual WAN setup I would normally connect it up similar to this diagram (just add more for IPLC links) - 

 

 

 

If you haven't seen it, this cookbook article is a good starting point fo HA setup - https://cookbook.fortinet.com/high-availability-two-fortigates/index.html

View solution in original post

Preview file
73 KB
1811
0 Kudos
2 REPLIES 2
PerthNSE
New Contributor II

Created on ‎07-29-2020 10:03 PM

Hi,

I'm not too sure what exactly you are after here - so I'll take a stab at connectivity.

I'm going to assume you have a pair of core Fortiswitches running in MCLAG for this.

 

The key with HA is to ensure that you maintain connectivity in the event of an HA primary change over, so the incoming links need to go through VLANs on the core switches before connecting to the HA pair. The links from the switches can be physical cables to the WAN ports on the Fortigates, but I usually use VLANs on the FortiLink interface.

 

Then you should add the interfaces to SDWAN and setup PLA and SDWAN Rules to handle traffic.

 

For a dual WAN setup I would normally connect it up similar to this diagram (just add more for IPLC links) - 

 

 

 

If you haven't seen it, this cookbook article is a good starting point fo HA setup - https://cookbook.fortinet.com/high-availability-two-fortigates/index.html

Preview file
73 KB
1812
0 Kudos
BensonLEI
Contributor
In response to PerthNSE

Created on ‎07-30-2020 04:08 AM

Hi, PerthNSE,

 

May thanks for your reply and information, I set up the HA structure and SD-WAN zones for the internet and IPLC lines, at the attached.

 

But strangely, I can not configure static route to individual SD-WAN zone separately, only this object "SD-WAN"

 

=====

config system sdwan   set status enable      config zone        edit "virtual-wan-link"      next        edit "Access_to_Internet"      next        edit "LL_link-to-16HK"     next   end   config members

.....

.....

config router static     edit 1       set distance 1       set sdwan enable   next   edit 2      set dst 10.16.7.0 255.255.255.0      set gateway 10.10.32.22      set device "port7" next

===========

 

 

Änything I need to modify the "config router static", please advice

 

 

Preview file
42 KB
1774
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.