Ask AI: What is the best way to set up a new Fortigate SDWAN network with backup internet and connectivity between sites?

Setting up a FortiGate SD-WAN network with backup internet and reliable site-to-site connectivity involves careful planning and step-by-step configuration. Below is a recommended approach, suitable for most small/medium business scenarios. Adapt specifics as needed for your environment. ### 1. **Pre-requisites** - FortiGate devices at all sites, running compatible firmware (latest recommended). - At least two internet links per site (Primary, Backup). - Licensing for SD-WAN features if not built-in. - Static IPs for VPN endpoints or DDNS configured. - Planned subnetting so that each site has unique internal networks. --- ### 2. **Physical and Initial Setup** - Connect both internet links (WAN1, WAN2) to your FortiGate at each site. - Configure the internal interface for LAN users. --- ### 3. **Configure Internet and SD-WAN Interfaces** 1. **WAN Interface Setup** - Under **Network > Interfaces**, configure WAN1 and WAN2 with IP information or DHCP. 2. **SD-WAN Zone Setup** - Go to **Network > SD-WAN**. - Add both WAN1 and WAN2 to the SD-WAN zone. - Assign costs/priority if you want to prefer one link by default. --- ### 4. **Configure SD-WAN Rules and Performance SLAs** - Define **Performance SLAs** to monitor gateway reachability (ping to 8.8.8.8 and 1.1.1.1, for example). - SD-WAN rules - Create rules specifying preferred link usage (e.g., Primary unless down or performance degraded, then use Backup). - Rules can be set per application, per subnet, or general. --- ### 5. **VPN/Inter-site Connectivity** **For site-to-site, two options:** #### a. IPsec VPN with SD-WAN - Use IPsec VPNs for tunnels between sites, built on top of the SD-WAN. - At each site: - **Create two IPsec tunnels** to each peer—one via WAN1, one via WAN2. - In **Network > SD-WAN**, add both VPN tunnels to the SD-WAN zone. - SD-WAN rules and Performance SLAs will handle failover and link choice automatically. - At both ends configure static or dynamic routing (OSPF/BGP is beneficial for larger networks). - Example: Site A WAN1 <--> Site B WAN1 Site A WAN2 <--> Site B WAN2 #### b. (Alternative) Fortinet ADVPN - For hub-and-spoke or large deployments, use **ADVPN (Auto-Discovery VPN)** using FortiGate's advanced VPN features. --- ### 6. **Routing** - Use **SD-WAN rules** to send outbound and inter-site (VPN) traffic over the best link. - Use static or dynamic routing as appropriate for your topology. - OSPF/BGP enables automatic adaptation if a link goes down. --- ### 7. **Firewall and Security Policies** - Set security policies to allow appropriate inter-site traffic. - Configure policy for outbound internet access via the SD-WAN interface. --- ### 8. **Testing and Monitoring** - Unplug/inject faults into WAN links to verify failover. - Use **Monitor > SD-WAN** and the VPN section to observe tunnel and link status. --- ### 9. **Additional Recommendations** - **Backup the configuration** after setup. - Consider enabling **logging**, especially for SD-WAN and VPN events. - If using central management (FortiManager), templates can speed up deployment for many sites. - Use **two-factor authentication** and strong passwords for device admin access. --- ## **Summary Flow** 1. Enable SD-WAN, add both WAN links. 2. Create Performance SLAs for link monitoring. 3. Add site-to-site VPN tunnels via both internet links and add to SD-WAN. 4. Set SD-WAN rules to use best available link. 5. Add security policies and routing as needed. --- If you need **step-by-step GUI screenshots, CLI commands, or a sample config**, let me know your FortiOS version and any special requirements.

Setting up a new Fortigate SD-WAN network with backup internet and connectivity between sites involves a series of steps that take into consideration the network architecture and specific business needs. Here's an outline of how to set up an efficient, reliable, and secure Fortigate SD-WAN network: 1. Network assessment: a. Analyze the business requirements, locations of the sites, WAN connectivity options, and redundancy needs. b. Determine the number of necessary Fortigate devices, the type of internet connections, and relevant bandwidth. 2. Select appropriate hardware: a. Choose appropriate Fortigate appliances based on the number of users, network requirements, and feature set. b. Evaluate other network devices that may be necessary, such as routers, switches, or wireless access points. 3. Plan and design the SD-WAN architecture: a. Create a network topology sketch detailing how all sites will be interconnected. b. Plan where the SD-WAN controllers (e.g., FortiManager and FortiAnalyzer) will be deployed, if necessary. c. Define branch office connectivity: you can choose between Hub and Spoke, Partial Mesh or Full Mesh topologies based on your requirements. 4. Configure Primary and Backup internet connectivity at each site: a. Set up dual WAN connections on the Fortigate device at each site. b. Configure primary and backup VLANs, IP addresses, and gateways. c. Use link health monitoring features like link monitoring or ping probes to detect ISP outages and automatically switch to the backup link. d. Configure load balancing and failover options as required, such as policy-based routing or Equal-cost multi-path (ECMP). 5. Enable the SD-WAN features at the Fortigate devices: a. Enable the SD-WAN option in the Fortigate devices. b. Add member interfaces (i.e., primary and backup internet links) to the SD-WAN interface. c. Create health check policies to monitor the quality of the WAN links and take appropriate actions when issues are detected. d. Configure load balancing and prioritization policies. 6. Establish secure connectivity between sites: a. Set up site-to-site VPN connections (IPsec or SSL) between the Fortigate devices at each site. b. Create appropriate routing policies and firewall rules to allow traffic between sites. c. Leverage SD-WAN capabilities like Forward Error Correction (FEC), Quality of Service (QoS), and Traffic Shaping to optimize application performance across the VPN connections. 7. Monitoring and management: a. Configure logging and reporting on each Fortigate device for visibility into network usage and performance. b. Use FortiManager and FortiAnalyzer to centrally manage and monitor all Fortigate devices. c. Establish routine maintenance plans to ensure Fortigate devices are up-to-date with the latest features, bug fixes, and security patches. 8. Implement security features on the Fortigate SD-WAN network: a. Enable features like intrusion prevention system (IPS), antivirus, application control, and web filtering. b. Create security policies for traffic flow between sites and internet destinations. c. Implement two-factor authentication (2FA) for remote administration access. By following these steps, you can set up a reliable, secure, and efficient Fortigate SD-WAN network to support backup internet and inter-site connectivity. The implementation may vary depending on the complexity of the network, but this guide should provide a good starting point for most cases.