Thanks! Yes I do plan on keep doing videos! Fun fact, I didn’t know the difference between numbered and unnumbered tunnel interface when I did the video. I only knew one way of doing them… Yes one day I’ll do a video on those 2 tunnel interface vpn

Hum, good one. What are you trying to achieve? I’m trying to find a use case fit it

Should I abandon lb/fail over groups in favor of sd wan for my two wan connection ?

Hum. Good one. Are you using SDWAN for ALL traffic going to the wan? In the video I use it only for office 365 (or maybe just teams, I don’t recall) in that case, SDWAN only applied to office 365. So I would keep the failover setting for everything else.

@@JeanPierTalbot Thanks for the reply. Not using SDWAN for all LAN to WAN traffic, just one cloud app like your example. Question is, does Fail Over conflict with SDWAN? I am wondering if both should be used together or if SDWAN should replace Failover.

@@KT-hx2ul I dont see SDWAN replacing the global failover setting. SDWAN will kickin for the specific stuff you have set and everything else will fall under the basic failover.

They are pretty much the same. Both are a site to site vpn using same encryption. Tunnel interface, as the name states, the vpn is an interface. Giving you more flexibility in regards of static/dynamic routing and SDWAN. Where standard vpn can’t participate in those.

Yeah, I could. Eventually. Working on a few videos now: capture atp and wireless

@@JeanPierTalbot great

Never tried it. I usually remove the fortinet in my day to day job :-) Not sure it will work. You need to create 2 or more tunnel interface VPN. Not sure how/if you can do that on fortinet. If you can get the fortinet to build tunnel interface vpns, then you can get SDWAN to route traffic on those vpn interfaces.

Thanks Ken! Glad you learned a lot with my videos! Yes NSM has a SDWAN thing to do what you want. To be honest, I never tried it. It would require me multiple firewall each having multiple ISP. That would be a pretty big/cable messy lab :-)

@@JeanPierTalbot thank you for taking time to reply! I'll look into NSM!

I’m not fully sure what you are trying to achieve, but if you want SDWAN to check which internet line is the best to reach an external ip, it can be done. It will be similaire to the portion I did on teams.

It’s the same process, a second time for a second site

Best would be to change subnet so they don’t overlap anymore. Otherwise you can do 1 to 1 NAT in your tunnel So if the subset is 192.168.1.0 on both side, you will kind of have a fake subnet in the VPN. So when you ping 10.10.10.123, it will be NATed to 192.168.1.123

Hi Raj! You definitely can do split tunnel on site to site vpn. If you edit you vpn, under network menu you will see what networks are connected. If I had to take a guess, I would bet the issue is your NAT and that it also takes traffic that destination is the WAN into your site to site vpn NAT rule. Ensure no objects contains 0.0.0.0. (That’s for tunnel all) That’s something you can call support about. They are amazing. Wait time is pretty much always less than 5 minutes.

Thanks for the feedback. Yes you can download a 30 days trial if the virtual firewall for hyper-V or ESXi

LOL give me your address, I’ll ship you a few

Yes, that’s what I do in this vifeo

it's not something I have tested. but I believe SDWAN will not work with standard VPN. SDWAN needs 2 or more routes to get to the same destination. I believe you cannot do 2 standard VPN going to the same place. so that might require to switch to tunnel interface.

@@JeanPierTalbot okay. Thank you. I'll have to figure out what that change entails

@@cavj1111 backup the config on both firewall, delete the standard VPN and create a tunnel interface VPN. if that does not work and you are out of time, restore the configs you saved...

You would need to create 2 vlans in your wireless link. One for each wan to bring isp1 to site 2 and isp2 to site one. Then create isp1 vlan as wan on firewall 2 and isp2 on vlan as a wan on firewall1

You can have interfaces only in one SD-WAN group, yes. But you CAN create multiple SD-WAN policies using the same group of Sdwan interfaces.

@@JeanPierTalbot but trying to build a site to site networks sdwan will not replace ipsec site to site. When you need all 5 offices talking to one another

Yes you can do VPNs with dynamic ip. I have seen many setup where the remote location has a dynamic IP and the head office has a static. It works great if it’s the remote location users that needs to access ressources in the head office. So the firewall with the dynamic ip is the one initiating a vpn to the fix it. And yes you can add SDWAN on top

Email is visible on my monitor at the very beginning of the video.