I am testing failover, but not seeing how the SLA would interact with the manual static routes I added. Do I need to leave both static default routes and delete them and let the SLA add and remove them automatically?
@KikiNation1 2 years ago
I'm still relatively new to the whole SDWAN stuff ... so this was an extremely useful video. Thank you!
@Schumdog1 4 years ago
Nice video, I just implemented SD wan with three WAN links, it works very well and much neater than policy routes to specify where the traffic goes, another amazing benefit is the redundancy that is completely worry-free and automated now.
@slimaneb2070 3 months ago
Seriously, your videos are spot on. Thank you so much!
@yulaw3289 3 years ago
Great video about SD-WAN, please make more. Thank
@ciscco3750 2 years ago
SD-something traditionally means control plane and data plane separation, one of the main pillars of SDN. In Fortinet solution, control plane and data plane are not separated. This means that Fortinet solution is just a mechanism of automated policy-based traffic distribution between WAN links. All the features of SDWAN (ZTP, ABR, visibility and automation, etc) existed before SDWAN. But this doesn't mean that we should call them SDWAN now.
@frankvanschijndel9080 4 years ago
Mike, absolutely like this video. Plan to upgrade all branch offices around Europe someday to 6.4.(something), get SD-WAN to work on every site and manage it from our DC. Just waiting to get this one stable enough to use it for production. Can't wait on your next more advanced SD-WAN videos. Cheers!
@mohammedmustafaali1049 4 years ago
Really cool video, would love to see IPsec implementation on top of SDWAN, that would be a very cool topic. Thanks
@JoeyGarcia 4 years ago
I agree!! That would be cool!
@olabodemakanjuola5265 2 years ago
Thank you so much👍...this is quite intuitive and simple to understand
@Nsadheo 2 years ago
@ 7:07 - "If the fibre link had to fail it wouldn't use that policy it would use the link that's still existing." So if it wouldn't make use of the SD-WAN rule 1 then what would hosts on the PRUETT_LAN make use of then?
@BANZAI-tu7yv 4 years ago
love this channel godmanit
@reanitkhmer3325 2 years ago
Really appreciated your video. Thanks
@FortinetGuru 2 years ago
You are welcome!
@misubear 3 years ago
Very well explained Mike! Much more helpful than Fortinet documentation.
@benizraadacudao3020 2 years ago
Great video bro!
@derasnan 2 years ago
Hey Mike. Bit of a blast from the past, but, great vid! Just set this up on my home network with 7.2, which looks and works very similarly. Have you played with 7.2 much yet?
@jong7322 4 years ago
Good video! We use SD-WAN simply as a fail-over between two WAN connections on 6.0.9. SSLVPN and site-to-site tunnels are tied to the IPs, and it doesn't seem to let you tie them to the virtual SD-WAN interface instead, so when primary goes down, so do the tunnels, but internet for the office stays up! Maybe you know a better way around this? Do you have any guides on how to implement split-tunneling for SSLVPN traffic? I found the cookbook to be kind of lacking.
@shawngeen5657 4 years ago
I posted above as well but wanted to let you know that we use SD-WAN as failover between two wan connections running 6.0.9 same as you do. We have IPSec site to site connections as well. We use sslvpn on the head end HQ fortigate but decided to not use the split tunnel as we wanted to make sure all traffic goes out through the head end internet connection so it can be inspected and reported on. I guess it was deemed a security issue with split tunnel I guess. I wonder if Fortinet will release a build for 6.0 SD-WAN so we can use zones in this same fashion as 6.4. Hopefully they will.
@kimberly3052 4 years ago
Thanks for the video! I'd love to see some more about IPsec and IKE maybe? I'm learning for my NSE 4 :)
@javig.5213 2 years ago
Excellent video! Keep up the great work. Question...is there a good reason to implement SD-Wan over one internet connection. I mean, if you can't use "policy" to send traffic to different links, what's the use? Thoughts?
@FortinetGuru 2 years ago
I only deploy SD-WAN if I have multiple paths to the same destination. For instance, multiple internet links for default routes, IPSEC tunnels over multiple circuits to the same destination, MPLS etc.
@srvmotoman 4 years ago
This is fantastical! Thank you!
@Philliprgarcia 5 months ago
Question, if I want to set up a fortigate firewall and switch for my home network do I need to get enterprise grade internet to get the gateway IP, WAN IP etc?
@Alk3fan22 4 years ago
Hey Mike! Fantastic video! I had no idea what SD WAN meant before watching this video. Can you expand on how this eliminates the needs for a private line or MPLS network? You mentioned a business can purchase a consumer grade link instead. Thanks for the info!
@padge4112 4 years ago
Generally SD-WAN devices will form auto VPN tunnels between each other allowing secure site to site communication over the internet that traditionally you'd get with MPLS/private lines. This could also be achieved with traditional gear on internet lines but requires large amounts of configuration for each new site and can become complex to manage.
@drawingtest-z5o 6 months ago
Is it possible that I can use the other WAN for usage of specific windows server?
@The79Bomb 2 years ago
So, if the preferred link goes down the implicit rule catches the traffic and routes said traffic out the other link?
@FortinetGuru 2 years ago
Yup.
@LucSVK 4 years ago
Hey, if you don't recommend 6.4 for production environment (is it true even now with 6.4.3?) and you hate 6.2, what version do you use for client installations? Btw, very good video. Thanks a lot.
@SureshotCyclonus 4 years ago
I am very curious about this as well.
@firewalllife 4 years ago
Great Explanation....
@ibrahimsobhy358 2 years ago
Why do you not do a full explanation of FortiGate as a full series?
@cankitchourasia 4 years ago
Great video!! I heard you saying that you don't have FortiGuard or UTM. Doesn't that mean that the unit doesn't receive latest definitions?
@eltonribeiro5479 2 years ago
Thanks for the video. What FortiGate model with an affordable price tag would you advise to someone (just trying to learn firewall for the 1st time) for a home network with up to 3-4 people with access to the network?
@Alex-un5tl 3 years ago
Thanks a lot for the great video!
@faheemahsan672 4 years ago
Fantastic and awesome video! Would you please differentiate the SDWAN solution of Fortigate with Cisco Meraki? As many of the customers are buying the SD-WAN solution of Cisco Meraki rather than Fortigate. Please do correct me if I’m wrong.
@FortinetGuru 4 years ago
Meraki is a better SD WAN product. I will do a comparison video of the features and pros/cons
@RaviChinasamy 4 years ago
@FortinetGuru you really should.
@JabbaDG 4 years ago
Very informative video. Thank you
@80andybrown80 3 years ago
Is it possible to add SD WAN to an existing configuration if I get a second link?
@akant74 4 years ago
How are your static routes set up? Do you point your default to the new sd-wan group name? Or just double static routes each provider interface? If the latter, when would you ever route the newly created SD-WAN zone?
@FortinetGuru 4 years ago
My static route goes to the SDWAN interface. The zones group the interfaces from there.
@chrism589 1 year ago
OK, so external interface names replaced with SDWAN names, easy enough for routing traffic out. With incoming traffic just replace the external interface name with SDWAN too?
@sandman_9224 4 years ago
If you are using sd wan, would you still use ipsec tunnel?
@Wisdomisgood448 3 years ago
Hey man! Great video. Question for you - is it possible to use FortiExtender inside SD-WAN as a backup IPsec tunnel? Typically IPsec tunnel requires static IP's for the respective peer, since FortiExtender, through LTE Providers, gives you random IP's I was wondering if it's possible or in order to have a backup Ipsec tunnel inside SD-WAN it must be a dedicated circuit with a static IP as well?
@FortinetGuru 3 years ago
Any interface can be an sdwan member
@TechDais 4 years ago
Can you upload the video showing how to use public IPs bound with internet connection while we are using by dialing PPPoE connection?
@tejam1389 3 years ago
Hi, I have two point-to-point MPLS tunnels. Can I use them as active-active, like load balancing between the two tunnels, using SD-WAN?
@shawngeen5657 4 years ago
Great video as always👍. We use SD-WAN as failover between two wan connections running 6.0.9 as well. We have IPSec site to site connections as well. We use sslvpn on the head end HQ fortigate but decided to not use the split tunnel as we wanted to make sure all traffic goes out through the head end internet connection so it can be inspected and reported on. I wonder if Fortinet will release a build for 6.0 SD-WAN so we can use zones in this same fashion as 6.4 or are we stuck? Thoughts?
@kitkat0981 4 years ago
That won’t happen. Better upgrade to 6.2.3. Sdwan in 6.0 is glorified ECMP... 6.2.3 is better. Deployed for police station where I work. You can also use sdwan for private IPSec over mpls with ospf and aggregate multiple IPSec tunnels. Try it out in a virtual lab using EVE-NG... works like a charm...
@JoeyGarcia 4 years ago
Hey Mike! So...it's been months since video and 6.4 is up to 6.4.4 now, would you consider it stable for production now?
@MyGutFeeling_ 4 years ago
Before SDWAN I used Policy Routes to route specific traffic out of the correct interface. I'm wary of deleting the policy routes directing traffic out to the Internet at present due to the number of remote addresses we need access to. How would you manage this? Just let SDWAN rules dictate flow of traffic, or use combo of SDWAN and Policy routes as I am doing now? Caveat: Some remote connections are only accepting connections from one of our WAN IP addresses
@FortinetGuru 4 years ago
If you have your SD WAN rules proper it won’t be an issue. Disable the policy routes during a maintenance window for testing.
@MyGutFeeling_ 4 years ago
@FortinetGuru Great, thanks for replying Mike
@harrylumsdon6773 3 years ago
Where can we purchase shirt?
@FortinetGuru 3 years ago
I don’t think Fortinet would like that very much. I might be able to give some away.
@vinray8781 3 years ago
Hi, how can you force traffic like youtube in SD-WAN in WAN1 and if WAN1 fails it will never go to WAN2? Thank you
@xander116 3 years ago
Looking for a solution too on FortiOS v7. For example to not allow guest vlan traffic to internet when one of the WAN links is down. Did you find a solution yet?
@vinray8781 3 years ago
@xander116 on sd-wan rule use manual strategy and select your primary internet only
@profetaII 4 years ago
Is it possible to do a site-2-site pointing to the sd wan? We only can point to one of the public ip address right?
@FortinetGuru 4 years ago
Your tunnels terminate on the actual interfaces that are a member of the SDWAN. In 6.4 you could throw your IPSEC interfaces into their own SDWAN zone and have separate rules and SLAs for them.
@kieranwilliams3052 3 years ago
How hard is it to convert to a SD-WAN setup from traditional on 6.2 or do you recommend to upgrade to 6.4 and do from there.. Need to convert a site to SD-WAN which just got a second ISP.
@FortinetGuru 3 years ago
Not bad. Schedule maintenance window. Create sdwan zone. Add members. Update policies. I do recommend doing 6.4.6 if you jump to sdwan so you can have sdwan zones.
@nathaniellagos6321 3 years ago
How can I set up the priority of my SD-WAN members if I only wanted my Wan1 (Fiber) to be active and my Wan2 (Coax) to be failover? I swear the functionality was on my FG GUI during version 6.2 or 6.0 I believe.
@cheegheehong 3 years ago
How to define sd-wan with IPSec VPN tunnel use Dual WAN-links?
@Llaves2625 3 years ago
Hey! Hope you're doing fine my friend! I like your videos! I want to ask you if you can show some topologies of designs about what you are explaining or configuring in the next videos. I think that would be better to understand the technology or solution that you're talking about. Tks!
@damonaniton 4 years ago
How expensive is Fortinet when it comes to the licensing fees for their firewalls? I was strongly considering going Palo Alto because that is what I use for work but the cost to license them is crazy.
@FortinetGuru 4 years ago
Roughly 25-30% the cost of the device is a good estimate. So if you spend 1000 on the fortigate you can expect 250-350 for annual support.
@BobbyBike 3 years ago
From 6.4.x series, beware of 6.4.5 Fortigate Issue 672925, titled: "Traffic cannot pass through IPsec tunnel after being offload to NPU." Causes some issues mainly with ESP packets inside such IPSec (tunnel in tunnel... I know). 6.4.4 is stated to be free of this defect, the fix is supposed to be in 7.0. I still see 6.4.x series being very buggy.
@iansnyder1310 4 years ago
Thanks for the video! I was wondering if you had any plans to create a video going into detail on your firewall policy rules? I see a lot of content on very basic policy (internal -> wan allow any any) but not much demonstrating more granular setups, using specific applications or services. I'd like to experiment with a whitelist based firewall policy without pissing off my wife too much (we both work from home at the moment).
@FortinetGuru 4 years ago
Videos will be increasing in specificity and complexity. I am trying to get a lot of the basic things out of the way for folks. The goal is to build a strong foundational knowledge so we can build upon that and folks understand the why as well as the how. This way when things go crazy they can accurately troubleshoot.
@iansnyder1310 4 years ago
@FortinetGuru Coming from someone who is taking security+ on Saturday and just got his hands on a 60F a few weeks ago. I appreciate this approach.
@AlainSylvestre 4 years ago
We use sd-wan for windows update using the slow link.
@JoeyGarcia 4 years ago
What version of the OS?
@AlainSylvestre 4 years ago
@JoeyGarcia 6.2
@JoeyGarcia 4 years ago
@AlainSylvestre Thanks! We're still running 6.0.11 (or something like that) due to compatibility reasons with other VPN links, but plan to be upgrading to 6.2 soon or maybe just jump to 6.4 if it's ready for production
@mak_ulet 4 years ago
I'm using Fortigate 60E. There's only SD-WAN and not SD-WAN Zone. Is this something to do with Firmware version? I'm using v6.0.4 build0231.
@YTRedMan 3 years ago
You have to upgrade your firmware to 7.0.1 or 6.4.5
@blackshelbygt500kr 4 years ago
I recently set up Zones after watching your Zones video. My WAN interface is not visible when trying to set up an SD WAN Zone. Is there any way around this? I was going to play around with the SLAs just to keep an eye on the performance of my line.
@FortinetGuru 4 years ago
All references need to be removed before you can place it in a zone or sdwan interface. Chances are your internal to wan policies are still there.
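
One way to find the leftover references mentioned in the reply above before moving an interface into SD-WAN, as an added example (not from the video or its author): the function scans a FortiOS configuration backup for `set` lines that name the interface. The sample configuration is constructed, and `find_references` is a hypothetical helper name.

```python
import shlex

# Constructed sample in FortiOS backup syntax; not taken from a real device.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set mode dhcp
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "internal"
        set dstintf "dmz"
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
"""

def find_references(config_text, interface):
    """Hypothetical helper: list (section, entry, setting) for every
    'set' line whose value names the interface."""
    refs, sections, entries = [], [], []
    for raw in config_text.splitlines():
        try:
            words = shlex.split(raw)
        except ValueError:  # skip lines of multi-line quoted values
            continue
        if not words:
            continue
        if words[0] == "config":            # entering a (possibly nested) section
            sections.append(" ".join(words[1:]))
            entries.append(None)
        elif words[0] == "end" and sections:
            sections.pop()
            entries.pop()
        elif words[0] == "edit" and entries:
            entries[-1] = words[1]
        elif words[0] == "set" and sections and interface in words[2:]:
            # report the top-level section and entry that hold the reference
            refs.append((sections[0], entries[0], words[1]))
    return refs
```

Each tuple returned is an object (here a firewall policy and a static route) that still points at the interface and has to be changed or removed first.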
@brian10jones 4 years ago
No FortiAPs?
@FortinetGuru 4 years ago
I run unifi at the house
@DannyMaas 4 years ago
So, changed your mind about SD-WAN? it's pretty easy on a Fortigate. ;-)
@FortinetGuru 4 years ago
Just now getting to where I like it
@richcarroll4587 2 years ago
the cable modem had ping variation of 2ms why you talking crap about it.
@misubear 4 years ago
Love the tshirt! So true. You should start selling them.
@joellemorris5684 3 years ago
Thanks for all your great tutorials. I would like to know the kind of SD-WAN Fortinet is actually offering. In light of the video: kzbin.info/www/bejne/b33bZWN7f8mHi5Y, will you say that SD-WAN your Fortigate 8-E works based on Aggregation or Bonding?