Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Azure vWAN SD-WAN NGFW Deployment Guide

    Home FortiGate Public Cloud 7.4.0 Azure vWAN SD-WAN NGFW Deployment Guide
    7.4.0
    7.6.0
    7.4.0
    7.2.0

    Dynamic rerouting

    Appendix C - Dynamic rerouting

    The FortiGate SD-WAN solution in Azure vWAN Hubs is designed for two active FortiGates. It is recommended for each FortiGate to have at least one tunnel to every branch device. If the branch device has multiple ISPs, it is recommended to have one tunnel per ISP that terminates on each of the FortiGates in Azure VWAN hub.

    Azure Routing Intents policy for internal and SD-WAN traffic forwards all RFC 1918 destinations to the FortiGates through an Azure load balancer floating IP address. The load balancer only validates that the FortiGate is responsive to probes, but does not validate that a specific tunnel or route is enabled through the FortiGate. As a result, if all tunnels to a specific branch fail through one of the FortiGates, it’s possible for outbound traffic to the branch to be dropped by one FortiGate, but not the other. This appendix offers a solution to dynamically reroute traffic from one FortiGate to the other FortiGate in such a scenario.

    Note

    If you have changed the default route in any way, review About the dynamic rerouting solution before deploying the CLI scripts. The scripts assume a 0.0.0.0/0 route through port1 of each FortiGate provided by DHCP with an Administrative Distance of 5, which reflects the FortiGates configuration at time of deployment.

    The following diagram shows how outbound traffic is dropped by Hub 1 and doesn't reach the branch device.

    When the solution described in this appendix is implemented, traffic dynamically reroutes from one FortiGate to the other FortiGate and out to the branch device.

    This section includes the following topics:

    Previous
    Next

    Dynamic rerouting

    Appendix C - Dynamic rerouting

    The FortiGate SD-WAN solution in Azure vWAN Hubs is designed for two active FortiGates. It is recommended for each FortiGate to have at least one tunnel to every branch device. If the branch device has multiple ISPs, it is recommended to have one tunnel per ISP that terminates on each of the FortiGates in Azure VWAN hub.

    Azure Routing Intents policy for internal and SD-WAN traffic forwards all RFC 1918 destinations to the FortiGates through an Azure load balancer floating IP address. The load balancer only validates that the FortiGate is responsive to probes, but does not validate that a specific tunnel or route is enabled through the FortiGate. As a result, if all tunnels to a specific branch fail through one of the FortiGates, it’s possible for outbound traffic to the branch to be dropped by one FortiGate, but not the other. This appendix offers a solution to dynamically reroute traffic from one FortiGate to the other FortiGate in such a scenario.

    Note

    If you have changed the default route in any way, review About the dynamic rerouting solution before deploying the CLI scripts. The scripts assume a 0.0.0.0/0 route through port1 of each FortiGate provided by DHCP with an Administrative Distance of 5, which reflects the FortiGates configuration at time of deployment.

    The following diagram shows how outbound traffic is dropped by Hub 1 and doesn't reach the branch device.

    When the solution described in this appendix is implemented, traffic dynamically reroutes from one FortiGate to the other FortiGate and out to the branch device.

    This section includes the following topics:

    Previous
    Next