Security Fabric over IPsec VPN

This is an example of configuring Security Fabric over IPsec VPN.

Sample topology

This sample topology shows a downstream FortiGate (HQ2) connected to the root FortiGate (HQ1) over IPsec VPN to join Security Fabric.

Sample configuration

To configure the root FortiGate (HQ1):
  1. Configure interface:
    1. In the root FortiGate (HQ1), go to Network > Interfaces.
    2. Edit port2:
      • Set Role to WAN.
      • For the interface connected to the Internet, set the IP/Network Mask to
    3. Edit port6:
      • Set Role to DMZ.
      • For the interface connected to FortiAnalyzer, set the IP/Network Mask to
  2. Configure the static route to connect to the Internet:
    1. Go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
      • Set Destination to
      • Set Interface to port2.
      • Set Gateway Address to
    2. Click OK.
  3. Configure IPsec VPN:
    1. Go to VPN > IPsec Wizard.
      • Set Name to To-HQ2.
      • Set Template Type to Custom.
      • Click Next.
      • Set