Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Multiple Datacenters for Enterprise (primary/secondary)

    Home FortiManager 7.4.0 Multiple Datacenters for Enterprise (primary/secondary)
    7.4.0
    7.4.0
    7.2.0

    Adaptive FEC

    Adaptive FEC

    Following is a summary of configuring adaptive FEC:

    1. Define the service that FEC will protect. See Defining a custom service.
    2. Define the FEC mapping to specify how many parity bits are sent based on different packet loss conditions. See Defining FEC mappings.
    3. Enable FEC on both HUB VPN phase 1 interfaces. See Enabling FEC for hub devices.
    4. Enable FEC on both branch VPN tunnels. See Enabling FEC on branch devices .
    5. Create policies for hub and branch devices, and install the policy packages. See Creating policies and installing policy packages.

    Defining a custom service

    Define the service that FEC will protect. In this example we will define a custom service.

    To define a custom service:
    1. Go to Policy & Object > Object Configurations > Firewall Objects > Services.
    2. Click +Create New > Service.
    3. Specify the name of the service, the protocol and the ports, and click OK to save the service.

    Defining FEC mappings

    Define the FEC mapping to specify how many parity bits are sent based on different packet loss conditions.

    To define FEC mappings:

    1. From the left side menu, expand Policy & Objects and select Advanced.

    2. Select CLI Configurations from the top menu.

    3. In the Search box, type fec. The vpn ipsec fec menu will appear.

    4. Click Create New. The create vpn ipsec fec mapping pane is displayed.

    5. In the Name box, type dc_fec.

    6. Under mappings, click Create New. The Create New vpn ipsec fec mappings pane is displayed.

    7. Set the following options, and click OK to create the mapping:

      base 8
      packet-loss-threshold 5
      redundant 2

      The mapping is created.

    8. Under mappings, click Create New again to create another mapping.
    9. Set the following options, and click OK to create the mapping:

      base5
      packet-loss-threshold10
      redundant2

    10. Click OK to save the object with two mappings.

    Enabling FEC for hub devices

    Enable FEC on both HUB VPN phase 1 interfaces.

    To enable FEC for hub devices:

    1. Go to Device Manager > Provisioning Templates > IPsec Tunnel.

    2. Double-click the Primary_secondary_dual_hub_HUB1_IPsec template to open it for editing.

    3. Select VPN1, and click Edit.

    4. Scroll down to and expand Advanced Options.

    5. Set the following options:

      fec-mapping-profile dc_fec
      fec-egress enable
      rec-ingress enable

    6. Click OK to save the changes.

    7. Repeat the same steps for VPN2.

    8. Repeat steps 2 through 7 for the Primary_secondary_dual_hub_HUB2_IPsec template.

    Enabling FEC on branch devices

    Enable FEC on both branch VPN tunnels.

    To enable FEC on branch devices:

    1. From IPsec Tunnel templates, double-click the Primary_secondary_dual_hub_BRANCH_IPsec template to open it for editing.

    2. Double-click HUB1-VPN1 to open it for editing.

    3. For FEC Health Check, enter HUB1_HC.

    4. Scroll down and expand Advanced Options.

    5. Set the following options, and click OK.

      fec-mapping-profile dc_fec
      fec-egress enable
      rec-ingress enable

    6. Repeat for HUB1-VPN2.

    7. Double-click HUB2-VPN1 to open it for editing.

    8. For FEC Health Check, enter HUB2_HC.

    9. Scroll down and expand Advanced Options.

    10. Set the following options and click OK:

      fec-mapping-profile dc_fec
      fec-egress enable
      rec-ingress enable

    11. Repeat for HUB2-VPN2.

    Creating policies and installing policy packages

    Create policies for the hub and branch devices for the custom application, and then install the policy packages to the devices.

    To create policies and install policy packages:
    1. Create a policy for the HUB policy package:
      1. Go to Policy & Object > Policy Packages > HUB > Firewall Policy, and click +Create New.
      2. Set the following options, and click OK.

        NameCustom App Policy
        Incoming InterfaceVPN1, VPN2
        Outgoing InterfaceLAN

        Pv4 Source Address

        Branch network

        Pv4 Destination Address

        Datacenter LAN1

        Service

        CustomApp-5000

        Action

        Accept

        Advanced Options

        fec enabled

      3. Move this policy under the SLA-HealthCheck policy.
    2. Create a policy for the branches policy package:
      1. Go to Policy & Object > Policy Packages > Branches > Firewall Policy and click +Create New.
      2. Set the following options, and click OK.

        NameCustom App Policy
        Incoming InterfaceLAN
        Outgoing Interface

        HUB1, HUB2

        Pv4 Source Address

        Branch network

        Pv4 Destination Address

        Datacenter LAN1

        Service

        CustomApp-5000

        Action

        Accept

        Advanced Options

        fec enabled

      3. Move this policy under the Health Check Access policy.
    3. Install both HUB and Branch policy packages.
    Previous
    Next

    Adaptive FEC

    Adaptive FEC

    Following is a summary of configuring adaptive FEC:

    1. Define the service that FEC will protect. See Defining a custom service.
    2. Define the FEC mapping to specify how many parity bits are sent based on different packet loss conditions. See Defining FEC mappings.
    3. Enable FEC on both HUB VPN phase 1 interfaces. See Enabling FEC for hub devices.
    4. Enable FEC on both branch VPN tunnels. See Enabling FEC on branch devices .
    5. Create policies for hub and branch devices, and install the policy packages. See Creating policies and installing policy packages.

    Defining a custom service

    Define the service that FEC will protect. In this example we will define a custom service.

    To define a custom service:
    1. Go to Policy & Object > Object Configurations > Firewall Objects > Services.
    2. Click +Create New > Service.
    3. Specify the name of the service, the protocol and the ports, and click OK to save the service.

    Defining FEC mappings

    Define the FEC mapping to specify how many parity bits are sent based on different packet loss conditions.

    To define FEC mappings:

    1. From the left side menu, expand Policy & Objects and select Advanced.

    2. Select CLI Configurations from the top menu.

    3. In the Search box, type fec. The vpn ipsec fec menu will appear.

    4. Click Create New. The create vpn ipsec fec mapping pane is displayed.

    5. In the Name box, type dc_fec.

    6. Under mappings, click Create New. The Create New vpn ipsec fec mappings pane is displayed.

    7. Set the following options, and click OK to create the mapping:

      base 8
      packet-loss-threshold 5
      redundant 2

      The mapping is created.

    8. Under mappings, click Create New again to create another mapping.
    9. Set the following options, and click OK to create the mapping:

      base5
      packet-loss-threshold10
      redundant2

    10. Click OK to save the object with two mappings.

    Enabling FEC for hub devices

    Enable FEC on both HUB VPN phase 1 interfaces.

    To enable FEC for hub devices:

    1. Go to Device Manager > Provisioning Templates > IPsec Tunnel.

    2. Double-click the Primary_secondary_dual_hub_HUB1_IPsec template to open it for editing.

    3. Select VPN1, and click Edit.

    4. Scroll down to and expand Advanced Options.

    5. Set the following options:

      fec-mapping-profile dc_fec
      fec-egress enable
      rec-ingress enable

    6. Click OK to save the changes.

    7. Repeat the same steps for VPN2.

    8. Repeat steps 2 through 7 for the Primary_secondary_dual_hub_HUB2_IPsec template.

    Enabling FEC on branch devices

    Enable FEC on both branch VPN tunnels.

    To enable FEC on branch devices:

    1. From IPsec Tunnel templates, double-click the Primary_secondary_dual_hub_BRANCH_IPsec template to open it for editing.

    2. Double-click HUB1-VPN1 to open it for editing.

    3. For FEC Health Check, enter HUB1_HC.

    4. Scroll down and expand Advanced Options.

    5. Set the following options, and click OK.

      fec-mapping-profile dc_fec
      fec-egress enable
      rec-ingress enable

    6. Repeat for HUB1-VPN2.

    7. Double-click HUB2-VPN1 to open it for editing.

    8. For FEC Health Check, enter HUB2_HC.

    9. Scroll down and expand Advanced Options.

    10. Set the following options and click OK:

      fec-mapping-profile dc_fec
      fec-egress enable
      rec-ingress enable

    11. Repeat for HUB2-VPN2.

    Creating policies and installing policy packages

    Create policies for the hub and branch devices for the custom application, and then install the policy packages to the devices.

    To create policies and install policy packages:
    1. Create a policy for the HUB policy package:
      1. Go to Policy & Object > Policy Packages > HUB > Firewall Policy, and click +Create New.
      2. Set the following options, and click OK.

        NameCustom App Policy
        Incoming InterfaceVPN1, VPN2
        Outgoing InterfaceLAN

        Pv4 Source Address

        Branch network

        Pv4 Destination Address

        Datacenter LAN1

        Service

        CustomApp-5000

        Action

        Accept

        Advanced Options

        fec enabled

      3. Move this policy under the SLA-HealthCheck policy.
    2. Create a policy for the branches policy package:
      1. Go to Policy & Object > Policy Packages > Branches > Firewall Policy and click +Create New.
      2. Set the following options, and click OK.

        NameCustom App Policy
        Incoming InterfaceLAN
        Outgoing Interface

        HUB1, HUB2

        Pv4 Source Address

        Branch network

        Pv4 Destination Address

        Datacenter LAN1

        Service

        CustomApp-5000

        Action

        Accept

        Advanced Options

        fec enabled

      3. Move this policy under the Health Check Access policy.
    3. Install both HUB and Branch policy packages.
    Previous
    Next