SD-WAN with MPLS VPN - sanity check

Just hoping for a sanity check on some upgrades I am planning for a network I inherited. Currently every branch (about 30 of them) has a Cisco ISR connected to a SonicWall functioning as an inline firewall. We have an ordinary business-grade broadband line and an L2 MPLS VPN (connected to the Cisco) at every site. Traffic from/to company endpoints is routed through the MPLS to the HQ where we have a fancy SIEM/IDS/IPS and a DIA line (as well as a LAN segment with some services). I want to ditch Cisco and SonicWall and replace them with a Fortigate.

Current branch setup:

Cisco ISR <> SonicWall <> WAN
    ^
    v
MPLS VPN to HQ

Proposed setup:

Fortigate <> WAN
      ^
      v
MPLS VPN to HQ

My thought is to create two SD-WAN zones, one with the local WAN interface and another with the MPLS interface. That way I can set up separate firewall policy for each.

I’ll also have the following SD-WAN rules for each situation:

Corporate LAN: "manual" mode
    member1: MPLS to HQ
    member2 (only selected if we can't ping out MPLS): WAN

VOIP: "Best Quality" mode
    member1: WAN
    member2: MPLS to HQ

Guest/BYOD nets: "manual" mode
    member1 (always selected): WAN

There will also be OSPF coming over the MPLS (first hop can be a static route).

My main question (assuming I’m not way off track) is where does the IPsec VPN for backup fit into all of this? Should it be its own SD-WAN zone or a member of the MPLS zone?

Also, any considerations I should be aware of are greatly appreciated.

The backup VPN IPsec interface tunnel should stay in the same zone you added the MPLS interface to. Then you can create your SD-WAN rules to define which applications or source/destination IPs should use each of those interfaces, what SLAs are acceptable, and which interface is preferred based on source/destination…
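The design from the question, with the backup IPsec tunnel placed in the MPLS zone as this reply suggests, written out as FortiOS CLI. This is an added example, not configuration from the thread; the interface names (wan1, mpls, hq-ipsec), the address objects (corp-lan, voip-phones, guest-lan, which must already exist), the MPLS first hop 10.255.0.1 and the probe target 198.51.100.20 are assumed placeholders, and the probe target is assumed to be reachable both directly over the broadband line and via HQ.

```fortios
config system sdwan
    set status enable
    config zone
        edit "wan-zone"
        next
        edit "mpls-zone"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "wan-zone"
        next
        edit 2
            set interface "mpls"
            set zone "mpls-zone"
            set gateway 10.255.0.1
        next
        edit 3
            set interface "hq-ipsec"
            set zone "mpls-zone"
        next
    end
    # one probe shared by all members; a member that fails it is skipped by every rule
    config health-check
        edit "probe"
            set server "198.51.100.20"
            set members 1 2 3
        next
    end
    config service
        edit 1
            set mode manual
            set src "corp-lan"
            set priority-members 2 3 1
        next
        # "Best Quality" in the GUI is priority mode: lowest-latency live member wins
        edit 2
            set mode priority
            set health-check "probe"
            set src "voip-phones"
            set priority-members 1 2
        next
        edit 3
            set mode manual
            set src "guest-lan"
            set priority-members 1
        next
    end
end
```

Apply this before any firewall policy or static route references wan1, mpls or hq-ipsec, and write the policies against wan-zone and mpls-zone rather than the member interfaces.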

So we have a similar setup to what you’re referencing. So in this example, let’s say WAN1 is your standard non-MPLS internet connection.

Under VPN → IPsec Tunnels, there is a VPN tunnel to the FG at our data center. The VPN tunnel is bound to the WAN1 interface.

If you look at Network → Interfaces, you’ll see that WAN1 has a Tunnel Interface for the ADVPN tunnel mentioned above.

Network → Interfaces: Create a Zone “ADVPN” which has the ADVPN tunnel interfaces as members.

Use the zone in your policies.

Make sense?

It is also worth noting that if an interface is referenced by a routing or firewall policy, you cannot add it to the SD-WAN zones. It’s best to do that first rather than configuring everything and then finding out you have to unwind it all. Additionally, an interface can only be a member of one SD-WAN zone. As soon as you add it to one, it will remove it from the other.