09-11-2013 11:08 AM - edited 03-11-2019 07:37 PM
Hello,
We have a WAN link between 2 of our offices (MPLS), but I want to put in a redundant link, as this remote office has a 20mb Internet pipe via their Fortigate firewall and we have a 100mb Internet pipe.
We have an ASA, and I have created multiple site-to-site VPNs on that before and on Fortigates too. Currently both of these firewalls provide the routing tables for both offices, including the routes for this WAN link. If I create a VPN between both offices, what will happen? Will the WAN link be unaffected, as we use static routes to get between these 2 offices via the firewalls' routing tables, or will the VPN try to take over? I'm not sure if static routes take preference over a VPN, as I never have to add routes on our ASA for a site-to-site.
I don't think I can do anything dynamic, but should the WAN link fail, I was thinking that if I get the VPN established beforehand and just remove the static routes if it fails, then the traffic should go over the VPN instead?
Thanks
09-11-2013 12:36 PM
The static routes will always take preference so traffic will always be sent over the WAN. If the WAN link fails you will then have to remove the static routes in order to have traffic flow over the VPN. You should be able to do something dynamic by running a routing protocol such as OSPF or RIP over the WAN link as I assume the Fortigate should be able to support these protocols.
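The manual failover discussed in this thread, as an added example that is not part of either post: a simplified Python model in which the route lookup picks the egress interface first and only that interface's crypto map is then checked. It assumes a policy-based site-to-site VPN bound to the Internet-facing interface; the interface names `outside` and `wan` and all addresses are constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing for illustration; none of it comes from the thread.
LOCAL_LAN, REMOTE_LAN = ip.ip_network("10.10.0.0/24"), ip.ip_network("10.20.0.0/24")
DEFAULT = (ip.ip_network("0.0.0.0/0"), "outside")   # Internet-facing interface
STATIC_WAN = (REMOTE_LAN, "wan")                    # static route over the MPLS link
# Crypto ACL entries (local, remote), keyed by the interface the crypto map is bound to.
CRYPTO_MAPS = {"outside": [(LOCAL_LAN, REMOTE_LAN)]}


def egress_interface(routes, dst):
    """Longest-prefix match over (network, interface) routes."""
    matches = [r for r in routes if ip.ip_address(dst) in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def path(routes, src, dst):
    """Route lookup picks the egress interface; only then is that
    interface's crypto map checked for interesting traffic."""
    iface = egress_interface(routes, dst)
    if iface is None:
        return "dropped: no route"
    for local, remote in CRYPTO_MAPS.get(iface, []):
        if ip.ip_address(src) in local and ip.ip_address(dst) in remote:
            return f"VPN tunnel via {iface}"
    return f"unencrypted via {iface}"


if __name__ == "__main__":
    src, dst = "10.10.0.5", "10.20.0.7"
    # The more specific static route wins, so the crypto map is never consulted.
    print("static present:", path([DEFAULT, STATIC_WAN], src, dst))
    # With the static route removed, the default route sends traffic to the
    # Internet-facing interface, where it matches the crypto ACL.
    print("static removed:", path([DEFAULT], src, dst))
    print("internet      :", path([DEFAULT, STATIC_WAN], src, "198.51.100.9"))
```

In this model, a static route left in place after the WAN link fails still steers traffic to the `wan` interface, which is why the route has to be withdrawn (by hand or by a routing protocol) before the tunnel carries anything.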
09-11-2013 02:12 PM