Hi, 

1) How many links required between SD-WAN A and B routers to achieve the HA and what config to be followed?

sdwan edges don't need link between them (except if you need TLOC Extension but by your picture you have all links to your all prividers from both cEdges)

2) What config to be followed between firewalls and SD-WAN routers and send the traffic outside of the facility? 

If you want to use it as active/standby (cEdges and FWs) that you can configure vrrp (over BDI) to LAN and chose master router 

recently we opened a branch with configuration like this

Thanks

quick question: what is mean by BDI over VRRP over LAN? We have static route from core to firewall Then firewall is sending traffic to sd wan. How we will setup BDI in fortigate firewall?

We use bdi on sdwan side, like

interface GigabitEthernet0/1/6
 description -I- ### LAN
 no ip address
 load-interval 30
 no shutdown
 negotiation auto
 service instance 10 ethernet
  encapsulation untagged
  bridge-domain 10

interface GigabitEthernet0/1/7
 description -I- ### LAN
 no ip address
 load-interval 30
 no shutdown
 negotiation auto
 service instance 10 ethernet
  encapsulation untagged
  bridge-domain 10

interface BDI10
 description -L3- ### BDI LAN
 ip address 192.168.100.2 255.255.255.0
 Vrrp 1 ip 192.168.100.1

• 8300-01 (Gi0/1/6) to FW-01 (eth1)
• 8300-01 (Gi0/1/7) to FW-02 (eth1)

And

• 8300-02 (Gi0/1/6) to FW-01 (eth2)
• 8300-02 (Gi0/1/7) to FW-02 (eth2)

I prefer full physical connection between devices but you can use lacp between sdwan and fw or just one link like 

• 8300-01 (Gi0/1/6) to FW-01 (eth1)
• 8300-02 (Gi0/1/6) to FW-02 (eth1)

Our FW is cisco fpr1150 and there just static route to sdwan

0.0.0.0/0 via 192.168.100.1

Thanks for the brief reply.

if We have one connection only between router and firewall and there is no link between routers, how vrrp on cisco router will work here? 

Yes you are right, for only one connection you need a switch between FW and sdwan or using dinamic routing (ospf) and for this situation you need link betwen sdwan cEdges

Thanks again.

last question: if we have connection from sd wan to both firewall like your design, how vrrp work in this case on sd wan? I am not able to imagine the case since at a time, one firewall will be sending traffic and other will be stanby. From active firewall, one link will go to router 1 and another to router 2. On sd wan router 1, both ports will send traffic to both firewall and traffic from standby firewall will get ignored. Please clear my understanding.

If the fws are running in active standby mode, then only the active node is serving traffic, just like sdwan, there is only one vrrp master and it is an active node. The active fw will send traffic to the active edge and back. In my scheme, sdwans communicate with each other via fw ports that are on the same vlan

Yes, This really make sense for me to have connection to each router from firewall and assign those ports on same vlan at firewall side so both routers can talk each other for vrrp.

since on active router, we have one connection to standby firewall, will there be a situation that active sd wann will send traffic towards the standby firewall?

how active router will come to know on which physical ports traffic to be sent?

Sdwan can see only ip from active FW, it's like vrrp on the FW when it work active/standby so traffic will send to active FW, if you perform failover than ip will move from active FW to standby FW and sdwan started to see ip from port which connect to standby FW

Thanks.

i was thinking to have direct cable between router 1 and 2 for session sync. If this cable is not there, can session sync can happen via sd controller from the cloud?

We are using FortiGate firewall. I am not sure how BDI will work on them. 

DO we need a connection from each firewall to both routers? How will this benefit here?