Meraki

Community

Considerations when introducing Fortinet Fortigate into a MX dominated WAN.

Solved
sfalloon
Here to help
‎Feb 17 2020 7:59 AM
‎Feb 17 2020 7:59 AM

Considerations when introducing Fortinet Fortigate into a MX dominated WAN.

A client wants to leverage previously purchased equipment (Fortigate). A branch is to come online and the current plan is to use the existing FortiGate as the WAN edge device which will link to HO and possibly the other branches. Are there any preliminary considerations I should look into for such a deployment?

0 Kudos
1 Accepted Solution
cmr
Kind of a big deal
Kind of a big deal
‎Feb 17 2020 1:45 PM
‎Feb 17 2020 1:45 PM

Are you looking to use the Fortigate as the edge of one spoke, the edge of a DC, or as a hub?

 

  1. spoke - create a site to site VPN to the MX in the main site, should be okay as long as you don't need access to/from the other sites etc. due to routing issues.
  2. edge of a DC - if there is an MX as a concentrator there and it is just an internet edge then this should be fine.
  3. hub - just don't even think about it, you lose all the benefits of autoVPN/SD-WAN

So, unless you are following 2, or can accept the limitations of 1, it isn't the best idea

If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

4 Replies 4
cmr
Kind of a big deal
Kind of a big deal
‎Feb 17 2020 1:45 PM
‎Feb 17 2020 1:45 PM

Are you looking to use the Fortigate as the edge of one spoke, the edge of a DC, or as a hub?

 

  1. spoke - create a site to site VPN to the MX in the main site, should be okay as long as you don't need access to/from the other sites etc. due to routing issues.
  2. edge of a DC - if there is an MX as a concentrator there and it is just an internet edge then this should be fine.
  3. hub - just don't even think about it, you lose all the benefits of autoVPN/SD-WAN

So, unless you are following 2, or can accept the limitations of 1, it isn't the best idea

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
sfalloon
Here to help
‎Feb 19 2020 8:25 AM
‎Feb 19 2020 8:25 AM

Great thanks @cmr, those points are exactly the concerns I have. At the moment the Hub is the MX, the FortiGate would take on the role of spoke in the testing phase.
0 Kudos
In response to cmr
sfalloon
Here to help
‎Feb 19 2020 9:05 AM
‎Feb 19 2020 9:05 AM

When considering the site-to-site VPN configuration, how do I tell the local networks on the Meraki to utilize the VPN link to connect to the non-Meraki local networks/resources?
0 Kudos
In response to sfalloon
cmr
Kind of a big deal
Kind of a big deal
‎Feb 19 2020 9:16 AM
‎Feb 19 2020 9:16 AM

I'm pretty sure that you cannot advertise non Meraki VPN networks to Meraki VPN peers using the same MX. You need two and to use static routes. If you simply mean LANs on the MX, as long as their DG is the MX then they should find the non Meraki VPN subnets.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.