Creating site to site VPN with Fortigate Firewall

Abdulwasi
Just browsing

Hello All,

I have one question. I plan to bring a FortiGate NG firewall into the production network and install it at the top of my network, and the Meraki MX will be behind the FortiGate.

My question is: I have two remote branch offices which also use the same MX model, and I have configured a Meraki Auto VPN tunnel between the main office and the remote branch offices.

If I bring the FortiGate firewall into my network as well, I know I can create a non-Meraki VPN tunnel, but I want to route the internet traffic of my two branch offices through my main office. I mean, I want to route WAN traffic through the FortiGate firewall. Is this possible with Meraki?

If possible, what is the solution for this? Our company doesn't have the budget to purchase a FortiGate firewall for each remote site as well.

I want to purchase one FortiGate firewall and route the remote branch office WAN traffic through the FortiGate and use the same public IP.

I am looking forward to your nice comments.

7 Replies
KarstenI
Kind of a big deal

I am not 100% sure that I understand you correctly. But you can do the following, which will work:

  • The Fortigate is your main firewall that connects to the internet
  • The HQ MX is placed in Concentrator mode in a FG DMZ
  • The HQ MX is used as the default route for your branches
  • The traffic from the branches will be tunneled to the MX, leave the same MX interface and be routed back to the FG interface. If it is internal traffic, the FG will route it internally; if it is internet traffic, the FG will send it to the internet.
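Added example, not from the thread or from Fortinet/Meraki documentation: FortiOS CLI for the hub-side FortiGate in the design above. All names and addresses are assumptions for illustration: "wan1" is the internet uplink, "dmz" is the interface the HQ MX (concentrator mode) sits on with the MX at 10.10.10.2, the HQ LAN is 10.0.0.0/16 on "internal", and the branch LANs are 10.20.0.0/24 and 10.21.0.0/24, reachable only through the MX AutoVPN. How the MX itself reaches the Meraki cloud and the spokes (1:1 NAT or a public DMZ) is left out.

```fortios
# Added example (not from the thread). Hypothetical values: wan1 = uplink,
# dmz = interface facing the HQ MX (10.10.10.2), internal = HQ LAN,
# 10.20.0.0/24 and 10.21.0.0/24 = branch LANs behind the MX AutoVPN.

config firewall address
    edit "HQ-LAN"
        set subnet 10.0.0.0 255.255.0.0
    next
    edit "Branch-A-LAN"
        set subnet 10.20.0.0 255.255.255.0
    next
    edit "Branch-B-LAN"
        set subnet 10.21.0.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "Branch-LANs"
        set member "Branch-A-LAN" "Branch-B-LAN"
    next
end

# Branch subnets are reachable only via the MX. Without these routes the
# return packets for a branch session would follow the default route out
# wan1 instead of back through the MX, and the sessions would break.
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set gateway 10.10.10.2
        set device "dmz"
    next
    edit 0
        set dst 10.21.0.0 255.255.255.0
        set gateway 10.10.10.2
        set device "dmz"
    next
end

config firewall policy
    # Branch users -> internet: hairpinned out of the MX, inspected, and
    # NATed to the HQ public address. Only the known branch subnets are
    # accepted as sources; anything else falls through to the implicit deny.
    edit 0
        set name "Branch-to-Internet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "Branch-LANs"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
    # Branch users -> HQ servers, restricted to the services they need so
    # the hub applies policy to internal destinations too, not only to the
    # internet.
    edit 0
        set name "Branch-to-HQ"
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "Branch-LANs"
        set dstaddr "HQ-LAN"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"
        set logtraffic all
    next
    # HQ LAN -> branches, for sessions started at the main office.
    edit 0
        set name "HQ-to-Branch"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "HQ-LAN"
        set dstaddr "Branch-LANs"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The two things worth checking after applying something like this are that `get router info routing-table all` shows the branch prefixes pointing at the MX on dmz, and that the forward traffic log shows branch-sourced sessions matching "Branch-to-Internet" rather than the implicit deny. The static routes could be replaced by BGP between the MX and the FortiGate, as mentioned later in the thread; the policies stay the same either way.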
Abdulwasi
Just browsing

Each of my branches has its own public IP now, and everyone goes directly to the internet, not through the main office. So I want to control the remote office subnets' access to the internet from my main office, from the FortiGate firewall.

Currently the network setup is like this: each remote site has one public IP address, and the users also go to the internet directly. Only for accessing the remote subnets from the main office did I create a site-to-site VPN. So for now I want all remote sites not to go directly to the internet; first the traffic should come to the main office, and based on the FortiGate firewall I should allow or deny traffic.


KarstenI
Kind of a big deal

That is exactly what is possible.

Abdulwasi
Just browsing

What if I configure a hub-and-spoke VPN? In the case of hub and spoke, all the branches will use the main office public IP, but I am not sure how the internet speed will be for the end users.

KarstenI
Kind of a big deal

Well, before deciding on a design, you should make sure that it matches your needs. With your central design, the spoke traffic to the internet will run through your internet pipe twice.

GIdenJoe
Kind of a big deal

Once you're done in the brunch offices, do you also go to the dinner office? 😜
In all seriousness, you can easily use the MX at the hub in concentrator mode and even use BGP with your Fortigate to route your internal subnets to it if you have some servers there.
The choice to also do full mesh is just a little checkbox on your spokes (the brunch offices), and then you can apply those policies on your Fortigate also. However, to do that, make sure you have a lot of upstream bandwidth in your main office, since all internet traffic will be going from the internet to the main office, then back out of the main office towards your brunch offices.

alemabrahao
Kind of a big deal

Take a look at this.


https://freddejonge.nl/fortinet-to-meraki-site-2-site-vpn/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.