Hello All,
I have one question: I plan to bring a FortiGate NG firewall into the production network and install it at the top of my network, and the Meraki MX will be behind the FortiGate.
My question is: I have two remote branch offices which are also using the same MX model, and I have configured a Meraki Auto VPN tunnel between the main office and the remote branch offices.
If I bring the FortiGate firewall into my network as well, I know I can create a non-Meraki VPN tunnel, but I want to route the internet traffic of my two branch offices from my main office. I mean, I want to route WAN traffic through the FortiGate firewall. Is this possible with Meraki?
If it is possible, what is the solution for this? Our company doesn't have the budget to purchase a FortiGate firewall for each remote site as well.
I want to purchase one FortiGate firewall and route the remote branch office WAN traffic through the FortiGate, and use the same public IP.
I am looking forward to your nice comments.
I am not 100% sure that I understand you correctly. But you can do the following, which will work:
Each of my branches has its own public IP now; everyone goes directly to the internet, not through the main office. So I want to control the remote office subnets' access to the internet from my main office, from the FortiGate firewall.
Currently the network setup is like this: each remote site has one public IP address, and the users also go to the internet directly. Only for accessing the remote subnets from the main office did I create a site-to-site VPN. So now I want all remote sites not to go directly to the internet; first the traffic should come to the main office, and based on the FortiGate firewall I should allow or deny traffic.
That is exactly what is possible.
What if I configure a hub-and-spoke VPN? In the case of hub and spoke, all the branches will use the main office public IP, but I am not sure how the internet speed will be for the end users.
Well, before deciding on a design, you should make sure that it matches your needs. With your central design, the spoke traffic to the internet will run through your internet pipe twice.
Once you're done in the brunch offices, do you also go to the dinner office? 😜
In all seriousness, you can easily use the MX at the hub in concentrator mode and even use BGP with your FortiGate to route your internal subnets to it if you have some servers there.
The choice to also do full mesh is just a little checkbox on your spokes (the branch offices), and then you can apply those policies on your FortiGate also. However, to do that, make sure you have a lot of upstream bandwidth in your main office, since all internet traffic will be going from the internet to the main office, then back out of the main office towards your branch offices.
Take a look at this.
https://freddejonge.nl/fortinet-to-meraki-site-2-site-vpn/
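As an added illustration of the hub design discussed in this thread (this is example configuration, not from the thread, the linked guide or Fortinet), the FortiOS CLI fragment below shows the two pieces the FortiGate needs once the MX hub sits behind it in concentrator mode: a return route for each branch subnet pointing at the MX, and a firewall policy that lets the branch subnets out to the internet with NAT so they share the main-office public IP. Interface names (`wan1`, `port2`), the MX inside address (`192.168.1.2`) and the branch subnets (`10.10.0.0/16`, `10.20.0.0/16`) are placeholders.

```fortios
# Assumed topology (constructed for this example): "wan1" faces the internet,
# "port2" faces the inside address of the Meraki MX hub running as a VPN concentrator.
# Branch LANs and the MX address below are placeholders, not values from the thread.
config firewall address
    edit "branch1-lan"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "branch2-lan"
        set subnet 10.20.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "branch-lans"
        set member "branch1-lan" "branch2-lan"
    next
end
# Return path: the branch subnets live behind the MX hub (reached over Auto VPN),
# so the FortiGate must send replies for them to the MX, not to its default route.
config router static
    edit 0
        set dst 10.10.0.0 255.255.0.0
        set gateway 192.168.1.2
        set device "port2"
    next
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set gateway 192.168.1.2
        set device "port2"
    next
end
# Branch internet traffic arrives from the MX on port2 and leaves wan1 source-NATed
# to the main-office public IP. Anything not matched here hits the implicit deny,
# which is where "allow or deny from the FortiGate" is enforced; logging is on so the
# hairpinned branch traffic is visible in the FortiGate logs.
config firewall policy
    edit 0
        set name "branch-to-internet"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "branch-lans"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

Two things to check before relying on this: the MX hub needs a default route towards the FortiGate (its upstream gateway) and the spokes need the full-tunnel/hub setting enabled so their default traffic actually enters the Auto VPN, otherwise the policy above never sees branch traffic; and, as noted earlier in the thread, every byte a branch downloads now crosses the main-office internet link twice (in from the internet, out again over the VPN to the branch), so size the upstream accordingly.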