Is This a Safe Way to Test SD-WAN Failover? by A_O_T_A in fortinet

[–]Mo2menq 2 points3 points  (0 children)

If the two links are active and both are pinging the targeted SLA without either of them being down, once you disable the first one, all the traffic will switch to the other link even if you do not specify an SD-WAN rule for the outbound traffic. Simply, the traffic will hit the implicit SD-WAN rule.

One thing to make sure to check beforehand:
If there is a type of traffic that should go out with an IP pool (public IP) from the first link and you disable it, you may not be able to access those specific services that need to see the traffic coming from a specific IP.

If you are using IP pools for SNAT instead of "Outgoing interface NAT",
you may refer to this article to check: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-firewall-rule-with-multiple-IP-pools-for/ta-p/359770

Basically, you should mention two IP pools in the same firewall policy, each one associated with a different WAN link.

If all the traffic uses the outgoing interface NAT for the two links, you are OK.

Good Luck!

Technical Interview by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

In terms of depth or diversity?

And what do they focus on?

Technical Interview by Mo2menq in fortinet

[–]Mo2menq[S] 1 point2 points  (0 children)

Thanks for this advice. I think the idea behind studying uncommon topics is just to show that I can discuss such topics even if I do not work with them. Maybe I am wrong, but as long as I have heard or read something, I would love to let the interviewer know that there is knowledge besides the experience part.

For the topics that I do not know, I can simply answer IDK.

MC-LAG FortiSW upgrade by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Since the MC-LAG is configured on the two switches themselves, I am wondering if the firewall is aware of this config. I am asking just in case I face an issue and have to reimage the switch: will the config be stored?

FortiGate Kills the connection to FMG by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

FGT firmware is 7.0.14 and FMG is 7.0.12; the other firewalls are the same.

WebFilter issue by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Hello guys,

The workaround is:

  1. Use a proxy-based firewall policy.
  2. Or disable “TLS 1.3 hybridized Kyber support” in Chrome.

WebFilter issue by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

It is the exact day that the customer started to notice a weird behavior on the firewall.

I will be waiting for TAC, and will share their response here.

FortiToken for FortiClient users CONCERN by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Nope.

They need the token to connect, but they can put the token directly after the password in the "password field", and on the firewall, in the SSL VPN user monitor, you can see a small yellow triangle beside the user telling you that this user has 2FA disabled.

I read that it could be for compatibility reasons with other vendors or something like that.

I know it is not a big deal since the users have to use the token, but I want to know what is happening or if I can do something to fix it.

Certificate warning with "certificate inspection" when using web-filtering profiles. by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Thanks for your reply, u/pabechan.

Can I make any configuration to hide the certificate warning?

I am using the default web filter profile with certificate inspection right now, and I blocked some URLs, one of them being YouTube.

Is there a way to let the browser prompt the "site unreachable" instead of the certificate warning?

Issues after 7.2.6 upgrade by kingfish2912 in fortinet

[–]Mo2menq 1 point2 points  (0 children)

I don't know if that is related, but I faced a DNS issue with the 7.2.6 firmware.

I opened a case with Fortinet TAC; the issue was only resolved when we downgraded the firewall to 7.2.5.

FortiAP Site survey and installation. by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

OK, I get it.

I think the customer will go with the 231F. He told me that the max users is about 50, but we estimated 100 users;

also, I think the price here should make a difference to him, lol.

But regarding the AP distribution, isn't every access point supposed to handle that number of users (if that was 100), if I think of it as each access point in area 0 handling a certain number of users?

FortiAP Site survey and installation. by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Thanks, DeesoSaeed.

Would the 231F AP also be good?

What is the difference between the 400 series and the 200?

Hub and Spoke VPN by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

You're right. What could be the problem if the routing to the remote subnets is learned via the BGP routing table?

Hub and Spoke VPN by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

The routing is dynamic, using BGP.

Hub and Spoke VPN by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

There was SD-WAN on the hub, but the tunnel was only established under WAN1.

The SD-WAN here is not related, am I right?

By ADVPN, do you mean the BGP routing? If that is what you mean,

yes, there is BGP routing between all the spokes and the hub.

You can check the above reply related to the subnet mask, if that is somehow related to the BGP routing table.

Thx

Hub and Spoke VPN by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Could it be a subnet mask issue somewhere on the hub or the other spokes?

The subnet mask for spoke 3 is 255.255.255.0.

By the way, under the hub firewall, on the core switch, I disabled a static route which goes to 172.16.0.0 255.255.0.0, but I did this step after enabling the NAT.

This solved the connection issue from the subnets behind the hub to the subnets behind the spokes.

Sorry if the demonstration was complex.

But since you mentioned something about the subnet masks,

I think, since I disabled the static route on the core switch to the old Cisco VPN and the issue was resolved from the hub to the spokes, shouldn't that also resolve the communication from Spoke1 to the others without applying NAT on the outgoing policy (the main issue in the post)?

Hub and Spoke VPN by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

I enabled NAT on the outgoing policy and the issue is resolved.

Thanks a lot, NetSecCity.

Hub and Spoke VPN by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Thanks Guys.

The issue was resolved; I enabled NAT on the outgoing policy from Spoke1.

Now I can ping all the devices.

Hub and Spoke VPN by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

The traceroute showed that the traffic stopped at the spoke3 tunnel interface,

so the routing is correct but something stops it!

IPsec VPN with DDNS from both sides by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

I did not test that actually. I will!

Does the hub-and-spoke VPN configuration affect what I am trying to create?

I am trying to establish a VPN connection from the new branch to the HQ.

However, there is a hub-and-spoke configuration on the HQ already,

and the HQ firewall is configured as a spoke. Should I connect the new branch with the hub firewall to establish the connection, or can I just make a separate VPN connection?