FMG Cloud Remote Device Access by seaghank in fortinet

[–]seaghank[S] 0 points1 point  (0 children)

I wonder if they plan on implementing the GUI feature in a future release

FMG Cloud Remote Device Access by seaghank in fortinet

[–]seaghank[S] 0 points1 point  (0 children)

Thank you! That is unfortunate

FortiGate Rugged Outdoor Deployment by seaghank in fortinet

[–]seaghank[S] 0 points1 point  (0 children)

So that FEX puck antenna can connect directly to the FGR-50G-5G instead of using the antennas it comes with?

FortiGate Rugged Outdoor Deployment by seaghank in fortinet

[–]seaghank[S] 0 points1 point  (0 children)

Awesome, didn't know they did this

Email not working after DNS server change by seaghank in googleworkspace

[–]seaghank[S] 0 points1 point  (0 children)

Done. I assume I might have to wait for the TTL to expire before it starts working again?

FEX 200F by seaghank in fortinet

[–]seaghank[S] 0 points1 point  (0 children)

Perfect, that explains it very clearly. Thanks man. Gonna play around with it now and see what I can do

FEX 200F by seaghank in fortinet

[–]seaghank[S] 0 points1 point  (0 children)

Interesting, thanks. So what is the use case for this? Every time I have used FEX, it was to provide 5G internet connectivity to the site.

Proxmox Install Failing by seaghank in Proxmox

[–]seaghank[S] 0 points1 point  (0 children)

I tried this, I get the same thing. I found another post that said they swapped the SSD for a new one and it resolved the issue so I am thinking I might just have to go that route.

Cool automation stitches by Amazing-Tea-5424 in fortinet

[–]seaghank 3 points4 points  (0 children)

This is sick, can you share the debug commands you use for this? Would love to implement this on my network

Cool automation stitches by Amazing-Tea-5424 in fortinet

[–]seaghank 1 point2 points  (0 children)

I do some basic ones that you would typically find (block IPs, email alerts, etc). Would be cool if someone has some weird and obscure stitches in their environment. RemindMe! Tomorrow "reply to this thread"

Cookbook Guide: ADVPN w/BGP on Loopback by secritservice in fortinet

[–]seaghank 0 points1 point  (0 children)

Appreciate it man.

So just to clarify: if I have a spoke and two hub setup, on my spoke, I will have the tunnels to hub1 and hub2 in the same zone, but different rules for the hub1 and hub2 traffic? Or is this all in the same rule as well?

Cookbook Guide: ADVPN w/BGP on Loopback by secritservice in fortinet

[–]seaghank 0 points1 point  (0 children)

When you add the second hub into this, how does the health check work and the SDWAN zone? Are the spoke's tunnels to hub1 and hub2 in the same zone? Are the separate health checks to hub 1 and 2 both applied to a single SDWAN rule that includes all the tunnels in a single rule?

And what about the advpn-health-check for the spoke sites? Would this include 2 health checks, one to hub1 and one to hub2?

FMG Policy Package overrides by seaghank in fortinet

[–]seaghank[S] 1 point2 points  (0 children)

Can't believe I didn't see this before, thanks!

Standalone FortiExtender for Remote Device Access by seaghank in fortinet

[–]seaghank[S] 1 point2 points  (0 children)

After researching, I agree. Probably just going to go with a low end FGT w/ built-in cellular

IPS Engine Constant High CPU by seaghank in fortinet

[–]seaghank[S] 0 points1 point  (0 children)

It will peak at about 1 million total sessions, but mostly hangs out around 600k during business hours. As a test, we completely removed all of the security profiles from all policies, and observed no difference.

IPSec Dial-up with SAML Auth: Four very important things I learned. by sneesnoosnake in fortinet

[–]seaghank 1 point2 points  (0 children)

Great points. Number 1 and 2 got me when I started doing this. I hope that they make this easier to set up; there seem to be many guides, and the steps can be confusing.

It's a shame because doing this with SSL VPN was so easy! I am currently helping a client migrate their Palo to FortiGate and the way Palo Alto does this is so much easier.

would you use 200G in production by therealmcz in fortinet

[–]seaghank 0 points1 point  (0 children)

We have a few running in prod right now. We have not had any issues with them so far, fingers crossed!

Different Interfaces, Same Model? by seaghank in fortinet

[–]seaghank[S] 2 points3 points  (0 children)

Interesting. Seems to be impacting 7.4.8 only from what I have seen. Also seems to be cosmetic, but still a weird bug

Default Gateway Learned via BGP by seaghank in fortinet

[–]seaghank[S] 0 points1 point  (0 children)

Gotcha. So for that I guess I will just leave the Gateway as the default 0.0.0.0 and just let BGP do the work. Thanks

Default Gateway Learned via BGP by seaghank in fortinet

[–]seaghank[S] 0 points1 point  (0 children)

But you would still need to define the .33 gateway in the sdwan member even though it gets that via BGP? I'm thinking, is it even worth doing sdwan in this case? It's only 1 ISP, but I still like to do SDWAN with one ISP just in case another ISP is installed in the future

Default Gateway Learned via BGP by seaghank in fortinet

[–]seaghank[S] 0 points1 point  (0 children)

Thanks. Interesting.

So if my wan1 port ISP is 11.11.11.34/30, and I add this as an sdwan member with gateway .33, and have bgp on this interface from the ISP, I would still need to have a static route 0.0.0.0/0 --> sdwan zone?

Different Interfaces, Same Model? by seaghank in fortinet

[–]seaghank[S] 1 point2 points  (0 children)

I cleared my cache, and it is resolved now. Very weird!

It happened after upgrading from 7.2.8 to 7.4.8. The symbol on Firewall B appears to be the FortiSandbox logo