วีดีโอ

Hi Chris, I understand what you mean, and you make a valid point. In that context BGP has many capabilities that overlap with those of SDWAN, but it’s also necessary to note they’re used for different specific purposes. For the most part, they’re used together.

ow and keep making these videos !!!!

@djpsychic , You make 2 very valid points…I also feel like proxy arp should be a standalone topic 🤔

I’m glad you like the video and appreciate the feedback.

@@casalosa hey there, both methods are correct, even “100 100 100” vs “100 100 100 100” would work, the idea is just to make the as-path longer and less favourable

Hey Kuda On your ssl settings, confirm which port your Fortigate is listening on, then check if the security group that your WAN ENI belongs to has that port allowed.

This is a most common issue, let me know either way..

@@staticroute Hi Sir, Thank you very much for reaching back, I appreciate it. I am checking on the above and will revert back shortly.

Hi Sir, it worked like a charm, Thank you very much.

Now I have one question, on my interfaces, for this to work, do I need to configure my LAN interface with dhcp like how we normally do it onprem and also do I need to change the role for my public subnet interface to WAN?

Hey Gavin, it’s just 3 Cisco routers sharing routes using OSPF between themselves, the other one at the bottom is Out of band management…basically my home network so I can connect using GUI, going forward, I’ll zip and share all configs to the labs

@@staticroute Thank you very much!

hey there, unfortunately up until now I don't keep the configs once I'm done with the video. However, I will be releasing more videos focussed on advanced routing with Cisco routers. But going forward I will upload to Github all config files :-D

Hey friend, apart from the fact that your overlay technologies will always require for underlay to have valid routes to the destinations, in SDWAN, a member that does not have a valid route to the destination will be ignored by SDWAN. As it happens I think it’s time to review and do a new video on the topic, I’ll drop you a message to let you know when it’s ready.

Hi there, excellent question, thank you.... check this out: docs.fortinet.com/document/fortigate/7.4.0/new-features/670140/multiple-interface-monitoring-for-ipsec-7-4-1

@@staticroute Thanks 🙌

short answer....for home use you're better of with a free enterprise-grade firewall that stays up-to-date with threat prevention, antimalware, etc like Sophos XG, check that out...

thank you very much ...

thank you, there are certainly more videos coming up in the near future!!

It’s really hard to work with Fortigates because of licensing limitations, I don’t have licenses either. The images work for a short time, then they stop working for no reason 😃

You should try with just NAT traversal and use outside addresses, I think port forwarding might break your VPN

thank you...and yes I'm certainly planning on it, plus there are several ways to achieve that. I will be putting together a lab in the near future on this topic

@@juan5392 most certainly..! Thank you.

This config is not as straight as one would hope, but the spokes do use their hostname/local-id as username and the PSK as the password. It' not a simple username|password combination..check it here: docs.fortinet.com/document/fortigate/7.4.4/administration-guide/6896/fortigate-as-dialup-client

That should be possible, when you enter into "config neighbour" BGP hierarchy, you are able to specify interface to associate with BGP as well as update source. I haven't done this type of deployment myself and I won't be able to lab it up anytime soon because I deleted this lab...annoying Fortinet license expiry issue, please give it a shot and let me know...

Yeah I think I'll try to lab it at somepoint. Maybe it's more for larger networks/mssp's and not really an issue for us. I was just thinking that since i'm doing greenfield advpn/bgp setup would be better to do it with loopback from the start and make it more futureproof. Also I was looking at the 7.4 docs and there are some new features like active dynamic BGP neighbor triggered by ADVPN shortcut. I hope you can do more videos in the future👍👍

To my knowledge any Fortigate with hardware acceleration chipset can offload IPSec unless disabled. ADVPN just has an additional extension and should still offload to NPx…

Maybe someone knows more about this and can show us with hardware 300x hardware…

@@rjnasr8078 😬 hey bro, to be honest, I’m not yet loyal to either one of them, but I want to give EVE a chance for a while…

@@staticroute I had a lot of issues with GNS3 and it was very time consuming. So far eve-ng seems to be smoother.

​​⁠I noticed the same thing but both on EVE and GNS3, in my case configs that works one moment stop working for no reason, turns out it was related to device license status, if it turns to ‘invalid’, then all hell breaks loose…be on the lookout for that

@@staticroute I thought I sent out a response to this ages ago. Yes I also had some weird stuff happening and have to start from scratch. Hope you're well.

Hey there, you're probably looking for something like ADVPN, I'm uploading a video on that very topic right now, should publish in a few hours. ADVPN improves on Dialup VPNs by enabling spokes to make on-demand connections to each other therefore literally achieving "full-mesh". In the video, I setup BGP with Hub as route reflector, in the case of OSPF, the config is a tiny bit different...please check it out, I'd be interested to know if it's what you're looking for.

@@staticroute Finally i could fix it, no ADVPN needed. Well on the HUB, Phase2 Selectors is Local and Remote 0.0.0.0 0.0.0.0 and i had to delete static routes toward the branches, cause Only if the Interface Name in the routes is with "_0" or "_1" etc. it knows to which tunnel the traffic needs to go, if there is a static route on the Hub toward the branches the interface in the route not has "_0" in it, so it can`t know which peer it should take On the Branches, the Phase2 Selector is local the local Subnets and Remote is also just 0.0.0.0 0.0.0.0, cause Fortinet can handle that.

I will certainly look into it shortly...thank you ..

Hey Lorenzo, the big idea with this lab was eBGP, weight doesn't get exported out to eBGP peers, it doesn't even get exported to local peers within the AS because it's locally significant to the router. Unlike LocalPref, which can atleast propagate within the AS. I'm actually going to post a follow up video on BGP soon based on a lot of interest I'm seeing on this topic...I hope I've answered you..?

@@staticroute You definitely have, thank you - looking forward to that next video!

Thank you

I think of the loopback interface the same as VLAN interface,they’re both logical interfaces

Hey Thiago, were you satisfied with the answer?

@@staticroute He ment how it's pingable and it private ip address, have you configure VIP for LOOPback interface to be reachable!!

Hey, just curious and looking to improve things always, do you mean the background music volume is too high or you’d prefer no background music altogether?

@@staticroute seems particularly high in this video but I'd prefer none at all.

Better pls proceed without background music

Thank you very much, noted, yours is one of 2 comments about the background music, I appreciate it 👍🏼

Apologies, I should have started how good your tutorials are, very easy to understand and quite professionally edited. I'd appreciate if you do a video on advance BGP scenarios with route tags, route target, and how to use communities to accept routes and based on community route to specific peer

you're 100% right SDWAN does it's own link monitoring and I hope to cover that in later video

@@staticroute Thank you

please create one sir ​@@staticroute