Policy example

Given a topology that has already been orchestrated using the SDWan Overlay, the following example demonstrates how to create overlay policies between two FortiGate sites in that topology using these steps:

1. Configure an overlay policy to allow traffic from the Datacenter LAN (10.1.100.0/24) to the Branch 1 LAN (10.1.1.0/24).
2. Test and verify connectivity from the Datacenter LAN to the Branch 1 LAN.
3. Test and verify that connectivity from the Branch 1 LAN to the Datacenter LAN is not allowed by the overlay policy configured in Step 1.
4. Configure an overlay policy to allow traffic from the Branch 1 LAN (10.1.1.0/24) to the Datacenter LAN (10.1.100.0/24).
5. Test and verify connectivity from the Branch 1 LAN to the Datacenter LAN.
Note: For granularity, an overlay policy applies only to the source and destination it specifies. An overlay policy from site A across the overlay networks to site B therefore does not automatically allow traffic in the opposite direction, from site B to site A. You must create a separate overlay policy for traffic in the opposite direction between sites.
To configure an overlay policy to allow traffic from the Datacenter LAN to the Branch 1 LAN:

1. Go to SDWan Overlay > Overlay policy.
2. Click Create.
3. Configure the policy as follows:

   Name: DCport3-to-Br1port3
   Source Address:
       Site: Datacenter
       Interface: port3 (10.1.100.0/24)
       Address: port3@Datacenter
   Destination Address:
       Site: Branch-1
       Interface: port3 (10.1.1.0/24)
       Address: port3@Branch-1
   Service: ALL
   Service Group: (not set)
   Schedule/Schedule Group: Schedule
   Schedule: always
   Action: accept
   Security Profiles:
       AntiVirus: default
       Web Filter: default
       Application Control: default
       Intrusion Prevention: default
   Logging Options:
       Log Allowed Traffic: Enabled, All Sessions
       Generate Logs when Session Starts: Disabled
   Description: DC port3 to Br1 port3
   Enable this policy: Enabled

4. Click OK.
5. In SDWan Overlay > Overlay policy:
   - Status is new. Right-click the policy, then click Save.
   - Status is unsynced. Right-click the policy, then click Apply.
   - Status is synced. The policy has been applied to the FortiGate devices in the specified sites.
To test and verify connectivity from the Datacenter LAN to the Branch 1 LAN:

1. Run these CLI commands on the Datacenter FortiGate:

   # execute ping-options source <IP address in Datacenter LAN>
   # execute ping <IP address in Branch 1 LAN>

2. Observe the following output:

   Datacenter# execute ping-options source 10.1.100.1
   Datacenter# execute ping 10.1.1.99
   PING 10.1.1.99 (10.1.1.99): 56 data bytes
   64 bytes from 10.1.1.99: icmp_seq=0 ttl=255 time=0.7 ms
   64 bytes from 10.1.1.99: icmp_seq=1 ttl=255 time=2.7 ms
   64 bytes from 10.1.1.99: icmp_seq=2 ttl=255 time=1.2 ms
   64 bytes from 10.1.1.99: icmp_seq=3 ttl=255 time=1.9 ms
   64 bytes from 10.1.1.99: icmp_seq=4 ttl=255 time=0.6 ms

   --- 10.1.1.99 ping statistics ---
   5 packets transmitted, 5 packets received, 0% packet loss
   round-trip min/avg/max = 0.6/1.4/2.7 ms
To test and verify that connectivity from the Branch 1 LAN to the Datacenter LAN is not allowed by the overlay policy:

1. Run these CLI commands on the Branch 1 FortiGate:

   # execute ping-options source <IP address in Branch 1 LAN>
   # execute ping <IP address in Datacenter LAN>

2. Observe the following output:

   Branch-1# execute ping-options source 10.1.1.99
   Branch-1# execute ping 10.1.100.1
   PING 10.1.100.1 (10.1.100.1): 56 data bytes

   --- 10.1.100.1 ping statistics ---
   5 packets transmitted, 0 packets received, 100% packet loss
To configure an overlay policy to allow traffic from the Branch 1 LAN to the Datacenter LAN:

1. Go to SDWan Overlay > Overlay policy.
2. Configure the policy as follows:

   Name: Br1port3-to-DCport3
   Source Address:
       Site: Branch-1
       Interface: port3 (10.1.1.0/24)
       Address: port3@Branch-1
   Destination Address:
       Site: Datacenter
       Interface: port3 (10.1.100.0/24)
       Address: port3@Datacenter
   Service: ALL
   Service Group: (not set)
   Schedule/Schedule Group: Schedule
   Schedule: always
   Action: accept
   Logging Options:
       Log Allowed Traffic: Enabled, All Sessions
       Generate Logs when Session Starts: Disabled
   Description: (not set)
   Enable this policy: Enabled

3. Click OK.
4. In SDWan Overlay > Overlay policy:
   - Status is new. Right-click the policy, then click Save.
   - Status is unsynced. Right-click the policy, then click Apply.
   - Status is synced. The policy has been applied to the FortiGate devices in the specified sites.
To test and verify connectivity from the Branch 1 LAN to the Datacenter LAN:

1. Run these CLI commands on the Branch 1 FortiGate:

   # execute ping-options source <IP address in Branch 1 LAN>
   # execute ping <IP address in Datacenter LAN>

2. Observe the following output:

   Branch-1# execute ping-options source 10.1.1.99
   Branch-1# execute ping 10.1.100.1
   PING 10.1.100.1 (10.1.100.1): 56 data bytes
   64 bytes from 10.1.100.1: icmp_seq=0 ttl=254 time=50.6 ms
   64 bytes from 10.1.100.1: icmp_seq=1 ttl=255 time=0.4 ms
   64 bytes from 10.1.100.1: icmp_seq=2 ttl=255 time=0.5 ms
   64 bytes from 10.1.100.1: icmp_seq=3 ttl=255 time=0.7 ms
   64 bytes from 10.1.100.1: icmp_seq=4 ttl=255 time=0.4 ms

   --- 10.1.100.1 ping statistics ---
   5 packets transmitted, 5 packets received, 0% packet loss
   round-trip min/avg/max = 0.4/10.5/50.6 ms
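As an added example that is not part of the Fortinet documentation, the following Python models the one-way matching of overlay policies that the note and the five steps above rely on, and checks FortiGate ping statistics against the reachability a given policy set predicts. Site names, subnets, addresses and policy names are taken from the page; the function names and the shortened ping outputs are constructed for the example.

```python
"""Added example, not Fortinet code: model one-way overlay policy matching and
check FortiGate ping statistics against the reachability a policy set predicts."""
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class OverlayPolicy:
    name: str
    src_site: str
    src_net: str
    dst_site: str
    dst_net: str
    action: str = "accept"

def is_allowed(policies, src_site, src_ip, dst_site, dst_ip):
    """First-match evaluation in the stated direction only; a flow that
    matches no policy is implicitly denied, as the page's step 3 shows."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (p.src_site == src_site and p.dst_site == dst_site
                and src in ipaddress.ip_network(p.src_net)
                and dst in ipaddress.ip_network(p.dst_net)):
            return p.action == "accept"
    return False

PING_STATS = re.compile(r"(\d+) packets transmitted, (\d+) packets received")

def ping_succeeded(output):
    """Parse the statistics line of FortiGate 'execute ping' output."""
    match = PING_STATS.search(output)
    if match is None:
        raise ValueError("no ping statistics line found")
    sent, received = int(match.group(1)), int(match.group(2))
    return sent > 0 and received == sent

def verify(policies, src_site, src_ip, dst_site, dst_ip, output):
    """True when the observed ping result matches what the policies predict."""
    expected = is_allowed(policies, src_site, src_ip, dst_site, dst_ip)
    return ping_succeeded(output) == expected

# Policies in the order the page creates them (names and subnets from the page).
DC_TO_BR1 = OverlayPolicy("DCport3-to-Br1port3", "Datacenter", "10.1.100.0/24",
                          "Branch-1", "10.1.1.0/24")
BR1_TO_DC = OverlayPolicy("Br1port3-to-DCport3", "Branch-1", "10.1.1.0/24",
                          "Datacenter", "10.1.100.0/24")

# Constructed ping outputs, shortened to the statistics line shown on the page.
PING_OK = "5 packets transmitted, 5 packets received, 0% packet loss"
PING_FAIL = "5 packets transmitted, 0 packets received, 100% packet loss"
```

With only DC_TO_BR1 in place, a Branch-1 to Datacenter flow matches nothing and the 100% loss output is the expected result; adding BR1_TO_DC flips the prediction without touching the first policy.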