Creating an SD-WAN overlay template

This section describes how to use the SD-WAN overlay template to configure the overlay network.

The SD-WAN overlay template supports metafields for each input box that displays a magnifying glass. For more information, see the FortiManager 7.2 Administration Guide.

To create an SD-WAN overlay template:

1. In FortiManager, go to Device Manager > Provisioning Templates > SD-WAN Overlay Templates.
2. Click Create New. The Create New SD-WAN Overlay Template dialog box is displayed.
3. Enter a name and description for the template, and click OK.

   

   The Region Settings pane is displayed.

4. Set the region settings:
   1. Select Dual Hub (Primary & Primary).

      

   2. Expand Advanced, and modify the default IP address scheme for loopback and overlay networks, BGP-AS number, and to enable AD-VPN as desired.

      Ensure that you use the same BGP-AS Number as the following step: Deploying FortiGate NVAs in vWAN hub.

      Ensure the Overlay Network is unique and does not conflict with the existing subnets.

      

   3. Click Next.The Role Assignment pane is displayed.
5. Set the role assignment:
   1. Set Primary HUB to demovwan-k3q3jr36urmi6000000.

      Ensure that you select the FortiGate NVA devices as the primary and secondary hubs.

   2. Set Primary HUB to demovwan-k3q3jr36urmi6000001.
   3. Set Device Group Assignment to Branches.

      Branch FortiGates must be added to a device group, even if the device group contains only one FortiGate, to be selected in the wizard. See Adding FortiGate branch devices to device groups.

      

   4. Click Next. The Network Configuration pane is displayed.
6. Set the network configuration for the primary hub device (demovwan-k3q3jr36urmi6000000):
   1. Under Primary HUB, set WAN Underlay 1 to port1.
   2. Select Override IP, and specify 52.161.71.122, which is the public IP address of Azure FGT 1 (demovwan-k3q3jr36urmi6000000).

      The override IP address is the public IP address of the device name in the Primary Hub field. You can obtain the IP addresses from Device Manager > Device & Groups pane.

   3. Set Network Advertisement to Static.

      

   When entering the port name, it is case sensitive and must match the port as written on the FortiGate exactly. Select Private Link if the port is on a private circuit, and you do not want to create an overlay network utilizing this link. Select Override IP if you want to manually input an IP address that remote branches will connect to. This is commonly used in public cloud providers where interfaces have private IP address or other NAT’d environments.

7. Set the network configuration for the second primary hub device (demovwan-k3q3jr36urmi6000001):
   1. Under Primary HUB, set WAN Underlay 1 to port1.
   2. Select Override IP, and specify 13.78.141.94, which is the public IP address of Azure FGT 2 (demovwan-k3q3jr36urmi6000001).
   3. Set Network Advertisement to Static.
8. Set the network configuration for the branch device:
   1. Under Branch, set WAN Underlay 1 to port1.
   2. Set Network Advertisement to Connected, and select port2.

      

      The network advertisement interface will be advertised to the rest of the SD-WAN region. In this example, port2 is our LAN interface for each branch, and so will advertise the branch’s LAN subnet.

9. Set the SD-WAN template options:
   1. Enable Add Overlay Objects to SD-WAN Template.
   2. In the list, click Create New to create a new SD-WAN template with default settings named Branch.

      No configuration of the template is needed at this time. In this example, the SD-WAN template is named SDwan-Branch.

   3. Enable Add Overlay Interfaces and Zones.
   4. Enable Add Healthcheck Servers for Each Hub as Performance SLA.

      

   5. Click Next.The Summary pane is displayed.

   

10. Click Finish to save the template.