SD-WAN Deployment for MSSPs

6.4.0

Model devices

Comparing the traditional Device Discovery approach with the Model Device approach shows several advantages of the Model Device approach:

  • The workflow does not depend on whether ZTP is used or not (or on what ZTP method is used). Different sites can be onboarded by using different methods, but from the FortiManager (FMG) perspective, the process remains the same for all of them.
  • Model Devices are local objects inside FMG. They can be safely deleted if a configuration mistake has been made. Since this configuration is not pushed to any real FortiGate (FGT) device until the very last step, there is no need for rollback.
  • For the same reason, working with the Model Device approach is safer. Interim configuration will not cause service disruption, since only the final configuration is pushed to the real FGT device at the very last step.

For the above reasons, we will be focusing on this approach throughout this document.

Some FortiGate model devices include a default policy to allow inside to outside access using a specified interface, for example WAN1.

Because interfaces that are referenced directly in firewall policies cannot be used as SD-WAN members, you must remove this reference by deleting the policy before installing the SD-WAN template.

This can be done manually through the CLI or GUI, or by installing a new policy package to the device that does not contain the default policy.
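
A pre-install check for the situation described in this note, as an added example that is not part of the Fortinet documentation: it scans a FortiOS-style configuration for firewall policies that directly reference interfaces planned as SD-WAN members. The sample configuration is constructed, and the function name and the member list (`wan1`, `wan2`) are assumptions.

```python
import shlex

# Added example: SAMPLE_CONFIG is constructed and the helper name is hypothetical.
SAMPLE_CONFIG = '''
config firewall policy
    edit 1
        set name "default-outbound"
        set srcintf "internal"
        set dstintf "wan1"
    next
    edit 2
        set name "dmz-to-lan"
        set srcintf "dmz"
        set dstintf "internal"
    next
end
config system interface
    edit "wan1"
        set mode dhcp
    next
end
'''

def policies_blocking_sdwan(config_text, sdwan_members):
    """Return (policy_id, name, interfaces) for policies that reference a planned SD-WAN member."""
    members = {m.lower() for m in sdwan_members}
    findings, in_policy, current = [], False, None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names and multi-value "set" lines
        if not tokens:
            continue
        if tokens[0] == "config":
            # Only the firewall policy table matters; other sections are skipped.
            in_policy = tokens[1:] == ["firewall", "policy"]
        elif not in_policy:
            continue
        elif tokens[0] == "end":
            in_policy = False
        elif tokens[0] == "edit":
            current = {"id": tokens[1], "name": "", "intfs": []}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            if tokens[1] == "name":
                current["name"] = tokens[2]
            elif tokens[1] in ("srcintf", "dstintf"):
                current["intfs"] += [t for t in tokens[2:] if t.lower() in members]
        elif tokens[0] == "next" and current is not None:
            if current["intfs"]:
                findings.append((current["id"], current["name"], current["intfs"]))
            current = None
    return findings
```

Any policy the function returns has to be deleted, or replaced through a policy package that omits it, before the SD-WAN template is installed.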
