SD-WAN Deployment for MSSPs

6.4.0

Deploying Edge devices

Now that all the building blocks are ready, it is time to deploy the Edge. The following is an overview of deploying Edge devices:

  1. Add a Model Device. See Adding model devices.
    1. Ensure there is a thoughtful naming convention.
    2. Add the model device to the Edge device group.
    3. Assign the Edge policy package.
    4. Assign the default provisioning template.
  2. Define the Meta Fields. See Defining Meta Fields.
  3. Generate a certificate using the certificate template. See Generating and assigning certificates.
  4. Assign and install the edge overlay CLI template to the Model Device. See Installing overlay configuration.
  5. Assign the remaining templates to the Model Device. See .
    • CLI Template group
    • SD-WAN template
    • Policy package
  6. Install the templates to the Model Device. See Installing the templates to the model device.
  7. Onboard the real FortiGate. See Onboarding the real device.

Adding model devices

To add a model device:
  1. On Device Manager, click Add Device, and select Add Model Device.
  2. Give the Edge a name, and select the right parameters (such as device model).

    In our example, we have named the Edges site1-1 and site1-2.

  3. Select Add it to the Device Group, and select Edge.
  4. Select Assign the Policy Package, and select Edge.
  5. Select Assign the Provisioning Template, and select default.

  6. Click Next, and complete the wizard.

Defining Meta Fields

To define Meta Fields:
  1. Right-click the Hub Model Device, and select Edit.

  2. Fill in the following Meta Fields used in Edge CLI templates.

    The values correspond to our example, for both Edge devices.

    Meta Field           site1-1        site1-2
    as                   65001          65001
    h1-inet-id           11             11
    h1-inet-ip           100.64.1.1     100.64.1.1
    h1-inet-tunnel-ip    10.201.1.1     10.201.1.1
    h1-mpls-id           12             12
    h1-mpls-ip           172.16.1.5     172.16.1.5
    h1-mpls-tunnel-ip    10.202.1.1     10.202.1.1
    inet-intf            port1          port1
    lan-net              10.0.1.0/24    10.0.2.0/24
    lan-summary          10.0.0.0/14    10.0.0.0/14
    mpls-intf            port4          port4

    Note

    In the above list, only the lan-net Meta Field is unique per Edge device (site). All other values are determined by the region to which a particular site belongs. As a result, they will be identical on all the Edge devices in the same region.

  3. Optionally, set device location and/or other desired parameters.
    Note

    After you complete Meta Fields, it is a good time to add any other required configuration to the Model Device. It can be done either directly in the Device Manager or using Provisioning Templates, additional CLI Templates, or ad-hoc CLI Scripts.

    One typical example is underlay configuration. You may need to configure the missing VLAN interfaces, IP addresses, static routes, dynamic routing on the underlay and so on. This configuration is not specific to SD-WAN, and therefore it is out of scope for this document.
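A pre-install consistency check for the Meta Fields above, as an added example that is not part of the original guide or a FortiManager API. It works on a plain dictionary of values (a hypothetical representation) and assumes, from the example values only, that each lan-net must sit inside lan-summary and must not overlap another site.

```python
import ipaddress

# Constructed input: the example values from the Meta Fields table above.
REGION = {"as": "65001", "h1-inet-id": "11", "h1-inet-ip": "100.64.1.1",
          "h1-inet-tunnel-ip": "10.201.1.1", "h1-mpls-id": "12",
          "h1-mpls-ip": "172.16.1.5", "h1-mpls-tunnel-ip": "10.202.1.1",
          "inet-intf": "port1", "lan-summary": "10.0.0.0/14", "mpls-intf": "port4"}
DEVICES = {"site1-1": {**REGION, "lan-net": "10.0.1.0/24"},
           "site1-2": {**REGION, "lan-net": "10.0.2.0/24"}}
PER_SITE = {"lan-net"}                      # the only field unique per Edge
IP_FIELDS = [f for f in REGION if f.endswith("-ip")]


def validate(devices):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    names = sorted(devices)
    reference = devices[names[0]]           # region values are compared to this Edge
    nets = {}
    for name in names:
        fields = devices[name]
        missing = (set(REGION) | PER_SITE) - set(fields)
        if missing:
            problems.append(f"{name}: missing {sorted(missing)}")
            continue
        for key in fields.keys() - PER_SITE:
            if fields[key] != reference.get(key):
                problems.append(f"{name}: {key} differs from {names[0]}")
        try:
            for key in IP_FIELDS:
                ipaddress.ip_address(fields[key])
            lan = ipaddress.ip_network(fields["lan-net"], strict=True)
            summary = ipaddress.ip_network(fields["lan-summary"], strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        # Assumption: a site LAN outside the regional summary is a typo.
        if not lan.subnet_of(summary):
            problems.append(f"{name}: lan-net {lan} outside lan-summary {summary}")
        for other, other_net in nets.items():
            if lan.overlaps(other_net):
                problems.append(f"{name}: lan-net overlaps {other}")
        nets[name] = lan
    return problems


if __name__ == "__main__":
    print(validate(DEVICES) or "meta fields consistent")
```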

Generating and assigning certificates

To generate and issue certificates:
  1. Navigate to Provisioning Templates > Certificate Templates.
  2. Right-click the Edge template, and select Generate.

  3. Select the Edge Model Device in the subsequent dialog, and click OK to issue a local certificate for the Edge.

Installing overlay configuration

Now it is necessary to install the overlay configuration on the Model Device. Just as for the Hub, we must perform this step separately, before applying the rest of the templates.

  1. For the Edge device, right-click the CLI Template Status cell, and select only the CLI template named 01-Edge-Overlay.
  2. Install the configuration by using the Quick Install (Device DB) method.

Assigning templates to the model device

After successful configuration of the overlays, we are ready to assign the rest of the templates to the Model Device.

To assign templates to the model device:
  1. For the Edge, right-click the CLI Template Status cell, and select the entire CLI Template Group named Edge-Template.
  2. Navigate to the SD-WAN tab, and assign the SD-WAN template, for example, Edge-Template.

Installing the templates to the model device

After successful configuration of the overlays, we are ready to install the rest of the configuration.

To install the rest of the configuration:
  1. Install the Edge policy on the Edge Model Device, which will also apply all the assigned templates.

Onboarding the real device

After successful installation, the Edge Model Device is ready. Now it is time to onboard the real device. You can either use Zero-Touch Provisioning or manually initiate the registration from the FortiGate CLI.

Once the onboarding process is complete, the Edge will become a fully managed and completely deployed device.

Repeat this procedure for all Edge devices. Note that we reuse the same CLI templates and the same SD-WAN templates, and only the Meta Fields must be filled in for each device.
