Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN Deployment for MSSPs

    Home FortiGate / FortiOS 6.4.0 SD-WAN Deployment for MSSPs
    6.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Defining interface members

    Defining interface members

    Defining SD-WAN interfaces allows you to add them to zones, which can then be used in policies. SD-WAN interfaces are also used when creating SD-WAN rules.

    Following is a summary of how to define interface members:

    1. Define SD-WAN interfaces for Edge devices for each of their overlay interfaces. See Defining interfaces for Edge devices.

      Edge devices will have two overlay interfaces: INET and MPLS.

    2. Define an SD-WAN interface for the Hub device for the underlay interface. See Defining interfaces for the Hub device.

      The hub has one underlay interface, which is its internet-facing interface.

    Defining interfaces for Edge devices

    For the overlays, create the following Interface Members, and map them to the respective Dial-Up IPSEC endpoints on the Hub device:

    • EDGE_INET
    • EDGE_MPLS

    The following table summarizes the Interface Members you need to create for Edge devices:

    Link

    Interface Member Name

    Mapping

    Overlay

    		 EDGE_INET Map to the respective Dial-Up IPSEC endpoints on the Hub device.

    Overlay

    		 EDGE_MPLS
    To define interface members:
    1. Go to Device Manager > SD-WAN > Interface Members, and click Create New.

      The SD-WAN tab is used for centralized SD-WAN management.

      The Create New WAN Interface pane is displayed.

    2. In the Name box, type EDGE_INET.
    3. Under Advanced Options, set priority value to 10.

      We give higher priority value (meaning lower priority) to all the overlay interfaces, so that Internet traffic uses underlay interfaces by default. This includes all the locally originated Internet traffic (such as FortiGate communication with FortiGuard services), as well as all the Internet traffic that is not explicitly controlled by SD-WAN rules.

    4. Create a new Normalized Interface named EDGE_INET:
      1. In the Normalized Interface drop-down list, click the + (plus) icon to create a new Normalized Interface.

        The Create New Normalized Interface dialog box is displayed.

      2. In the Name box, type EDGE_INET
      3. Under Per-Platform Mapping, click Create New.
      4. In the Matched Platform list, select all.
      5. In the Mapped Interface Name, type EDGE_INET.

        This setting maps the Normalized Interface to the phase1-interface of the same name. The resulting SD-WAN Interface Member will look as follows:

    5. Repeat the same steps to create an Interface Member named EDGE_MPLS.
    Defining interfaces for the Hub device

    For the underlay, create an Interface Member named UL_INET, and map it to the respective Internet-facing interface on the Hub.

    The following table summarizes the Interface Members you need to create for the Hub device:

    Link

    Interface Member Name

    Mapping

    Underlay

    		 UL_INET Map it to the respective Internet-facing interface on the Hub device.
    To define interfaces for the Hub device:
    1. Go to Device Manager > SD-WAN > Interface Members.
    2. In the tree menu, select Interface Members, and click Create New.

      The Create New WAN Interface pane is displayed.

    3. In the Name box, type UL_INET.
    4. Create a new Normalized Interface named UL_INET:
      1. In the Normalized Interface drop-down list, click the + (plus) icon to create a new Normalized Interface.

        The Create New Normalized Interface dialog box is displayed.

      2. In the Name box, type UL_INET
      3. Under Per-Platform Mapping, click Create New.
      4. In the Matched Platform list, select all.
      5. In the Mapped Interface Name, type UL_INET.

        This setting maps the Normalized Interface to the Internet-facing interface on the Hub device. The resulting SD-WAN Interface Member will look as follows:

    Previous
    Next

    Defining interface members

    Defining interface members

    Defining SD-WAN interfaces allows you to add them to zones, which can then be used in policies. SD-WAN interfaces are also used when creating SD-WAN rules.

    Following is a summary of how to define interface members:

    1. Define SD-WAN interfaces for Edge devices for each of their overlay interfaces. See Defining interfaces for Edge devices.

      Edge devices will have two overlay interfaces: INET and MPLS.

    2. Define an SD-WAN interface for the Hub device for the underlay interface. See Defining interfaces for the Hub device.

      The hub has one underlay interface, which is its internet-facing interface.

    Defining interfaces for Edge devices

    For the overlays, create the following Interface Members, and map them to the respective Dial-Up IPSEC endpoints on the Hub device:

    • EDGE_INET
    • EDGE_MPLS

    The following table summarizes the Interface Members you need to create for Edge devices:

    Link

    Interface Member Name

    Mapping

    Overlay

    		 EDGE_INET Map to the respective Dial-Up IPSEC endpoints on the Hub device.

    Overlay

    		 EDGE_MPLS
    To define interface members:
    1. Go to Device Manager > SD-WAN > Interface Members, and click Create New.

      The SD-WAN tab is used for centralized SD-WAN management.

      The Create New WAN Interface pane is displayed.

    2. In the Name box, type EDGE_INET.
    3. Under Advanced Options, set priority value to 10.

      We give higher priority value (meaning lower priority) to all the overlay interfaces, so that Internet traffic uses underlay interfaces by default. This includes all the locally originated Internet traffic (such as FortiGate communication with FortiGuard services), as well as all the Internet traffic that is not explicitly controlled by SD-WAN rules.

    4. Create a new Normalized Interface named EDGE_INET:
      1. In the Normalized Interface drop-down list, click the + (plus) icon to create a new Normalized Interface.

        The Create New Normalized Interface dialog box is displayed.

      2. In the Name box, type EDGE_INET
      3. Under Per-Platform Mapping, click Create New.
      4. In the Matched Platform list, select all.
      5. In the Mapped Interface Name, type EDGE_INET.

        This setting maps the Normalized Interface to the phase1-interface of the same name. The resulting SD-WAN Interface Member will look as follows:

    5. Repeat the same steps to create an Interface Member named EDGE_MPLS.
    Defining interfaces for the Hub device

    For the underlay, create an Interface Member named UL_INET, and map it to the respective Internet-facing interface on the Hub.

    The following table summarizes the Interface Members you need to create for the Hub device:

    Link

    Interface Member Name

    Mapping

    Underlay

    		 UL_INET Map it to the respective Internet-facing interface on the Hub device.
    To define interfaces for the Hub device:
    1. Go to Device Manager > SD-WAN > Interface Members.
    2. In the tree menu, select Interface Members, and click Create New.

      The Create New WAN Interface pane is displayed.

    3. In the Name box, type UL_INET.
    4. Create a new Normalized Interface named UL_INET:
      1. In the Normalized Interface drop-down list, click the + (plus) icon to create a new Normalized Interface.

        The Create New Normalized Interface dialog box is displayed.

      2. In the Name box, type UL_INET
      3. Under Per-Platform Mapping, click Create New.
      4. In the Matched Platform list, select all.
      5. In the Mapped Interface Name, type UL_INET.

        This setting maps the Normalized Interface to the Internet-facing interface on the Hub device. The resulting SD-WAN Interface Member will look as follows:

    Previous
    Next