
Creating Edge SD-WAN templates


This section outlines the general configuration steps recommended for every Edge SD-WAN template. All the screenshots in this section demonstrate a template named Edge-2H-Silver from our example project, and the template is prepared for the sites from the West Region that have a Silver profile (such as site1-1). See Example project.

Note

Detailed description of the available SD-WAN functionality is outside the scope of this document. Please refer to the public documentation or contact your Fortinet representatives for more details.

Creating SD-WAN templates

This section provides the general steps for creating the following components of SD-WAN templates:

  • SD-WAN zones
  • SD-WAN zone members
  • Performance SLAs
  • SD-WAN rules for steering traffic

To create SD-WAN templates:
  1. In Device Manager, go to Provisioning Templates > SD-WAN Templates, and click Create New to create a new template:

  2. In the Interface Members section, click Create New > SD-WAN Zone, and create two SD-WAN zones named underlay and overlay:

  3. In the Interface Members section, click Create New > SD-WAN Member to create SD-WAN Members, and add them to the zones:

    • Add all the underlay interfaces to the underlay zone.
    • Add all the overlay interfaces (tunnels) to the overlay zone.
    • Make sure that the Priority value for the overlay members is worse (higher) than the value for the underlay members. For example, set the overlay Priority to 10 and leave the underlay Priority unchanged (0).

      Note

      We are going to use SD-WAN as a default route, and this priority will be set for each individual member. As a result, underlay members will be automatically preferred for Internet traffic that does not have any explicit SD-WAN rule. This also includes traffic originated by the FortiGate device itself, such as FortiGuard connectivity.

    • Make sure that the Source value for the overlay members is set to $(loopback). This refers to the per-device meta field that will contain the per-device loopback address, and in our routing design flavor we will use it as a source IP for the health probes.

  4. In the Performance SLA section, click Create New to create the necessary Performance SLAs:
    • For the corporate (internal) traffic, create a Performance SLA that pings the Hub loopback. This loopback is created by the Jinja CLI Templates, and its IP address, by default, is set to 10.200.99.1. Run the probes only on the overlay members.

    • For the Internet traffic, create Performance SLAs using any desired probe destination. A typical choice to probe generic Internet connectivity would be a DNS probe towards 8.8.8.8. Additionally, application-specific Performance SLAs can be created, depending on the desired steering strategy.

      Run the probes through all the members that should be used for Internet access. The choice depends on whether it is required to provide Direct Internet Access (DIA), Remote Internet Access (RIA), or a hybrid of the two.

      For example, in the following image we are planning to use a hybrid Internet access model. However, we do not define any traffic steering rules yet. We are merely defining on which SD-WAN Members to run the respective health probes. The traffic steering will be determined by the SD-WAN Rules.

      Note

      If you want to see SLA graphs on the FortiAnalyzer widgets and reports, remember to set the values of sla-fail-log-period and sla-pass-log-period under Advanced Options of the respective Performance SLAs! For example, use the values of 10 seconds as displayed in the following image:

  5. In the SD-WAN Rules section, click Create New to create the SD-WAN rules that will steer traffic:
    • For the corporate (internal) traffic, use the following guidelines for optimal ADVPN operation:
      • Enable the Advanced Option tie-break fib-best-match. This per-rule option instructs SD-WAN to rely on the best route to the destination (rather than on any valid route, as is done by default). In conjunction with ADVPN, this setting provides optimal behavior in certain failure scenarios.
      • When the Lowest Cost (SLA) strategy is used, set the Advanced Option hold-down-timer to 20 seconds. In conjunction with ADVPN, this setting prevents unnecessary traffic flapping in certain failure or recovery scenarios.
    • In Dual-Hub regions, we recommend using an "Active/Backup Hub" model. This means creating two separate SD-WAN Rules, such as Corporate-H1 and Corporate-H2, with the former listing only the overlays of the Primary Hub and the latter listing only the overlays of the Secondary Hub.

      As long as the Primary Hub is operational, it will be used for ADVPN shortcut exchange. Once it goes out of service, the Secondary Hub will be used.

    • For the Internet traffic, a wide variety of options exists, depending on the desired steering strategy. For example, the following screenshot demonstrates an SD-WAN Rule for the business-critical SaaS applications ("Salesforce" and "GoToMeeting" in our example), implementing a hybrid Internet access model combined with an Application-based traffic steering:

      • The applications in question will be identified by their Layer 7 payloads, using our extensive Application database.
      • The applications will prefer Direct Internet Access (using "port1"), as long as it meets the configured SLA target (the latency of up to 250 ms).
      • If the SLA target is not met, the traffic will switch over to the Remote Internet Access via one of the Hubs (using one of the MPLS overlays - H1_MPLS or H2_MPLS).
    • Different SD-WAN Rules can be created for different types of traffic, selecting the optimal traffic steering strategy and SLA targets for different applications.
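
The guidelines from steps 3 to 5 can be checked mechanically before a template is assigned. The following is an added example, not Fortinet code: it lints a constructed template description against those guidelines. The dictionary layout, the "corporate" flag and the "lowest-cost-sla" strategy label are assumptions made for illustration and do not reflect any FortiManager API or export format.

```python
import copy

def lint_template(t):
    """Return guideline violations for a template dict (hypothetical layout)."""
    out = []
    zone_of = {m["name"]: m["zone"] for m in t["members"]}
    underlay = [m for m in t["members"] if m["zone"] == "underlay"]
    overlay = [m for m in t["members"] if m["zone"] == "overlay"]
    worst_underlay = max((m.get("priority", 0) for m in underlay), default=0)
    for m in overlay:
        # Step 3: overlay Priority must be worse (higher) than every underlay member.
        if m.get("priority", 0) <= worst_underlay:
            out.append(f"{m['name']}: overlay Priority must be higher than underlay")
        if m.get("source") != "$(loopback)":
            out.append(f"{m['name']}: overlay Source must be $(loopback)")
    for s in t["slas"]:
        # Step 4: the corporate (Hub loopback) probe runs on overlay members only.
        stray = [n for n in s["members"] if zone_of.get(n) != "overlay"]
        if s.get("corporate") and stray:
            out.append(f"{s['name']}: corporate probe runs on non-overlay {stray}")
        for opt in ("sla-fail-log-period", "sla-pass-log-period"):
            if not s.get(opt):
                out.append(f"{s['name']}: {opt} unset, no FortiAnalyzer SLA graphs")
    for r in (r for r in t["rules"] if r.get("corporate")):
        # Step 5: ADVPN guidelines for corporate rules.
        if r.get("tie-break") != "fib-best-match":
            out.append(f"{r['name']}: tie-break is not fib-best-match")
        if r.get("strategy") == "lowest-cost-sla" and r.get("hold-down-timer") != 20:
            out.append(f"{r['name']}: hold-down-timer is not 20")
    return out

# Constructed sample using the page's example names (port1, H1_MPLS, H2_MPLS).
LOG = {"sla-fail-log-period": 10, "sla-pass-log-period": 10}
GOOD = {
    "members": [
        {"name": "port1", "zone": "underlay", "priority": 0},
        {"name": "H1_MPLS", "zone": "overlay", "priority": 10, "source": "$(loopback)"},
        {"name": "H2_MPLS", "zone": "overlay", "priority": 10, "source": "$(loopback)"},
    ],
    "slas": [
        {"name": "HUB", "corporate": True, "members": ["H1_MPLS", "H2_MPLS"], **LOG},
        {"name": "Internet", "members": ["port1", "H1_MPLS", "H2_MPLS"], **LOG},
    ],
    "rules": [{"name": "Corporate-H1", "corporate": True, "strategy": "lowest-cost-sla",
               "tie-break": "fib-best-match", "hold-down-timer": 20}],
}

# Drifted copy: overlay priority reset, Hub probe widened, rule option dropped.
BAD = copy.deepcopy(GOOD)
BAD["members"][1]["priority"] = 0
BAD["slas"][0]["members"].append("port1")
del BAD["rules"][0]["tie-break"]
```

Calling lint_template(GOOD) returns an empty list, while lint_template(BAD) returns one finding for each of the three drifted settings.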

Assigning SD-WAN templates

Once the SD-WAN templates are ready, assign them to the correct device groups. The outcome will vary depending on how you defined the device groups for your project.

To assign SD-WAN templates:
  1. On the Provisioning Templates > SD-WAN Templates pane, select the template, and click Assign to Device/Group to assign the templates to the correct device groups. You can assign the same SD-WAN template to one or more device groups.

    The following image demonstrates the assignment in our example project:
