Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.0.10 Administration Guide
    7.0.10
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Configuring the SD-WAN to steer traffic between the overlays

    Configuring the SD-WAN to steer traffic between the overlays

    Configure the HQ FortiGate to use two overlay tunnels for SD-WAN, steering HTTPS and HTTP traffic through the FGT_AWS_Tun tunnel, and SSH and FTP throguh the AWS_VPG tunnel.

    1. Add SD-WAN member interfaces
    2. Configure a route to the remote network
    3. Configure firewall policies
    4. Configure a health check
    5. Configure SD-WAN rules
    To add SD-WAN member interfaces:

    1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.

    2. Set Interface to AWS_VPG then click OK.

    3. Click Create New > SD-WAN Member again.

    4. Set Interface to FGT_AWS_Tun.

    5. Set Gateway to 172.16.200.1.

    6. Click OK.

    To configure a route to the remote network 10.0.2.0/24:

    1. Go to Network > Static Routes and click Create New.

    2. Set Destination to Subnet and enter the IP address and netmask: 10.0.2.0/255.255.255.0.

    3. Set Interface to virtual-wan-link.

    4. Click OK.

      Individual routes to each tunnel are automatically added to the routing table with the same distance:

    To configure firewall policies to allow traffic from the internal subnet to SD-WAN:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure the following:

      Name

      ISFW-to-IaaS

      Incoming Interface

      port3

      Outgoing Interface

      virtual-wan-link

      Source

      all

      Destination

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      Enabled

    3. Configure the remaining settings as required.

    4. Click OK.

      Once the firewall policies are configured, the VPN tunnels should come up when there is traffic.

    To configure a health check to monitor the status of the tunnels:

    As you are accessing the servers on the 10.0.2.0/24 subnet, it is preferable to use the FortiGate port2 interface as the ping server for detection. This ensures that, if the gateway is not reachable in either tunnel, its routes are brought down and traffic continues on the other tunnel.

    1. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.

    2. Configure the following:

      Name

      ping_AWS_Gateway

      Protocol

      Ping

      Server

      10.0.2.10

      Participants

      Specify

      Add AWS_VPG and FGT_AWS_Tun as participants.

    3. Click OK.

      Health check probes originate from the VPN interface's IP address. This is why the phase2 selectors are configured with Local Address set to all.

    To configure SD-WAN rules to steer traffic:

    HTTPS and HTTP traffic is steered to the FGT_AWS_Tun tunnel, and SSH and FTP traffic is steered to the AWS_VPG tunnel. The Manual algorithm is used in this example.

    1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.

    2. Configure the following:

      Name

      http-to-FGT_AWS_Tun

      Source Address

      all

      Address

      remote_subnet_10_0_2_0

      Protocol

      TCP

      Port range

      80 - 80

      Outgoing Interfaces

      Manual

      Interface preference

      FGT_AWS_Tun

    3. Click OK.

    4. Create other SD-WAN rules as required:

    Previous
    Next

    Configuring the SD-WAN to steer traffic between the overlays

    Configuring the SD-WAN to steer traffic between the overlays

    Configure the HQ FortiGate to use two overlay tunnels for SD-WAN, steering HTTPS and HTTP traffic through the FGT_AWS_Tun tunnel, and SSH and FTP throguh the AWS_VPG tunnel.

    1. Add SD-WAN member interfaces
    2. Configure a route to the remote network
    3. Configure firewall policies
    4. Configure a health check
    5. Configure SD-WAN rules
    To add SD-WAN member interfaces:

    1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.

    2. Set Interface to AWS_VPG then click OK.

    3. Click Create New > SD-WAN Member again.

    4. Set Interface to FGT_AWS_Tun.

    5. Set Gateway to 172.16.200.1.

    6. Click OK.

    To configure a route to the remote network 10.0.2.0/24:

    1. Go to Network > Static Routes and click Create New.

    2. Set Destination to Subnet and enter the IP address and netmask: 10.0.2.0/255.255.255.0.

    3. Set Interface to virtual-wan-link.

    4. Click OK.

      Individual routes to each tunnel are automatically added to the routing table with the same distance:

    To configure firewall policies to allow traffic from the internal subnet to SD-WAN:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure the following:

      Name

      ISFW-to-IaaS

      Incoming Interface

      port3

      Outgoing Interface

      virtual-wan-link

      Source

      all

      Destination

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      Enabled

    3. Configure the remaining settings as required.

    4. Click OK.

      Once the firewall policies are configured, the VPN tunnels should come up when there is traffic.

    To configure a health check to monitor the status of the tunnels:

    As you are accessing the servers on the 10.0.2.0/24 subnet, it is preferable to use the FortiGate port2 interface as the ping server for detection. This ensures that, if the gateway is not reachable in either tunnel, its routes are brought down and traffic continues on the other tunnel.

    1. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.

    2. Configure the following:

      Name

      ping_AWS_Gateway

      Protocol

      Ping

      Server

      10.0.2.10

      Participants

      Specify

      Add AWS_VPG and FGT_AWS_Tun as participants.

    3. Click OK.

      Health check probes originate from the VPN interface's IP address. This is why the phase2 selectors are configured with Local Address set to all.

    To configure SD-WAN rules to steer traffic:

    HTTPS and HTTP traffic is steered to the FGT_AWS_Tun tunnel, and SSH and FTP traffic is steered to the AWS_VPG tunnel. The Manual algorithm is used in this example.

    1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.

    2. Configure the following:

      Name

      http-to-FGT_AWS_Tun

      Source Address

      all

      Address

      remote_subnet_10_0_2_0

      Protocol

      TCP

      Port range

      80 - 80

      Outgoing Interfaces

      Manual

      Interface preference

      FGT_AWS_Tun

    3. Click OK.

    4. Create other SD-WAN rules as required:

    Previous
    Next