7.2.0

Firewall policies

The Fabric Overlay Orchestrator can create firewall policies that allow all traffic through the SD-WAN overlay, or firewall policies that allow only health check traffic through it. When the Fabric Overlay Orchestrator is enabled on the root FortiGate, the following Policy creation options are available:

  • Automatic: automatically create policies for the loopback interface and tunnel overlays.

  • Health check: automatically create a policy for the loopback interface so the SD-WAN health checks are functional.

  • Manual: no policies are automatically created.

Note

The Automatic policy creation option creates wildcard allow policies for the tunnel overlays. In some cases, these policies do not provide the granularity needed to restrict overlay traffic to specific subnets or hosts.

Note

When the Fabric Overlay Orchestrator is configured on a device, changing the policy creation rule will create new policies based on the rule, but it will not delete existing policies. Deleting existing policies must be performed manually.
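The two notes above leave the operator with a follow-up task: find the wildcard allow policies that the Automatic option created on the overlay interfaces, decide whether each one needs to be narrowed to specific subnets or hosts, and remember that superseded policies are not removed for you. The following Python script is an added example (not Fortinet code and not part of this page) that performs that audit offline against the text of `show firewall policy`. It parses the `config firewall policy` block and flags any `accept` policy that touches an overlay tunnel interface while using `all` for both source and destination address and `ALL` for service. The sample configuration, the overlay interface name `HUB1-VPN1`, and the address object names are constructed for the example; the operator supplies the real overlay interface names, and the definition of "wildcard" (both addresses `all` and service `ALL`) is an assumption of the script.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of `show firewall policy` output (not from the page):
# policy 1 is the kind of wildcard overlay policy the Automatic option creates,
# policy 2 is a narrowed replacement, policy 3 is the loopback health check
# policy, and policy 4 is a wildcard policy on non-overlay interfaces.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "overlay-wildcard"
        set srcintf "HUB1-VPN1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "overlay-narrowed"
        set srcintf "HUB1-VPN1"
        set dstintf "port2"
        set action accept
        set srcaddr "branch-lan"
        set dstaddr "dc-app-servers"
        set schedule "always"
        set service "HTTPS"
    next
    edit 3
        set name "loopback-healthcheck"
        set srcintf "HUB1-VPN1"
        set dstintf "Loopback0"
        set action accept
        set srcaddr "all"
        set dstaddr "Loopback0-addr"
        set schedule "always"
        set service "PING"
    next
    edit 4
        set name "lan-to-wan"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
"""

_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
# FortiOS lists multi-valued settings as space-separated quoted tokens:
#   set srcaddr "net-a" "net-b"
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_policies(text: str) -> List[Dict[str, object]]:
    """Return one dict per `edit` entry inside `config firewall policy`.

    Each `set key value...` line becomes key -> list of values (quotes stripped).
    """
    policies: List[Dict[str, object]] = []
    current = None
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif stripped.startswith("edit "):
            current = {"id": int(stripped.split()[1])}
        elif stripped == "next" and current is not None:
            policies.append(current)
            current = None
        elif stripped == "end":
            in_block = False
        else:
            match = _SET_RE.match(line)
            if match and current is not None:
                key, raw = match.groups()
                current[key] = [t.strip('"') for t in _TOKEN_RE.findall(raw)]
    return policies


def is_overlay_wildcard(policy: Dict[str, object], overlay_intfs: Iterable[str]) -> bool:
    """True for an accept policy on an overlay interface with all/all/ALL."""
    overlay = set(overlay_intfs)
    intfs = list(policy.get("srcintf", [])) + list(policy.get("dstintf", []))
    touches_overlay = any(i in overlay for i in intfs)
    wildcard_addr = policy.get("srcaddr") == ["all"] and policy.get("dstaddr") == ["all"]
    any_service = policy.get("service") == ["ALL"]
    return policy.get("action") == ["accept"] and touches_overlay and wildcard_addr and any_service


def find_wildcard_overlay_policies(text: str, overlay_intfs: Iterable[str]) -> List[int]:
    """Policy IDs that should be reviewed for narrowing (or manual deletion)."""
    return [p["id"] for p in parse_policies(text) if is_overlay_wildcard(p, overlay_intfs)]


if __name__ == "__main__":
    # Overlay interface names are supplied by the operator; this one is constructed.
    for pid in find_wildcard_overlay_policies(SAMPLE_CONFIG, {"HUB1-VPN1"}):
        print(f"review policy {pid}: wildcard allow on an overlay interface")
```

In the sample, only policy 1 is reported: policy 2 is already narrowed to named address objects and a single service, policy 3 is the loopback health check policy, and policy 4 is a wildcard policy on interfaces that are not part of the overlay. Running this before and after switching the Policy creation option is a quick way to confirm which of the old wildcard policies still exist and must be deleted by hand.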