Hub Policy Package
To create the Hub Policy Package interactively:
- Go to Policy & Objects > Policy Packages, and click Policy Package > New to create a package named Hub.
- Under Installation Targets of the newly created Hub package, click Edit and assign the package to the Hubs device group.
- Under Firewall Policy, click Create New to create the following firewall rules. From and To are the source and destination zones (or interfaces); Src and Dst are address objects. For all rules, set Action to Accept:
| Name | From | To | Src | Dst | Service | NAT |
|---|---|---|---|---|---|---|
| Edge-Edge | overlay, hub2hub_overlay | overlay, hub2hub_overlay | CORP_LAN | CORP_LAN | ALL | No |
| Edge-Hub | lan_zone, overlay, hub2hub_overlay | lan_zone, overlay, hub2hub_overlay | CORP_LAN | CORP_LAN | ALL | No |
| Internet (DIA) | lan_zone | underlay | all | all | ALL | Yes |
| Internet (RIA) | overlay | underlay | all | all | ALL | Yes |
| Health-Check | overlay | Lo-HC | all | all | PING | No |
| Peering | overlay, hub2hub_overlay | Lo | all | all | PING, BGP | No |
- In the Edge-Edge rule, configure the following Advanced Options:

| Parameter | Value |
|---|---|
| anti-replay | off |
| tcp-session-without-syn | all |
Keep in mind that Edge-to-Edge traffic has already been inspected by the Spokes. There is no need to repeat the same inspection on the Hub, especially since most Edge-to-Edge traffic will not even transit the Hub: it will use direct ADVPN shortcuts instead.
Furthermore, if network conditions change, an established TCP session can switch to another overlay and start arriving at the Hub in the middle of the session. The Hub then has no session entry for it (it never saw the SYN) and the TCP sequence numbers it observes are outside the window it would normally enforce. The two Advanced Options above prevent the Hub from dropping such traffic: tcp-session-without-syn set to all lets the Hub create a session from a non-SYN packet, and anti-replay off stops it from discarding packets whose sequence numbers fall outside the expected window. They do not compromise security, because this Edge-to-Edge traffic is fully inspected by the Spokes whether or not it flows through the Hub. Keep these relaxations scoped to the Edge-Edge rule only; the Internet (DIA) and Internet (RIA) rules are the Hub's own inspection point for that traffic and should keep the default TCP checks.
Notes:
- Just like on the Spokes, we use System Zones and SD-WAN Zones to keep the policy package generic. There is one additional System Zone here (hub2hub_overlay) for the Hub-to-Hub overlays that interconnect different regions. Our Jinja Orchestrator will configure it on the Hub devices.
- This Policy Package is ready to support Remote Internet Access (the Internet (RIA) rule), where traffic arriving from the Edge devices through the overlays is forwarded to the Internet via the underlay.
- The Internet (DIA) rule also allows Direct Internet Access for the workloads hosted behind the Hub itself.
- We must explicitly allow the health-check probes that the Spokes send to the Hubs. This is done by the Health-Check rule, which admits only PING toward the Lo-HC loopback.
- We must also explicitly allow incoming BGP sessions from the Spokes and from the Hubs serving remote regions. In the "BGP on Loopback" design, all these BGP sessions terminate on the main loopback interface "Lo"; this is done by the Peering rule. In the "BGP per Overlay" design, only the inter-regional (Hub-to-Hub) BGP peering terminates on the loopback interface, so only the hub2hub_overlay zone is required as the From zone of this rule.
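For reference, here is the FortiOS CLI that the six rules above (with the "BGP on Loopback" form of the Peering rule) correspond to once FortiManager installs the Hub package. This is an added example, not text from the original guide and not the Jinja Orchestrator's output; it assumes that the zones lan_zone, overlay, underlay and hub2hub_overlay and the loopbacks Lo and Lo-HC already exist on the Hub, that the address object CORP_LAN is defined, and that the default schedule "always" is used. Policy IDs are left to FortiOS (edit 0 creates a new entry with the next free ID).

```fortios
# Added example: FortiOS CLI equivalent of the Hub Policy Package rules.
# Assumes zones lan_zone/overlay/underlay/hub2hub_overlay, loopbacks Lo/Lo-HC
# and the address object CORP_LAN already exist on the Hub.
config firewall policy
    edit 0
        set name "Edge-Edge"
        set srcintf "overlay" "hub2hub_overlay"
        set dstintf "overlay" "hub2hub_overlay"
        set srcaddr "CORP_LAN"
        set dstaddr "CORP_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        # Advanced Options from the table: accept sessions that fail over to
        # this Hub mid-stream (no SYN seen, sequence numbers out of window).
        set tcp-session-without-syn all
        set anti-replay disable
    next
    edit 0
        set name "Edge-Hub"
        set srcintf "lan_zone" "overlay" "hub2hub_overlay"
        set dstintf "lan_zone" "overlay" "hub2hub_overlay"
        set srcaddr "CORP_LAN"
        set dstaddr "CORP_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Internet (DIA)"
        set srcintf "lan_zone"
        set dstintf "underlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # NAT = Yes: source NAT to the underlay interface address.
        set nat enable
    next
    edit 0
        set name "Internet (RIA)"
        set srcintf "overlay"
        set dstintf "underlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "Health-Check"
        set srcintf "overlay"
        set dstintf "Lo-HC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # Only the Spokes' probes are admitted toward the health-check loopback.
        set service "PING"
    next
    edit 0
        set name "Peering"
        set srcintf "overlay" "hub2hub_overlay"
        set dstintf "Lo"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING" "BGP"
    next
end
```

For the "BGP per Overlay" design, drop "overlay" from the Peering rule's srcintf so that only hub2hub_overlay can reach the loopback; the remaining rules are unchanged. Note that nat is disabled by default in a FortiOS firewall policy, which is why only the two Internet rules set it explicitly.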