Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN / SD-Branch Architecture for MSSPs

    Home FortiGate / FortiOS 7.4.0 SD-WAN / SD-Branch Architecture for MSSPs
    7.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    IPsec overlay

    IPsec overlay

    Within each region, a standard ADVPN configuration is used to build a Hub-and-Spoke topology over each available underlay transport:

    • The Hubs act as Dial-Up IPsec endpoints for the Spokes in the region they serve. A separate Dial-Up IPsec endpoint is configured on each available underlay transport. Every such endpoint defines a point-to-multipoint overlay.

    • Every Spoke builds a separate static IPsec tunnel over each available underlay transport towards each of the Hubs. For example, in a Dual-Hub region with two underlay transports (for example, Internet and MPLS), every Spoke will build four static IPsec tunnels.

    • ADVPN is enabled on all Hubs and Spokes.

    In order to interconnect multiple regions, the Hubs build IPsec tunnels between them:

    • Usually those are static IPsec tunnels, forming a Full Mesh, although alternative topologies can be considered when the number of regions becomes too large.

    • Optionally, ADVPN can be enabled (in forwarder mode) on all the Hub-to-Hub tunnels to allow inter-regional shortcuts.

    • The Hub-to-Hub tunnels can be built either over all available underlay transports or only over some of them. There is no strict relation between the transports used within each region and those used for the Hub-to-Hub connectivity.

      Note

      This flexibility is made possible by the ADVPN 2.0 framework. We discuss it in more detail in a dedicated section.
    Previous
    Next

    IPsec overlay

    IPsec overlay

    Within each region, a standard ADVPN configuration is used to build a Hub-and-Spoke topology over each available underlay transport:

    • The Hubs act as Dial-Up IPsec endpoints for the Spokes in the region they serve. A separate Dial-Up IPsec endpoint is configured on each available underlay transport. Every such endpoint defines a point-to-multipoint overlay.

    • Every Spoke builds a separate static IPsec tunnel over each available underlay transport towards each of the Hubs. For example, in a Dual-Hub region with two underlay transports (for example, Internet and MPLS), every Spoke will build four static IPsec tunnels.

    • ADVPN is enabled on all Hubs and Spokes.

    In order to interconnect multiple regions, the Hubs build IPsec tunnels between them:

    • Usually those are static IPsec tunnels, forming a Full Mesh, although alternative topologies can be considered when the number of regions becomes too large.

    • Optionally, ADVPN can be enabled (in forwarder mode) on all the Hub-to-Hub tunnels to allow inter-regional shortcuts.

    • The Hub-to-Hub tunnels can be built either over all available underlay transports or only over some of them. There is no strict relation between the transports used within each region and those used for the Hub-to-Hub connectivity.

      Note

      This flexibility is made possible by the ADVPN 2.0 framework. We discuss it in more detail in a dedicated section.
    Previous
    Next