Fortinet black logo

Cookbook

Configuring the SD-WAN to steer traffic between the overlays

Copy Link
Copy Doc ID 30be976a-bbb3-11ee-8673-fa163e15d75b:158602
Download PDF

Configuring the SD-WAN to steer traffic between the overlays

Configure the HQ FortiGate to use two overlay tunnels for SD-WAN, steering HTTPS and HTTP traffic through the FGT_AWS_Tun tunnel, and SSH and FTP throguh the AWS_VPG tunnel.

  1. Add SD-WAN member interfaces
  2. Configure a route to the remote network
  3. Configure firewall policies
  4. Configure a health check
  5. Configure SD-WAN rules
To add SD-WAN member interfaces:
  1. Go to Network > SD-WAN
  2. Set Status to Enable.
  3. In the SD-WAN Interface Members table, click Create New.
  4. Set Interface to AWS_VPG then click OK.

  5. Click Create New again.
  6. Set Interface to FGT_AWS_Tun.
  7. Set Gateway to 172.16.200.1.
  8. Click OK.

To configure a route to the remote network 10.0.2.0/24:
  1. Go to Network > Static Routes and click Create New.
  2. Set Destination to Subnet and enter the IP address and netmask: 10.0.2.0/255.255.255.0.
  3. Set Interface to SD-WAN.

  4. Click OK.
To configure firewall policies to allow traffic from the internal subnet to SD-WAN:
  1. Go to Policy & Objects > IPv4 Policy and click Create New.
  2. Configure the following:

    Name

    ISFW-to-IaaS

    Incoming Interface

    port3

    Outgoing Interface

    SD-WAN

    Source

    all

    Destination

    all

    Schedule

    always

    Service

    ALL

    Action

    ACCEPT

    NAT

    Enabled

  3. Configure the remaining settings as required.
  4. Click OK.

    Once the firewall policies are configured, the VPN tunnels should come up when there is traffic.

To configure a health check to monitor the status of the tunnels:

As you are accessing the servers on the 10.0.2.0/24 subnet, it is preferable to use the FortiGate port2 interface as the ping server for detection. This ensures that, if the gateway is not reachable in either tunnel, its routes are brought down and traffic continues on the other tunnel.

  1. Go to Network > Performance SLA and click Create New.
  2. Configure the following:

    Name

    ping_AWS_Gateway

    Protocol

    Ping

    Server

    10.0.2.10

    Participants

    Add AWS_VPG and FGT_AWS_Tun as participants.

  3. Click OK.

    Health check probes originate from the VPN interface's IP address. This is why the phase2 selectors are configured with Local Address set to all.

To configure SD-WAN rules to steer traffic:

HTTPS and HTTP traffic is steered to the FGT_AWS_Tun tunnel, and SSH and FTP traffic is steered to the AWS_VPG tunnel. The Manual algorithm is used in this example.

  1. Go to Network > SD-WAN Rules and click Create New.
  2. Configure the following:

    Name

    http-to-FGT_AWS_Tun

    Source Address

    all

    Address

    remote_subnet_10_0_2_0

    Protocol

    TCP

    Port range

    80 - 80

    Outgoing Interfaces

    Manual

    Interface preference

    FGT_AWS_Tun

  3. Click OK.
  4. Create other SD-WAN rules as required:

Configuring the SD-WAN to steer traffic between the overlays

Configure the HQ FortiGate to use two overlay tunnels for SD-WAN, steering HTTPS and HTTP traffic through the FGT_AWS_Tun tunnel, and SSH and FTP throguh the AWS_VPG tunnel.

  1. Add SD-WAN member interfaces
  2. Configure a route to the remote network
  3. Configure firewall policies
  4. Configure a health check
  5. Configure SD-WAN rules
To add SD-WAN member interfaces:
  1. Go to Network > SD-WAN
  2. Set Status to Enable.
  3. In the SD-WAN Interface Members table, click Create New.
  4. Set Interface to AWS_VPG then click OK.

  5. Click Create New again.
  6. Set Interface to FGT_AWS_Tun.
  7. Set Gateway to 172.16.200.1.
  8. Click OK.

To configure a route to the remote network 10.0.2.0/24:
  1. Go to Network > Static Routes and click Create New.
  2. Set Destination to Subnet and enter the IP address and netmask: 10.0.2.0/255.255.255.0.
  3. Set Interface to SD-WAN.

  4. Click OK.
To configure firewall policies to allow traffic from the internal subnet to SD-WAN:
  1. Go to Policy & Objects > IPv4 Policy and click Create New.
  2. Configure the following:

    Name

    ISFW-to-IaaS

    Incoming Interface

    port3

    Outgoing Interface

    SD-WAN

    Source

    all

    Destination

    all

    Schedule

    always

    Service

    ALL

    Action

    ACCEPT

    NAT

    Enabled

  3. Configure the remaining settings as required.
  4. Click OK.

    Once the firewall policies are configured, the VPN tunnels should come up when there is traffic.

To configure a health check to monitor the status of the tunnels:

As you are accessing the servers on the 10.0.2.0/24 subnet, it is preferable to use the FortiGate port2 interface as the ping server for detection. This ensures that, if the gateway is not reachable in either tunnel, its routes are brought down and traffic continues on the other tunnel.

  1. Go to Network > Performance SLA and click Create New.
  2. Configure the following:

    Name

    ping_AWS_Gateway

    Protocol

    Ping

    Server

    10.0.2.10

    Participants

    Add AWS_VPG and FGT_AWS_Tun as participants.

  3. Click OK.

    Health check probes originate from the VPN interface's IP address. This is why the phase2 selectors are configured with Local Address set to all.

To configure SD-WAN rules to steer traffic:

HTTPS and HTTP traffic is steered to the FGT_AWS_Tun tunnel, and SSH and FTP traffic is steered to the AWS_VPG tunnel. The Manual algorithm is used in this example.

  1. Go to Network > SD-WAN Rules and click Create New.
  2. Configure the following:

    Name

    http-to-FGT_AWS_Tun

    Source Address

    all

    Address

    remote_subnet_10_0_2_0

    Protocol

    TCP

    Port range

    80 - 80

    Outgoing Interfaces

    Manual

    Interface preference

    FGT_AWS_Tun

  3. Click OK.
  4. Create other SD-WAN rules as required: