
SD-WAN Deployment for MSSPs

7.2.0

Hub Policy Package


To create the Hub Policy Package interactively:
  1. In Policy & Objects, navigate to Policy Packages. Click Policy Package > New and create a package named Hub.

  2. Under Installation Targets of the newly created Hub package, click Edit and assign the package to the Hubs device group.

  3. Under Firewall Policy, click Create New to create the following firewall rules. For all rules, set Action to Accept:

    Name            | From                               | To                                 | Src      | Dst      | Service   | NAT
    ----------------|------------------------------------|------------------------------------|----------|----------|-----------|----
    Edge-Edge       | overlay, hub2hub_overlay           | overlay, hub2hub_overlay           | CORP_LAN | CORP_LAN | ALL       | No
    Edge-Hub        | lan_zone, overlay, hub2hub_overlay | lan_zone, overlay, hub2hub_overlay | CORP_LAN | CORP_LAN | ALL       | No
    Internet (DIA)  | lan_zone                           | underlay                           | all      | all      | ALL       | Yes
    Internet (RIA)  | overlay                            | underlay                           | all      | all      | ALL       | Yes
    Health-Check    | overlay                            | Lo-HC                              | all      | all      | PING      | No
    Peering         | overlay, hub2hub_overlay           | Lo                                 | all      | all      | PING, BGP | No

  4. In the Edge-Edge rule, configure the following Advanced Options:

    Parameter               | Value
    ------------------------|------
    anti-replay             | off
    tcp-session-without-syn | all

    Note

    Keep in mind that Edge-to-Edge traffic will already have been secured by the Spokes. Hence, there is no need to repeat the same inspection on the Hub, especially since most Edge-to-Edge traffic will not even transit the Hub: it will use direct ADVPN shortcuts instead.

    Furthermore, if network conditions change, the traffic could switch to another overlay and reach the Hub in the middle of a TCP session. The above Advanced Options are necessary to avoid dropping traffic in this situation. Note that they do not compromise security, because this Edge-to-Edge traffic is already fully inspected by the Spokes, both when it flows through the Hub and when it does not.

Notes:

  • Just like the Spokes, we are using System Zones and SD-WAN Zones to keep the policy package generic. There is one additional System Zone here (hub2hub_overlay) for the Hub-to-Hub overlays that interconnect different regions. Our Jinja Templates will configure it on the Hub devices.

  • This Policy Package is ready to support Remote Internet Access where traffic arriving from the Edge devices through the overlays is directed to the Internet (underlay).

  • This Firewall Policy also allows Direct Internet Access for the workloads hosted behind the Hub itself.

  • We must explicitly allow the health-check probes that the Spokes will send to the Hubs, as done in the Health-Check rule.

  • We must also explicitly allow incoming BGP sessions from the Spokes and from the Hubs serving remote regions. (In the "BGP on Loopback" design, all these BGP sessions will be terminated on the main loopback interface "Lo".) This is done in the Peering rule.

    Note

    In the "BGP per Overlay" design, only the inter-regional (Hub-to-Hub) BGP peering is terminated on the loopback interface. Hence, only the hub2hub_overlay zone is required in this rule.
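As an added example (not part of this guide or of FortiManager), the following Python script encodes the Hub rule table above and evaluates a flow against it in first-match order, so you can check which rule a Spoke's BGP session, its health-check probe, or an unsolicited underlay-sourced packet would hit, and whether the implicit deny applies. The CORP_LAN prefix and the sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    src: str             # address object: "CORP_LAN" or "all"
    dst: str
    services: set        # {"ALL"} or explicit services, e.g. {"PING", "BGP"}
    nat: bool
    advanced: dict = field(default_factory=dict)

# Rules transcribed from the Hub table above, in the order they are evaluated.
HUB_RULES = [
    Rule("Edge-Edge", {"overlay", "hub2hub_overlay"}, {"overlay", "hub2hub_overlay"},
         "CORP_LAN", "CORP_LAN", {"ALL"}, False,
         {"anti-replay": "off", "tcp-session-without-syn": "all"}),
    Rule("Edge-Hub", {"lan_zone", "overlay", "hub2hub_overlay"},
         {"lan_zone", "overlay", "hub2hub_overlay"}, "CORP_LAN", "CORP_LAN", {"ALL"}, False),
    Rule("Internet (DIA)", {"lan_zone"}, {"underlay"}, "all", "all", {"ALL"}, True),
    Rule("Internet (RIA)", {"overlay"}, {"underlay"}, "all", "all", {"ALL"}, True),
    Rule("Health-Check", {"overlay"}, {"Lo-HC"}, "all", "all", {"PING"}, False),
    Rule("Peering", {"overlay", "hub2hub_overlay"}, {"Lo"}, "all", "all", {"PING", "BGP"}, False),
]

# Constructed assumption: the CORP_LAN address group covers this prefix.
CORP_LAN = [ipaddress.ip_network("10.0.0.0/8")]

def addr_matches(obj, ip):
    """True if address object `obj` ("all" or "CORP_LAN") contains `ip`."""
    return obj == "all" or any(ipaddress.ip_address(ip) in net for net in CORP_LAN)

def match(src_zone, dst_zone, src_ip, dst_ip, service, rules=HUB_RULES):
    """First rule accepting the flow, or None for the implicit deny."""
    for r in rules:
        if (src_zone in r.src_zones and dst_zone in r.dst_zones
                and addr_matches(r.src, src_ip) and addr_matches(r.dst, dst_ip)
                and ("ALL" in r.services or service in r.services)):
            return r
    return None

if __name__ == "__main__":
    # Constructed sample flows: a Spoke BGP session, its probe, an underlay-sourced attempt.
    for flow in [("overlay", "Lo", "10.1.1.1", "10.200.0.1", "BGP"),
                 ("overlay", "Lo-HC", "10.1.1.1", "10.200.1.1", "PING"),
                 ("underlay", "overlay", "203.0.113.5", "10.1.1.1", "ALL")]:
        r = match(*flow)
        print(flow, "->", r.name if r else "implicit deny", r.advanced if r else "")
```

Only the Edge-Edge rule carries the relaxed anti-replay and TCP-without-SYN settings, so a flow that lands on any other rule keeps the default session checks.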
