Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN Deployment for MSSPs

    Home FortiGate / FortiOS 7.4.0 SD-WAN Deployment for MSSPs
    7.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Recommended for ADVPN

    Recommended for ADVPN

    This advanced option is often desirable for the SD-WAN rules controlling the internal (corporate) traffic, because multiple, partially overlapping summary routes are often advertised from different locations.

    But above all, it is recommended for the rules controlling the Spoke-to-Spoke ADVPN traffic. Let's see why.

    Consider a simple SD-WAN rule selecting between the two overlays (in the order of preference): H1_ISP1, H1_MPLS:

    • A new session arrives, destined to 10.0.2.101, which belongs to the LAN prefix 10.0.2.0/24 behind a remote Spoke device, which is advertised using BGP and thus reachable through both of the above overlays.

    • When the H1_ISP1 overlay is selected, and a new ADVPN shortcut H1_ISP1_0 is built over it, this new shortcut is automatically inserted at the head of the preference list:
      [ H1_ISP1_0, H1_ISP1, H1_MPLS ]

    • If, however, the health of the ISP1 link on the remote Spoke is degraded, this will result in this shortcut becoming out of SLA (detected by the ADVPN Shortcut Monitoring feature), and it will move to the end of the list:
      [ H1_ISP1, H1_MPLS, H1_ISP1_0 ]

    • If ADVPN 2.0 is in use, then shortly after this an alternative shortcut should be triggered (for example, an MPLS shortcut).

    • However, while the new shortcut is not available yet, we would like to avoid unnecessary steering towards the Hub tunnels H1_ISP1 and H1_MPLS, which now happen to be at the head of the list.

    • The ADVPN integration with BGP ensures that the best route towards 10.0.2.0/24 is now resolved only via the shortcut H1_ISP1_0. However, similar to the the previous example, there may still be a default route (or another summary route) via H1_ISP1 and H1_MPLS, which by default would be considered valid enough for the SD-WAN rule to select one of those members!

    • To avoid this, we recommend configuring tie-break fib-best-match, to guarantee that only the best route towards 10.0.2.0/24 is considered. Once the new shortcut is available, the best route will be recursively resolved via it, allowing the traffic to switchover smoothly.

    Previous
    Next

    Recommended for ADVPN

    Recommended for ADVPN

    This advanced option is often desirable for the SD-WAN rules controlling the internal (corporate) traffic, because multiple, partially overlapping summary routes are often advertised from different locations.

    But above all, it is recommended for the rules controlling the Spoke-to-Spoke ADVPN traffic. Let's see why.

    Consider a simple SD-WAN rule selecting between the two overlays (in the order of preference): H1_ISP1, H1_MPLS:

    • A new session arrives, destined to 10.0.2.101, which belongs to the LAN prefix 10.0.2.0/24 behind a remote Spoke device, which is advertised using BGP and thus reachable through both of the above overlays.

    • When the H1_ISP1 overlay is selected, and a new ADVPN shortcut H1_ISP1_0 is built over it, this new shortcut is automatically inserted at the head of the preference list:
      [ H1_ISP1_0, H1_ISP1, H1_MPLS ]

    • If, however, the health of the ISP1 link on the remote Spoke is degraded, this will result in this shortcut becoming out of SLA (detected by the ADVPN Shortcut Monitoring feature), and it will move to the end of the list:
      [ H1_ISP1, H1_MPLS, H1_ISP1_0 ]

    • If ADVPN 2.0 is in use, then shortly after this an alternative shortcut should be triggered (for example, an MPLS shortcut).

    • However, while the new shortcut is not available yet, we would like to avoid unnecessary steering towards the Hub tunnels H1_ISP1 and H1_MPLS, which now happen to be at the head of the list.

    • The ADVPN integration with BGP ensures that the best route towards 10.0.2.0/24 is now resolved only via the shortcut H1_ISP1_0. However, similar to the the previous example, there may still be a default route (or another summary route) via H1_ISP1 and H1_MPLS, which by default would be considered valid enough for the SD-WAN rule to select one of those members!

    • To avoid this, we recommend configuring tie-break fib-best-match, to guarantee that only the best route towards 10.0.2.0/24 is considered. Once the new shortcut is available, the best route will be recursively resolved via it, allowing the traffic to switchover smoothly.

    Previous
    Next