Fortinet Document Library

What’s new

This section identifies new features and enhancements available with SD-WAN Orchestrator MEA 7.0.0.r3.

For information about what's new in FortiManager 7.0, see the FortiManager 7.0 New Features Guide.

High Availability

SD-WAN Orchestrator MEA now supports high availability (HA), which addresses a key requirement of critical enterprise management and improves networking reliability. HA negotiates successfully and synchronizes configuration from the primary unit to the secondary units when all of the following are true: two or more FortiManager units are configured in an HA cluster, SD-WAN Orchestrator MEA is enabled on each FortiManager, and the versions of FortiManager and SD-WAN Orchestrator MEA are the same on the primary and secondary units.

IPsec VPN connection to third-party devices

SD-WAN Orchestrator MEA supports establishing IPsec tunnels with external VPN gateways. External VPN gateways can be any generic IPsec gateways that are not managed by SD-WAN Orchestrator MEA.

Additional platforms supported

SD-WAN Orchestrator MEA now supports the following FortiGate platforms:

  • FortiGate 200F
  • FortiGate 201F
  • FortiGateRugged 60F
  • FortiGateRugged 60F-3G4G

SD-WAN Orchestrator MEA now supports the following FortiAP platforms:

  • FAP-23JF (FP23JF)
  • FAP-231F (FP231F)
  • FAP-234F (FP234F)
  • FAP-431F (FP431F)
  • FAP-432F (FP432F)
  • FAP-433F (FP433F)
  • FAP-231E (FP231E)

SD-WAN Orchestrator MEA now supports the following FortiSwitch platforms:

  • FortiSwitch 124F
  • FortiSwitch 124F-FPOE
  • FortiSwitch 124F-POE
  • FortiSwitch 148F
  • FortiSwitch 148F-FPOE
  • FortiSwitch 148F-POE
  • FortiSwitch 448E
  • FortiSwitch 448E-FPOE
  • FortiSwitch 448E-POE

Configurable IPsec template for SD-WAN overlay

An IPsec template defines the configurable parameters used when FortiGate devices negotiate IPsec tunnels (overlay links) with other devices.

You can choose the default templates, or create custom templates.

Inject global route to SD-WAN network

This feature uses the router prefix-list configuration to support manually injecting routes learned through OSPF/BGP to global routing.

Enable/disable advertisement of LAN networks via BGP

Before SD-WAN Orchestrator MEA 7.0.0.r3, the subnets of LAN/DMZ interfaces, which are not allowed to overlap, were automatically added to the BGP network and advertised to other devices. Now you can choose whether to allow subnets to be advertised via BGP.

For LAN on secondary hubs, if the Share Primary Hub Subnet option is switched ON, the Allow Overlap Between Devices option is hidden and switched ON. For such LAN, this option is also shown to allow the subnet of the interface to be advertised via BGP.

Install policy package when first online action is SYNC_CONFIG

In SD-WAN Orchestrator MEA, the First Online Action option has been improved to include policy package installation when FortiGate first comes online. When the First Online Action is SYNC_CONFIG and a proper policy package is selected, this device will automatically install the policy package after it first comes online.

Expose REST API

The SD-WAN Orchestrator MEA REST API is now exposed for use.

Before using the REST API, ensure that you set up an administrator account in FortiManager for the API user by using the System Settings module in FortiManager. The administrator account requires permission to the specific ADOM, REST API, and management extension access.

  1. Administrators first log in to the FortiManager API by using the JSON RPC standard with the username and password for the administrator account.

    If authentication succeeds, cookies are sent back.

  2. Administrators send POST requests to https://<fmg_ip>/fortiwan/jsonrpc with FortiManager cookies.

    The request format is similar to FortiManager JSON API, which is based on the JSON RPC standard.

For an introduction to FortiManager JSON API, see the Fortinet Developer Network site at https://fndn.fortinet.net/.
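The two steps above, sketched in Python as an added example (not Fortinet's code): one cookie jar carries the login cookies to `/fortiwan/jsonrpc`, TLS verification stays on, and plain HTTP is refused. The login call shape (`exec` on `/sys/login/user` at `/jsonrpc`) is an assumption based on the FortiManager JSON API, and the class name, function names, and the inner `method`/`url` values passed to `fortiwan()` are hypothetical placeholders to check against the FNDN documentation.

```python
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar
from urllib.parse import urlsplit

LOGIN_PATH = "/jsonrpc"  # assumption: FortiManager JSON API endpoint
FORTIWAN_PATH = "/fortiwan/jsonrpc"  # endpoint named on this page

def rpc_body(method, url, data=None, req_id=1):
    """Serialize one JSON RPC style call (body shape is an assumption)."""
    params = {"url": url}
    if data is not None:
        params["data"] = data
    return json.dumps({"id": req_id, "method": method, "params": [params]}).encode()

def build_request(base_url, path, body):
    """Build the POST; refuse plain HTTP so credentials and cookies stay encrypted."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("FortiManager API must be reached over https")
    return urllib.request.Request(
        base_url.rstrip("/") + path, data=body, method="POST",
        headers={"Content-Type": "application/json"})

class FmgSession:
    """Hypothetical helper: one cookie jar shared by login and later calls."""
    def __init__(self, base_url, ca_file=None):
        self.base_url = base_url
        self.jar = CookieJar()
        # The default context verifies the certificate chain and the hostname.
        ctx = ssl.create_default_context(cafile=ca_file)
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.HTTPCookieProcessor(self.jar))

    def _post(self, path, body):
        req = build_request(self.base_url, path, body)
        with self.opener.open(req, timeout=30) as resp:
            return json.load(resp)

    def login(self, user, passwd):
        # Step 1: log in; cookies FortiManager sends back are stored in self.jar.
        creds = {"user": user, "passwd": passwd}
        return self._post(LOGIN_PATH, rpc_body("exec", "/sys/login/user", creds))

    def fortiwan(self, method, url, data=None):
        # Step 2: POST to /fortiwan/jsonrpc; the opener attaches the stored cookies.
        return self._post(FORTIWAN_PATH, rpc_body(method, url, data))
```

Supply the password from a secrets store or environment variable rather than the script, and pass `ca_file` when FortiManager uses a certificate issued by a private CA instead of disabling verification.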

Interface speed test with Network Monitor license

SD-WAN Orchestrator MEA supports WAN port speed tests, including manual tests, first online tests, and scheduled recurring tests with auto-apply. After the speed test, you can click the Apply Results to Estimated Bandwidth button to copy the results to Estimated Upstream Bandwidth and Estimated Downstream Bandwidth. If you want to apply this configuration, click OK, and manually synchronize the device.

The following default schedules are available:

  • always
  • default-darrp-optimize
  • none

You cannot delete default schedules, but you can create custom schedules. Go to Configuration > Shared Resources > System > Schedule.

Usability enhancements

  • Support for importing devices when region already exists
  • Support for changing Address&Address Group name to replace device ID with device name

    Address&Address Group name now uses the device name rather than the device ID. You can view this change in Shared Resources > Intranet Address > IPv4 Address&IPv4 Address Group as well as in the business rules panel. You can also view the change in FortiManager by going to Policy & Objects > Object Configurations > Firewall Objects > Addresses.

  • Support to change Overlay health check name (SD-WAN Performance SLA) from ID to the device name
  • Support to maintain an address group in FortiManager for all LAN subnets with per-device mappings

GUI enhancements

  • Support for FortiManager GUI Global theme change

    The GUI theme on SD-WAN Orchestrator MEA can now match the GUI theme defined on FortiManager.

  • More information has been added to ADVPN shortcut monitor.
  • FSW/AP topology has been enhanced.
  • IP Pool can be added directly in the LAN port configuration page by using a button.

    Go to Device > Network > Interface > LAN to view the button.
