Configuring an SD-WAN overlay template
The SD-WAN overlay template wizard guides you through deploying SD-WAN overlays in your network. When you finish the wizard, multiple provisioning templates are generated for use in your SD-WAN environment.
The SD-WAN overlay template wizard can be run again later to regenerate the provisioning templates if required. See Editing the SD-WAN overlay template.
To create an SD-WAN overlay template:
- Go to Device Manager > Provisioning Templates > SD-WAN Overlay Templates.
- Click Create New.
The Create New SD-WAN Overlay Template wizard opens.
- Enter a name and description for the new SD-WAN overlay template, and click OK.
- For the Region Settings, configure the following settings and click Next.
Select New Topology
Select a topology type based on your environment. Topologies include the following:
- Single Hub
- Dual Hub (Primary/Secondary)
- Dual Hub (Primary/Primary)
The options presented in the wizard change based on the topology selected.
Primary/Secondary and Primary/Primary generate the same configuration. The difference is that in a Primary/Secondary deployment the secondary hub is given a higher cost than the primary, so branches prefer the primary hub while it is reachable. This cost is controlled by the SD-WAN rule.
Advanced
Expand to view additional configurable settings.
These fields are preconfigured with settings that work in many environments, but you may need to adjust them to match your own network. They should match the addresses you identified when reviewing the SD-WAN overlay template prerequisites. See Template prerequisites and network planning.
Loopback IP Address
Optionally, you can configure the range from which device loopback IP addresses are assigned. By default, this setting is 172.16.0.0/255.255.0.0.
Overlay Network
Optionally, you can configure the overlay network from which the per-overlay tunnel subnets are carved. By default, this setting is 10.10.0.0/255.255.0.0.
BGP-AS Number
Optionally, you can configure the BGP AS number. By default, this setting is 65000, which is a private AS number (64512 to 65534); change it if that AS is already used elsewhere in your network.
Auto-Discovery VPN
Optionally, toggle this setting ON to enable Auto Discovery VPN (ADVPN).
- For the Role Assignment, configure the following settings and click Next.
Topology
Optionally, you can change the topology type that you selected on the previous screen.
Hub
Select the SD-WAN hubs. The number of hubs required depends on the topology selected:
- Single Hub: One standalone hub.
- Dual Hub (Primary & Secondary): One primary and one secondary hub.
- Dual Hub (Primary & Primary): Two primary hubs.
Hub devices must be added to FortiManager before creating the SD-WAN overlay template.
Branch Device Group Assignment
Select the device group containing your SD-WAN branch devices.
Devices included in this device group are configured as SD-WAN branch devices as a part of this template.
Additional devices can be added to the selected device group later to receive the SD-WAN branch configuration when performing an installation on that device. This simplifies the onboarding of new branch devices. See Onboarding new branch devices.
Enable this setting to automatically assign a branch ID to each device in the branch device group. Branch IDs are also assigned to devices added to the branch device group later, including devices added through a zero-touch provisioning device blueprint.
Branch ID values range from 1 to the maximum allowed by the per-overlay subnet. For example, with the default 10.10.0.0/255.255.0.0 overlay network, a deployment with 5 to 8 overlays uses a /19 subnet per overlay, which allows a maximum of 8190 branch IDs (the number of usable IP addresses, one per FortiGate, in each overlay subnet). See SD-WAN overlay template IP network design.
When this setting is not enabled, you must manually configure the branch ID for each branch device.
- For the Network Configuration, configure the following settings and click Next.
Hub
Configure the network settings for each hub in your configuration. The number and types of hubs present depend on the topology you selected.
WAN Underlay
Type the interfaces for each WAN underlay. You can add additional WAN underlays by clicking the add icon.
For each WAN underlay, you can optionally enable the following settings:
- Private Link: Marks the underlay as a private link. No overlays are created on private links, so traffic on them is not carried inside an IPsec overlay built by this template.
- Override IP: Override the IP address for the WAN underlay with the provided IP address. This option is not available when Private Link is enabled.
Network Advertisement
Configure network advertisement for the hub. Network advertisement can be set to one of the following:
- Connected: Type the network interface to advertise. Additional interfaces can be added by clicking the add icon.
- Static: Type the network prefix to advertise. Additional network prefixes can be added by clicking the add icon.
Advanced
Expand to view advanced settings, including configuration of SD-WAN neighbors.
Click Neighbors > Create New to add a new SD-WAN neighbor for the hub.
Branch Route Maps
Optionally, move the toggle to the ON position to enable branch route maps, and then select the corresponding route map. You can create a new route map by clicking the add icon, or select one of the default route maps.
See also Using preconfigured route maps for self-healing with BGP.
Branch
Configure the network settings for the branch devices in your configuration.
WAN Underlay
Type the interfaces for the SD-WAN branch WAN underlay. You can add additional WAN underlays by clicking the add icon.
For each WAN underlay, you can optionally enable the following settings:
- Private Link: No overlays will be created on private links.
Network Advertisement
Configure network advertisement for the branch. Network advertisement can be set to one of the following:
- Connected: Type the network interface to advertise. Additional interfaces can be added by clicking the add icon.
- Static: Type the network prefix to advertise. Additional network prefixes can be added by clicking the add icon.
Advanced
Expand to view advanced settings, including configuration of route maps for hub overlays. You can apply the route map settings to all hub overlays or specify them individually.
See also Using preconfigured route maps for self-healing with BGP.
- For the Template Options, configure the following settings and click Next.
Add Overlay Objects to SD-WAN Template
Toggle this setting ON to automatically add the overlay objects configured by this template to a new or existing SD-WAN template.
Select an existing SD-WAN template or click the add icon to create a new SD-WAN template. See SD-WAN templates.
Add Overlay Interfaces and Zones
Toggle this setting ON to add overlay interfaces and zones.
Add Healthcheck Servers for Each HUB as Performance SLA
Toggle this setting ON to add a health check server for each hub as a performance SLA.
Normalize Interfaces
Enable this setting to automatically normalize the SD-WAN zones created by the template.
The template creates the following normalized interfaces:
- HUB-Lo with the following per-device mapping:
- HUB1-Lo for HUB1.
- HUB2-Lo for HUB2 (dual-HUB topology).
- HUB1 SD-WAN zone mapped per-platform to HUB1.
- HUB2 SD-WAN zone mapped per-platform to HUB2 (dual-HUB topology).
- Normalized interfaces for VPN IPsec tunnel templates created by the wizard are added to the normalized interface list as VPN1/VPN2.
Add Health Check Firewall Policy to HUB/Branch Policy Package
Enable this setting to automatically create health check firewall policies and policy blocks for HUBs and branches. When enabled, you must select a new or existing policy package. Based on the selection, firewall policies and policy blocks are created to allow SLA health checks to each device loopback.
- The summary window lists the SD-WAN overlay configurations that will be created by this template. When you click Finish, multiple provisioning templates are created based on the information you provided and are automatically assigned to the devices specified in the wizard.
- Once complete, you can continue to deploy the SD-WAN provisioning templates in your environment. See Using the SD-WAN overlay template.
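The branch ID limit quoted in the Role Assignment step (a /19 per overlay and 8190 branch IDs for the default 10.10.0.0/16 with 5 to 8 overlays) is one instance of an address-planning rule. The following added helper is not FortiManager code; it assumes the general rule is "borrow enough bits to fit the overlay count rounded up to a power of two, then subtract the network and broadcast addresses", which reproduces the page's numbers. Confirm the assumed rule against the SD-WAN overlay template IP network design page before using it for a production plan.

```python
from ipaddress import IPv4Network

# Added planning helper, not FortiManager code. ASSUMPTION: FortiManager splits the
# overlay network into equal subnets by borrowing ceil(log2(overlay_count)) bits and
# counts usable hosts as 2^(host bits) - 2. The page only confirms one data point
# (10.10.0.0/16, 5-8 overlays -> /19, 8190 branch IDs).


def overlay_prefix_len(overlay_network, overlay_count):
    """Prefix length assumed to be carved per overlay out of the overlay network."""
    if overlay_count < 1:
        raise ValueError("at least one overlay is required")
    net = IPv4Network(overlay_network, strict=True)
    # (n - 1).bit_length() == ceil(log2(n)) for n >= 1: 1 -> 0 bits, 2 -> 1, 3..4 -> 2, 5..8 -> 3
    borrowed_bits = (overlay_count - 1).bit_length()
    prefix_len = net.prefixlen + borrowed_bits
    if prefix_len > 30:
        raise ValueError("overlay network %s is too small for %d overlays" % (overlay_network, overlay_count))
    return prefix_len


def max_branch_id(prefix_len):
    """Usable addresses in one overlay subnet, one per FortiGate (network and broadcast excluded)."""
    return 2 ** (32 - prefix_len) - 2


def plan_overlays(overlay_network, overlay_count, branch_count=0):
    """Per-overlay subnets for the design, plus a check that branch_count branch IDs fit."""
    prefix_len = overlay_prefix_len(overlay_network, overlay_count)
    net = IPv4Network(overlay_network, strict=True)
    subnets = [str(s) for s in list(net.subnets(new_prefix=prefix_len))[:overlay_count]]
    limit = max_branch_id(prefix_len)
    return {
        "prefix_len": prefix_len,
        "max_branch_id": limit,
        "subnets": subnets,
        "branches_fit": branch_count <= limit,
    }


if __name__ == "__main__":
    # Constructed input: wizard defaults, dual hub with four underlays each (8 overlays), 500 branches.
    plan = plan_overlays("10.10.0.0/16", overlay_count=8, branch_count=500)
    print("per-overlay prefix: /%d" % plan["prefix_len"])   # /19
    print("max branch IDs: %d" % plan["max_branch_id"])     # 8190
    for subnet in plan["subnets"]:
        print("  overlay subnet:", subnet)
    print("500 branches fit:", plan["branches_fit"])        # True
```

The `branches_fit` flag is the check worth running before onboarding: a deployment that grows past the limit cannot be fixed by adding devices to the group, because the per-overlay subnet size is fixed when the template is generated.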
Using preconfigured route maps for self-healing with BGP
Preconfigured route maps are available for selection in the SD-WAN overlay template to take advantage of SD-WAN self-healing using BGP.
FortiManager includes the following preconfigured route maps:
- Hubs: RM-VPN-Priority.
- Branches: Priority_1, Priority_2, Priority_3, Priority_4, and Priority_999 (used as a catch-all).
Hubs are automatically configured with five communities, each matched by a corresponding rule in the hub route map. Each branch route map advertises a given community, derived from the SD-WAN overlay template AS number. The community received from the branch determines the priority the hub assigns to the route, and a lower priority value is preferred: a priority_1 route is preferred over a priority_2 route, and routes carrying only the Priority_999 community are used when no better-tagged route exists.
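The following added example models the hub-side preference described above so the semantics (lower value wins, Priority_999 as catch-all) can be checked on sample advertisements. It is not the route maps FortiManager generates and it assumes two things the page does not spell out: that a branch community is encoded as "<template AS>:<priority>", and that a route whose communities match none of the five configured communities (for example one tagged by a foreign AS) is treated as catch-all priority rather than steering the hub.

```python
# Added illustration of the hub-side route preference; not FortiManager's generated config.
# ASSUMPTIONS (not confirmed by the page): communities are "<template AS>:<priority>", and a
# route with no matching community falls into the Priority_999 catch-all.

PRIORITY_LEVELS = (1, 2, 3, 4, 999)   # Priority_1 .. Priority_4 plus the Priority_999 catch-all
CATCH_ALL = 999


def community_table(template_as):
    """Community string -> priority value for the five communities the hub is configured with."""
    if not 1 <= template_as <= 4294967295:
        raise ValueError("invalid AS number: %r" % template_as)
    return {"%d:%d" % (template_as, p): p for p in PRIORITY_LEVELS}


def route_priority(communities, template_as):
    """Priority the hub assigns to a route from the communities the branch attached to it.
    Communities from another AS (e.g. "65001:1") match no rule and therefore cannot steer the hub."""
    table = community_table(template_as)
    matched = [table[c] for c in communities if c in table]
    return min(matched) if matched else CATCH_ALL


def select_best_overlay(advertisements, template_as):
    """advertisements: list of (overlay_name, communities) for one branch prefix.
    Returns the overlay the hub prefers: lowest priority value wins; ties broken by name
    (assumed tie-break, purely for determinism)."""
    if not advertisements:
        raise ValueError("no advertisements for prefix")
    return min(advertisements, key=lambda adv: (route_priority(adv[1], template_as), adv[0]))[0]


if __name__ == "__main__":
    # Constructed scenario: one branch prefix reachable over two overlays to HUB1.
    healthy = [("HUB1-VPN1", ["65000:1"]), ("HUB1-VPN2", ["65000:2"])]
    print("healthy:", select_best_overlay(healthy, 65000))      # HUB1-VPN1
    # Self-healing as modelled here: when the SLA on VPN1 fails, the branch re-tags that
    # route with the catch-all community, so the hub moves to VPN2 (assumed branch behaviour).
    degraded = [("HUB1-VPN1", ["65000:999"]), ("HUB1-VPN2", ["65000:2"])]
    print("degraded:", select_best_overlay(degraded, 65000))    # HUB1-VPN2
    # A community from a foreign AS is ignored, so that route only gets catch-all priority.
    foreign = [("HUB1-VPN1", ["65001:1"]), ("HUB1-VPN2", ["65000:4"])]
    print("foreign:", select_best_overlay(foreign, 65000))      # HUB1-VPN2
```

The foreign-AS case is the one to keep in mind when you change the BGP-AS Number in the Region Settings: the hub and branch route maps must be generated from the same AS, otherwise every branch route lands in the catch-all and the priorities have no effect.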