
Administration Guide

Objects and templates created by the SD-WAN overlay template

The SD-WAN overlay wizard automatically creates templates and objects required for deployment of SD-WAN in your environment. Generated templates and objects are assigned to the hub(s) specified by the template, and branch devices are identified by membership in the specified device group. See Configuring an SD-WAN overlay template.

The following templates and objects are created by the SD-WAN overlay template wizard:

  • IPsec templates
  • BGP templates
  • SD-WAN template configuration
  • CLI templates
  • Template groups
  • Metadata variables

The SD-WAN overlay template wizard also configures the SD-WAN overlay network. The default overlay network used by the wizard is 10.10.0.0, but this can be configured for your environment. The number of subnets created from the overlay network depends on the number of overlays and hubs that are configured.

The following sections detail the templates and associated components that are defined in dual-hub and single-hub deployment scenarios.

Dual-hub deployments

Category

Templates and Objects

IPsec Templates

The following IPsec templates are created for configuration of IPsec in your SD-WAN environment:

  • BRANCH_IPsec: The IPsec template for IPsec tunnels for branch devices. This template includes the following IPsec tunnels to allow connection from branch devices to the hubs through VPN1 and VPN2: HUB1-VPN1, HUB1-VPN2, HUB2-VPN1, and HUB2-VPN2.
  • HUB1_IPsec: The IPsec template created for hub 1. This template includes the IPsec tunnels VPN1 and VPN2 to allow secure communication from hub 1 to branch devices.
  • HUB2_IPsec: The IPsec template created for hub 2. This template includes the IPsec tunnels VPN1 and VPN2 to allow secure communication from hub 2 to branch devices.

BGP Templates

The following BGP templates are created for configuration of BGP in your SD-WAN environment:

  • BRANCH_BGP: The BGP template generated for your SD-WAN branch devices. This template uses the branch_id metadata variable to configure the Router ID for each branch device.
  • HUB1_BGP: The BGP template created for hub 1.
  • HUB2_BGP: The BGP template created for hub 2.

SD-WAN Template configurations

The following SD-WAN zones/members and health check servers are configured for the SD-WAN template specified in the wizard.

  • SD-WAN Zone/Interface Member: WAN1/port1, WAN2/port2, HUB1/HUB1-VPN1 and HUB1-VPN2, HUB2/HUB2-VPN1 and HUB2-VPN2
  • Performance SLA: HUB1_HC and HUB2_HC

Note: These settings are only applied when the Add Overlay Objects to SD-WAN Template option is enabled in the wizard.

CLI Templates

The following CLI templates are created to configure the device interfaces and BGP router ID.

  • BRANCH_CLI: Configure the interface and BGP router ID for branch devices. This template uses metadata variables to configure unique values for each branch device. This template is added to the BRANCH_CLIGRP template group.
  • HUB1_CLI: Configure the HUB1-Lo interface on the hub 1 device. This template is added to the HUB1_CLIGRP template group.
  • HUB2_CLI: Configure the HUB2-Lo interface on the hub 2 device. This template is added to the HUB2_CLIGRP template group.

Template Groups

A template group is created for hub and branch devices. These template groups include the provisioning templates created by the SD-WAN overlay template wizard for that device.

  • HUB1: Includes provisioning templates for the hub 1 device.
  • HUB2: Includes provisioning templates for the hub 2 device.
  • BRANCH: Includes provisioning templates for branch devices. This template is automatically applied to all devices included in the branch device group specified in the wizard.

For information about onboarding new branch devices using template groups, see Onboarding new branch devices.

Metadata Variables

ADOM-level metadata variables are used as variables in scripts and templates.

  • branch_id: The branch_id variable is automatically created by the template. Each branch device must be assigned a unique value. The branch_id metadata variable is used in branch provisioning templates to configure certain settings, such as the BGP router ID. When the Automatic Branch ID Assignment setting is enabled in the wizard, the branch ID is automatically applied to devices in the branch device group. See Automatic Branch ID Assignment.

Normalized Interfaces

When normalized interfaces is enabled in the template, the following normalized interfaces are created:

  • HUB-Lo with the following per-device mapping:
    • HUB1-Lo for HUB1.
    • HUB2-Lo for HUB2 (dual-HUB topology).
  • HUB1 SD-WAN zone mapped per-platform to HUB1.
  • HUB2 SD-WAN zone mapped per-platform to HUB2 (dual-HUB topology).
  • Normalized interfaces for VPN IPsec tunnel templates created by the wizard are added to the normalized interface list as VPN1/VPN2.

Single-hub deployments

Category

Templates and Objects

IPsec Templates

The following IPsec templates are created for configuration of IPsec in your SD-WAN environment:

  • BRANCH_IPsec: The IPsec template for IPsec tunnels for branch devices. This template includes the following IPsec tunnels to allow connection from branch devices to the hubs through VPN1 and VPN2: HUB1-VPN1 and HUB1-VPN2.
  • HUB1_IPsec: The IPsec template created for the hub. This template includes the IPsec tunnels VPN1 and VPN2 to allow secure communication from the hub to branch devices.

BGP Templates

The following BGP templates are created for configuration of BGP in your SD-WAN environment:

  • BRANCH_BGP: The BGP template generated for your SD-WAN branch devices. This template uses the branch_id metadata variable to configure the Router ID for each branch device.
  • HUB1_BGP: The BGP template created for the hub.

SD-WAN Template configurations

The following SD-WAN zones/members and health check servers are configured for the SD-WAN template specified in the wizard.

  • SD-WAN Zone/Interface Member: WAN1/port1, WAN2/port2, HUB1/HUB1-VPN1 and HUB1-VPN2.
  • Performance SLA: HUB1_HC.

Note: These settings are only applied when the Add Overlay Objects to SD-WAN Template option is enabled in the wizard.

CLI Templates

The following CLI templates are created to configure the device interfaces and BGP router ID.

  • BRANCH_CLI: Configure the interface and BGP router ID for branch devices. This template uses metadata variables to configure unique values for each branch device. This template is added to the BRANCH_CLIGRP template group.
  • HUB1_CLI: Configure the HUB1-Lo interface on the hub device. This template is added to the HUB1_CLIGRP template group.

Template Groups

A template group is created for hub and branch devices. These template groups include the provisioning templates created by the SD-WAN overlay template wizard for that device.

  • HUB1: Includes provisioning templates for the hub 1 device.
  • BRANCH: Includes provisioning templates for branch devices. The template is automatically applied to all devices included in the branch device group selected in the wizard.

For information about onboarding new branch devices using template groups, see Onboarding new branch devices.

Metadata Variables

ADOM-level metadata variables are used as variables in scripts and templates.

  • branch_id: The branch_id variable is automatically created by the template. Each branch device must be assigned a unique value. The branch_id metadata variable is used in branch provisioning templates to configure certain settings, such as the BGP router ID. When the Automatic Branch ID Assignment setting is enabled in the wizard, the branch ID is automatically applied to devices in the branch device group. See Automatic Branch ID Assignment.

Normalized Interfaces

When normalized interfaces is enabled in the template, the following normalized interfaces are created:

  • HUB-Lo with the following per-device mapping: HUB1-Lo for HUB1.
  • HUB1 SD-WAN zone mapped per-platform to HUB1.
  • Normalized interfaces for VPN IPsec tunnel templates created by the wizard are added to the normalized interface list as VPN1/VPN2.
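
The lists above can be turned into a post-deployment audit. The following is an added example, not Fortinet code: it builds the expected object names for a single-hub or dual-hub deployment from the names documented on this page, compares them with an inventory, and checks that every branch device has a unique branch_id. The inventory layout, the device names and the function names are assumptions; populate the inventory from whatever export you already use.

```python
def expected_objects(hubs):
    """Names the wizard creates, per this page, for 1 or 2 hubs."""
    if hubs not in (1, 2):
        raise ValueError("this page documents single-hub and dual-hub only")
    names = [f"HUB{i}" for i in range(1, hubs + 1)]
    return {
        "ipsec_templates": {"BRANCH_IPsec"} | {f"{h}_IPsec" for h in names},
        "branch_tunnels": {f"{h}-VPN{n}" for h in names for n in (1, 2)},
        "bgp_templates": {"BRANCH_BGP"} | {f"{h}_BGP" for h in names},
        "cli_templates": {"BRANCH_CLI"} | {f"{h}_CLI" for h in names},
        "performance_sla": {f"{h}_HC" for h in names},
    }

def audit(inventory, branch_ids, hubs):
    """Return findings: missing/extra objects and branch_id problems."""
    findings = []
    for category, want in sorted(expected_objects(hubs).items()):
        have = set(inventory.get(category, ()))
        findings += [f"missing {category}: {n}" for n in sorted(want - have)]
        # Extra names are often leftovers from a different topology.
        findings += [f"unexpected {category}: {n}" for n in sorted(have - want)]
    seen = {}  # branch_id -> first device that used it
    for device, bid in sorted(branch_ids.items()):
        if bid is None or str(bid).strip() == "":
            findings.append(f"branch_id unset: {device}")
        elif bid in seen:
            # branch_id feeds the BGP router ID, so a duplicate means
            # two branches would present the same router ID.
            findings.append(f"duplicate branch_id {bid}: {seen[bid]}, {device}")
        else:
            seen[bid] = device
    return findings

# Constructed sample data (hypothetical layout, not a FortiManager export).
SAMPLE_INVENTORY = {
    "ipsec_templates": ["BRANCH_IPsec", "HUB1_IPsec", "HUB2_IPsec"],
    "branch_tunnels": ["HUB1-VPN1", "HUB1-VPN2", "HUB2-VPN1"],
    "bgp_templates": ["BRANCH_BGP", "HUB1_BGP", "HUB2_BGP"],
    "cli_templates": ["BRANCH_CLI", "HUB1_CLI", "HUB2_CLI"],
    "performance_sla": ["HUB1_HC", "HUB2_HC"],
}
SAMPLE_BRANCH_IDS = {"branch-a": 1, "branch-b": 2, "branch-c": 2, "branch-d": None}

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY, SAMPLE_BRANCH_IDS, hubs=2):
        print(line)
```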
