
Administration Guide

VPN Setup Wizard supports device groups

FortiManager VPN Setup Wizard supports device groups, allowing you to optimize a large number of firewalls as spokes in a VPN community.

When a device group is used in a VPN topology, FortiManager resolves the device group to individual members, and then applies the same logic to generate Phase1/Phase2 information. Keep the following restrictions in mind:

  • VPN Manager only supports the use of device groups for the following hub and spoke topologies: star and dialup.
  • VPN Manager only supports the use of device groups for devices in the spoke role.

This document provides a sample configuration of hub and spoke (star topology) with VPN Manager and a device group.

Following is a summary of how to use device groups:

  1. Create device groups. See Creating device groups.
  2. Create protected subnet firewall addresses for hub and spoke devices. See Creating protected subnet firewall addresses.
  3. Create a VPN community. See Creating VPN communities.
  4. Add spoke FortiGate units to the VPN community. See Adding spoke FortiGate units to the VPN community.
  5. Add the hub FortiGate units to the VPN community. See Adding the hub FortiGate unit to the VPN community.

    The hub and spokes are created.

  6. Install VPN configuration and firewall policies to hub and spoke devices. See Installing firewall policies to hub and spoke devices.

This topic also covers how to:

  • Remove a spoke member from a VPN community. See Removing a spoke member from a VPN community.
  • Add a spoke member to a VPN community. See Adding a spoke member to a VPN community.

Creating device groups

To create device groups:
  1. Go to Device Manager > Device & Groups.
  2. From the Device Group menu, select Create New Group.

    The Create New Device Group dialog box opens.

  3. In the Group Name box, type a name, such as spoke_group.
  4. Click Add Member, and add FortiGate units to the group.

    In this example, we are adding 5 FortiGate units.

  5. Click OK to save the group.

Creating protected subnet firewall addresses

Create protected subnet firewall addresses for hub and spoke devices. VPN Manager can use the protected subnet firewall address to create static routes on FortiGate units to allow traffic destined for the remote protected network to pass through the VPN tunnel.

To create protected subnet firewall addresses:
  1. Go to Policy & Objects > Firewall Objects > Addresses.
  2. From the Create New menu, select Address.

    The Create New Address pane opens.

  3. Create a protected subnet firewall address for the hub FortiGate, and click OK.

  4. From the Create New menu, select Address.

    The Create New Address pane opens.

  5. Create a protected subnet firewall address with per-device mapping for spoke FortiGate units, and click OK.

Creating VPN communities

To create a VPN community:
  1. Go to VPN Manager > IPsec VPN Communities, and click Create New.

    The VPN Topology Setup Wizard opens.

  2. In the Name box, type a name, such as star.
  3. Under Choose VPN Topology, select Star, and click Next.

  4. Specify the Authentication & Encryption Settings, and click Next.

  5. Configure VPN Phase 1 and Phase 2 settings, and click Next.

Adding spoke FortiGate units to the VPN community

To add spoke FortiGate units to the VPN community:
  1. Go to VPN Manager > IPsec VPN Communities, and click the community that you created.

    The community opens in the content pane.

  2. Click Create New > Managed Gateway.

    The VPN Gateway Setup Wizard opens for the community.

  3. Set the Protected Network options, and then click Next:
    1. Beside Protected Subnet, click Click here to select, and select the protected subnet.

  4. Set the Device options, and then click Next:
    1. Beside Role, select Spoke.
    2. Beside Device, select the device group you created named spoke_group.

  5. Set the Default VPN Interface options, and click Next.
    1. Beside Default VPN Interface, select the interface for spokes, which is often the internet-facing interface.

  6. Set the Local Gateway options, and click Next.
    1. Beside Local Gateway, type the IP address for the gateway.

  7. Set the Advanced options, and click OK.
    1. Beside Routing, select Manual (via Device Manager) or Automatic.

Adding the hub FortiGate unit to the VPN community

To add a hub FortiGate unit to the VPN community:
  1. Go to VPN Manager > IPsec VPN Communities, and click the community that you created.

    The community opens in the content pane.

  2. Click Create New > Managed Gateway.

    The VPN Gateway Setup Wizard opens for the community.

  3. Set the Protected Network options, and then click Next:
    1. Beside Protected Subnet, click Click here to select, and select the protected subnet.

  4. Set the Device options, and then click Next:
    1. Beside Role, select Hub.
    2. Beside Device, select the device for the hub.

  5. Set the Default VPN Interface options, and click Next.
    1. Beside Default VPN Interface, select the interface for the hub, which is often the internet-facing interface.

  6. Set the Local Gateway options, and click Next.
    1. Beside Local Gateway, type the IP address for the gateway.

  7. Set the Advanced options, and click OK.
    1. Beside Routing, select Manual (via Device Manager) or Automatic.

      The hub and spoke are created.

Installing firewall policies to hub and spoke devices

Create firewall policies for hub and spoke FortiGates, and then install the configurations by using the Install Wizard.

To install configurations to hub and spoke devices:
  1. Go to Policy & Objects > Policy Packages.
  2. Create firewall policies for hub and spoke FortiGates.

  3. From the Install menu, select Install Wizard.
  4. Select Install Policy Package & Device Settings, and then click Next.

  5. Complete the wizard to install the configurations.

Removing a spoke member from a VPN community

You can remove a spoke member from a VPN community by removing the device from the device group, and then installing the configuration change to the FortiGates.

To remove a spoke member from a VPN community:
  1. Remove the device from the device group:
    1. Go to Device Manager > Device & Groups.
    2. In the tree menu, right-click the group name, and select Edit Group.

      The Edit Device Group dialog box opens.

    3. Select a device, for example, vlan171_0085, and click Remove Member.

    4. Click OK to save the changes.
  2. Run a policy package installation to purge the VPN configuration from the FortiGates.

    The Install Preview page shows that FortiManager will purge the related configuration on the hub FortiGate.

    The Install Preview page also shows that FortiManager will delete the related configuration on the spoke FortiGate named vlan181_0085.

Adding a spoke member to a VPN community

You can add a spoke member to a VPN community by adding the device to the device group, and then installing the configuration change to the FortiGates.

To add a new spoke member to a VPN community:
  1. Add a device to the device group:
    1. Go to Device Manager > Device & Groups.
    2. In the tree menu, right-click the group name, and select Edit Group.

      The Edit Device Group dialog box opens.

    3. Click Add Member, select the device, for example BranchOffice6, and click Add.
    4. Click OK to save the changes.
  2. Go to the VPN Manager community summary page. The new spoke member is displayed.

    In the following example, the member named BranchOffice6 is displayed.

  3. Run a policy package installation to push the VPN configuration to the hub and the newly added spoke devices.

    For example, the Install Preview page shows that FortiManager will install IPsec VPN configuration to the new spoke member. In this example, the new spoke member is named BranchOffice6.
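As an added illustration (not FortiManager code), the following Python models the behaviour described in this topic: a device group in the spoke role is resolved to its members before per-device Phase1/Phase2 entries are generated, the two restrictions (spoke role only; star or dialup only) are enforced, and the diff between the resolved member lists predicts which devices the next policy package installation will install to, purge from, or update, as in the add and remove member procedures. The hub name hub_fgt and all subnets are assumed sample values.

```python
from dataclasses import dataclass

# Restrictions stated on the page: a device group may only stand in for
# spokes, and only in star or dialup hub-and-spoke communities.
GROUP_TOPOLOGIES = {"star", "dialup"}

@dataclass(frozen=True)
class Gateway:
    role: str     # "hub" or "spoke"
    device: str   # managed device name, or a device group name
    subnet: dict  # protected subnet address: {"default": cidr, "mapping": {device: cidr}}

def protected_subnet(address, device):
    """Per-device mapping: one address object carries a default subnet plus
    per-device overrides, so a single object serves every spoke in a group."""
    return address.get("mapping", {}).get(device, address["default"])

def resolve_gateways(topology, gateways, device_groups):
    """Expand each device group into one gateway per member, mirroring how the
    page says FortiManager resolves a group before generating Phase1/Phase2.
    Returns sorted (device, role, subnet) tuples."""
    resolved = []
    for gw in gateways:
        members = device_groups.get(gw.device)
        if members is None:  # plain managed device: no expansion needed
            resolved.append((gw.device, gw.role, protected_subnet(gw.subnet, gw.device)))
            continue
        if topology not in GROUP_TOPOLOGIES:
            raise ValueError(f"device groups need star or dialup, not {topology}")
        if gw.role != "spoke":
            raise ValueError("device groups are only supported in the spoke role")
        resolved += [(m, "spoke", protected_subnet(gw.subnet, m)) for m in members]
    return sorted(resolved)

def install_plan(before, after):
    """Diff two resolved member lists to predict what the next policy package
    install touches: tunnels installed on new spokes, purged from removed
    spokes, and the hub updated whenever its spoke set changes."""
    old, new = {d for d, _, _ in before}, {d for d, _, _ in after}
    hubs = sorted(d for d, role, _ in after if role == "hub")
    return {"install": sorted(new - old), "purge": sorted(old - new),
            "update_hub": hubs if old != new else []}

# Constructed sample in the page's terms: a star community with one hub
# (name assumed) and spoke_group, using the member names the page cites.
DEVICE_GROUPS = {"spoke_group": ["vlan171_0085", "vlan181_0085", "BranchOffice6"]}
SPOKE_SUBNET = {"default": "192.168.1.0/24", "mapping": {"BranchOffice6": "192.168.6.0/24"}}
COMMUNITY = [Gateway("hub", "hub_fgt", {"default": "10.0.0.0/24"}),
             Gateway("spoke", "spoke_group", SPOKE_SUBNET)]
```

Calling resolve_gateways before and after editing DEVICE_GROUPS and feeding both results to install_plan reproduces the Install Preview outcome the page describes: the removed spoke is purged and the hub is updated, while an unchanged group yields an empty plan.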
