7.4.0

ADVPN

The following is a summary of the steps required to enable ADVPN:

  1. Enable ADVPN in the SD-WAN Overlay template. See Enabling ADVPN.

  2. Edit the SD-WAN rules in the SD-WAN template. See Editing branch SD-WAN template.

  3. Edit the Branches policy package. See Editing branch policy package.

  4. Install the policy packages to both Branches and Hub. See Install the policy packages to both Branches and Hub.

Enabling ADVPN

Edit an existing SD-WAN overlay template to enable ADVPN, which automatically adds the required settings to the IPsec template and the BGP template.

To enable ADVPN:
  1. Go to Device Manager > Provisioning Templates > SD-WAN Overlay Template, and double-click the SD-WAN Overlay template created earlier.

  2. Expand the Advanced menu, and enable the Auto-Discovery VPN toggle.

  3. Click Next five (5) times to complete the wizard.

    The required settings are added to the IPsec template and BGP template.

Editing branch SD-WAN template

Edit the branch SD-WAN template to add Branch_LAN as a destination address for the Corporate_Traffic rule.

To edit the branches template:
  1. Go to Device Manager > Provisioning Templates > SD-WAN, and double-click the branch SD-WAN template to open it for editing.

  2. In the SD-WAN Rules section, double-click the Corporate_Traffic rule to open it for editing.

  3. Under Destination, add Branch_LAN as a destination address (in addition to the Datacenter LAN1 subnet).

  4. Click OK to save the rule, then OK to save the template.

Editing branch policy package

Edit the branch policy package to add Branch_LAN as a destination address for the Branch to DC rule. Rename the rule to Branch to Corporate.

To edit the branches policy package:
  1. Go to Policy & Objects > Policy Packages, expand Branches, and click Firewall Policy.

  2. Edit the Branch to DC rule.

  3. Change the name from Branch to DC to Branch to Corporate.

  4. Under Destination, add the Branch-LAN address object.

  5. Click OK to save.

Install the policy packages to both Branches and Hub

To install the config to branch devices:
  1. From the top menu bar, select Install Wizard.

  2. Ensure Branches is selected for Policy Package, then click Next.

  3. Once the validation passes, select Install.

  4. Once install completes, select Finish.

To install the config to the hub:
  1. From the top menu bar, select Install Wizard.

  2. Ensure HUB is selected for Policy Package, then click Next.

  3. Once the validation passes, select Install.

  4. Once install completes, select Finish.

Verifying the ADVPN configuration

To verify the ADVPN configuration, initiate an ADVPN shortcut by sending traffic from one branch LAN to another.

10.1.1.10@Branch1:~$ ping 10.1.2.10
64 bytes from 10.1.2.10: icmp_seq=1 ttl 61 time 39.8 ms
64 bytes from 10.1.2.10: icmp_seq=2 ttl 62 time 23.8 ms
64 bytes from 10.1.2.10: icmp_seq=3 ttl 62 time 23.4 ms
64 bytes from 10.1.2.10: icmp_seq=4 ttl 62 time 23.3 ms

The first ping from 10.1.1.10 to 10.1.2.10 is routed through the HUB to Branch2 with a latency of approximately 40 ms and a TTL of 61. After the initial ping, the shortcut is formed and the remaining pings are sent directly from Branch1 to Branch2: the TTL rises to 62 because the hub is no longer a hop in the path, and the latency drops accordingly.
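The verification above relies on reading two signals out of the ping output: the reply TTL (one fewer hop once the hub drops out of the path) and the round-trip time. The following is an added example, not part of the Fortinet documentation, that parses that ping output and reports the sequence number at which the spoke-to-spoke shortcut took over, or flags that traffic is still hairpinning through the hub. It assumes the replying host uses an initial TTL of 64 (the Linux default) so that hop count can be derived as 64 minus the reply TTL, and it accepts both the `ttl=61` form real ping prints and the `ttl 61` form shown on this page. The sample outputs are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample matching the verification step above: the first reply
# arrives via the hub (3 hops: Branch1 FGT, HUB, Branch2 FGT), later replies
# arrive over the ADVPN shortcut (2 hops: Branch1 FGT, Branch2 FGT).
SHORTCUT_SAMPLE = """\
64 bytes from 10.1.2.10: icmp_seq=1 ttl=61 time=39.8 ms
64 bytes from 10.1.2.10: icmp_seq=2 ttl=62 time=23.8 ms
64 bytes from 10.1.2.10: icmp_seq=3 ttl=62 time=23.4 ms
64 bytes from 10.1.2.10: icmp_seq=4 ttl=62 time=23.3 ms
"""

# Constructed failure case: every reply still transits the hub, which is what
# you see if the SD-WAN rule or firewall policy was not updated for Branch_LAN.
HUB_ONLY_SAMPLE = """\
64 bytes from 10.1.2.10: icmp_seq=1 ttl 61 time 40.1 ms
64 bytes from 10.1.2.10: icmp_seq=2 ttl 61 time 39.7 ms
64 bytes from 10.1.2.10: icmp_seq=3 ttl 61 time 40.3 ms
"""

# Assumption: the replying host starts its packets with TTL 64 (Linux default).
INITIAL_TTL = 64

# Accept "ttl=61 time=39.8 ms" (real ping) and "ttl 61 time 39.8 ms" (as on this page).
REPLY_RE = re.compile(r"icmp_seq[=\s](\d+)\s+ttl[=\s](\d+)\s+time[=\s]([\d.]+)\s*ms")


def parse_ping(output: str) -> List[Dict[str, float]]:
    """Extract (seq, ttl, rtt_ms) from each echo-reply line; other lines are ignored."""
    replies = []
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append({
                "seq": int(m.group(1)),
                "ttl": int(m.group(2)),
                "rtt_ms": float(m.group(3)),
            })
    return replies


def hops(ttl: int, initial_ttl: int = INITIAL_TTL) -> int:
    """Number of routers the reply crossed, given the sender's initial TTL."""
    return initial_ttl - ttl


def detect_shortcut(replies: List[Dict[str, float]]) -> Optional[Dict[str, float]]:
    """Return details of the first reply whose hop count is lower than the
    previous one, i.e. the point where the ADVPN shortcut replaced the hub path.
    Returns None if the hop count never decreases."""
    for prev, cur in zip(replies, replies[1:]):
        if hops(cur["ttl"]) < hops(prev["ttl"]):
            return {
                "seq": cur["seq"],
                "hops_before": hops(prev["ttl"]),
                "hops_after": hops(cur["ttl"]),
                "rtt_before_ms": prev["rtt_ms"],
                "rtt_after_ms": cur["rtt_ms"],
            }
    return None


def verify_advpn(output: str) -> Dict[str, object]:
    """Summarise a ping run as either 'shortcut' (path shortened) or 'hub-only'
    (every reply took the same, longer path)."""
    replies = parse_ping(output)
    if not replies:
        return {"status": "no-replies"}
    shortcut = detect_shortcut(replies)
    if shortcut is None:
        return {"status": "hub-only", "hops": hops(replies[0]["ttl"]), "replies": len(replies)}
    return {"status": "shortcut", **shortcut}


if __name__ == "__main__":
    print(verify_advpn(SHORTCUT_SAMPLE))
    print(verify_advpn(HUB_ONLY_SAMPLE))
```

A `hub-only` result after several replies is the cue to go back and check that Branch_LAN was added to the Corporate_Traffic SD-WAN rule and to the Branch to Corporate firewall policy, and that both packages were installed; the VPN monitor table described below gives the same answer from the FortiManager side.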

This can be confirmed through the FortiManager VPN monitor as follows:

  1. On FortiManager, navigate to Device Manager > Monitors.

  2. From the top menu bar, select VPN Monitor.

  3. A map opens, showing the VPN tunnels of the branch and HUB devices.

    Notice that there is a VPN tunnel directly between the two branches at Fort Worth and Atlanta. This tunnel is significantly shorter than those going from Branch1 and Branch2 to the HUB.

    Enable the Show Table slider in the top left of the VPN monitor window to display a table showing the details for each FortiGate’s VPN tunnel. The ADVPN tunnel is highlighted.
