FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

Deployment overview

Organizations that have resources behind a newly deployed FortiGate next generation firewall (NGFW) standalone site or behind a newly deployed FortiGate NGFW in a data center and are not configured with SD-WAN enabled can provide their FortiSASE remote users with access to private resources.

Scenarios involving a FortiGate NGFW converted to a FortiSASE secure private access (SPA) hub or involving an existing FortiGate SD-WAN hub allow broader and seamless access to privately hosted TCP- and UDP-based applications.

In the NGFW SPA use case, you must first convert the newly deployed NGFW to a FortiSASE SPA hub. After you configure FortiSASE to communicate with this hub, the FortiSASE security points of presence (PoPs) act as spokes to it, relying on IPsec VPN overlays and internal Border Gateway Protocol (iBGP) to secure and route traffic between the PoPs and the networks behind the organization's NGFW.

For a list of product prerequisites, see SPA using a FortiSASE SPA hub.

A typical topology for deploying this example design is as follows:

FortiSASE PoPs and the organization’s FortiGate hubs form a traditional hub-and-spoke topology that supports the Fortinet autodiscovery VPN (ADVPN) configuration. ADVPN is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish dynamic, on-demand, direct tunnels, known as shortcut tunnels, between each other to avoid routing through the topology's hub device.

FortiSASE remote users may access private resources behind FortiGate hub(s) directly through FortiSASE to hub(s) IPsec tunnels. If a private resource is behind an organization’s spoke device, they may connect directly to that resource through an on-demand, direct, and dynamic ADVPN tunnel. Therefore, the SPA use cases with FortiGate hubs only allow traffic to be initiated from FortiSASE spokes to FortiGate spokes.

FortiSASE supports these main routing design methods:

This deployment guide describes how to configure a newly deployed FortiGate NGFW so that it becomes a FortiSASE SPA standalone hub with no spokes. It covers the cases where you configure the NGFW using the FortiOS CLI or GUI and where FortiManager manages the NGFW. After you perform the conversion steps and the subsequent FortiSASE configuration steps, FortiSASE remote users can privately access internal networks behind these deployments.

For deployment details for the existing SD-WAN SPA use case, see the 4-D FortiSASE SPA with a FortiGate SD-WAN Deployment Guide instead of this guide.

For the FortiGate NGFW SPA use case running FortiOS 7.2.4 and above, you can use the Fabric Overlay Orchestrator feature to convert the NGFW to a standalone IPsec VPN hub. For deployment details, see the 4-D FortiGate NGFW to FortiSASE SPA Hub Conversion using Fabric Overlay Orchestrator Deployment Guide (FortiOS 7.2.4+, 7.4.0+).

Intended audience

Midlevel network and security administrators of FortiGate NGFW devices in companies of all sizes and verticals should find this guide helpful. A working knowledge of FortiOS, FortiGate, and FortiManager configuration and the Fortinet Security Fabric is helpful.

About this guide

This deployment guide describes the steps involved in deploying a specific architecture for the FortiSASE SPA use case using a FortiGate NGFW converted to a FortiSASE SPA hub.

Readers should first evaluate their environment to determine whether the architecture outlined in this guide suits them. Reviewing the reference architecture guide(s), such as the FortiSASE Architecture Guide, is advisable if readers are still in the process of selecting the right architecture. See also the FortiSASE Concept Guide.

This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers must make design decisions to further configure their devices. Reviewing supplementary material found on the Fortinet Document Library in product administration guides, example guides, cookbooks, release notes, and other documents is recommended, where appropriate.
