Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • NGFW to SPA Hub Conversion Using Fabric Overlay Orchestrator

    Home FortiSASE NGFW to SPA Hub Conversion Using Fabric Overlay Orchestrator

    Configuring a root FortiGate using the Fabric Overlay Orchestrator

    Configuring a root FortiGate using the Fabric Overlay Orchestrator

    These steps describe how to run the Fabric Overlay Orchestrator on the root FortiGate.

    To configure a root FortiGate using the Fabric Overlay Orchestrator:
    1. Go to VPN > Fabric Overlay Orchestrator.
    2. Set Status to Enabled. The Role is automatically selected depending on the FortiGate device’s role in the Fortinet Security Fabric. When configuring the root FortiGate, confirm the Role is Hub. The Fabric root must always be the hub. For Policy Creation, select Automatic. Click Next.

    3. For Overlay, select one or more interfaces as the Incoming interface or the underlay link over which the VPN overlay will be built, configure the Pre-shared key, and click Next. The example selects two incoming interfaces:

    4. For Local Network, configure routing and local subnets to share with the VPN network, namely, the BGP AS, loopback address block, and shared interfaces settings:

      Option

      Description

      BGP AS

      Optionally, you can configure the BGP AS number.

      By default, this setting is set to 65400.

      Loopback address block

      Optionally, you can configure the loopback IP address.

      By default, this setting is set to 10.20.1.1/255.255.255.0.

      Shared interfaces

      Select the interface of the local network to share with the VPN network

      Click Next.

    5. For the first Summary step, review the configured settings and click Apply.
    6. For the second Summary step, observe that the following settings have been created as follows:

      Option

      Description

      SD-WAN Zone

      Status > SD-WAN zone. In the example, this is fabric_vpn_sdwan.

      VPN Tunnels

      Overlay > Incoming interface > Phase 1 Interface. In the example, they are fabric_vpn1 and fabric_vpn2.

      BGP

      Local Network > BGP AS, Local Network > Shared subnets. In the example, the BGP AS is 65400 and subnets are 10.20.1.1/32 and 172.16.1.0/30.

      Loopback Interface

      Local Network > Loopback interface. In the example, it is F_Hub_loop.

      Firewall Policies

      Overlay > Incoming interface > Policy, Local Network > Shared subnets > Policies. In the example, they are Overlay: Fabric_overlay_0, Fabric_overlay_1, Shared subnets: fabric_vpn_1_in, fabric_vpn_0_out, fabric_vpn_0_in.

    Previous
    Next

    Configuring a root FortiGate using the Fabric Overlay Orchestrator

    Configuring a root FortiGate using the Fabric Overlay Orchestrator

    These steps describe how to run the Fabric Overlay Orchestrator on the root FortiGate.

    To configure a root FortiGate using the Fabric Overlay Orchestrator:
    1. Go to VPN > Fabric Overlay Orchestrator.
    2. Set Status to Enabled. The Role is automatically selected depending on the FortiGate device’s role in the Fortinet Security Fabric. When configuring the root FortiGate, confirm the Role is Hub. The Fabric root must always be the hub. For Policy Creation, select Automatic. Click Next.

    3. For Overlay, select one or more interfaces as the Incoming interface or the underlay link over which the VPN overlay will be built, configure the Pre-shared key, and click Next. The example selects two incoming interfaces:

    4. For Local Network, configure routing and local subnets to share with the VPN network, namely, the BGP AS, loopback address block, and shared interfaces settings:

      Option

      Description

      BGP AS

      Optionally, you can configure the BGP AS number.

      By default, this setting is set to 65400.

      Loopback address block

      Optionally, you can configure the loopback IP address.

      By default, this setting is set to 10.20.1.1/255.255.255.0.

      Shared interfaces

      Select the interface of the local network to share with the VPN network

      Click Next.

    5. For the first Summary step, review the configured settings and click Apply.
    6. For the second Summary step, observe that the following settings have been created as follows:

      Option

      Description

      SD-WAN Zone

      Status > SD-WAN zone. In the example, this is fabric_vpn_sdwan.

      VPN Tunnels

      Overlay > Incoming interface > Phase 1 Interface. In the example, they are fabric_vpn1 and fabric_vpn2.

      BGP

      Local Network > BGP AS, Local Network > Shared subnets. In the example, the BGP AS is 65400 and subnets are 10.20.1.1/32 and 172.16.1.0/30.

      Loopback Interface

      Local Network > Loopback interface. In the example, it is F_Hub_loop.

      Firewall Policies

      Overlay > Incoming interface > Policy, Local Network > Shared subnets > Policies. In the example, they are Overlay: Fabric_overlay_0, Fabric_overlay_1, Shared subnets: fabric_vpn_1_in, fabric_vpn_0_out, fabric_vpn_0_in.

    Previous
    Next