Configuring a new service connection
You can create a new service connection (hub) using one of the following BGP routing design methods:
- BGP per overlay (default)
- BGP on loopback
The corresponding BGP routing design method was configured in the Network Connection tab.
After you create a service connection, you can change its authentication method using Update Authentication Method, for example, to switch from a preshared key (PSK) to a certificate or vice versa. You can also use this option to update the settings of the existing authentication method, such as rotating the PSK or changing the PKI user or certificate.
To configure service connections or hubs for BGP per overlay:
- Go to Network > Secure Private Access.
- On the Service Connection tab, click Create.
- Fill in the fields with the attributes of the FortiGate hub or service connection. FortiSASE performs input validation and notifies you of any invalid values.

| Network attributes | Description | Example |
| --- | --- | --- |
| Name | Alias or comment associated with the hub. Maximum length of 25 characters; acceptable characters are alphanumeric characters, spaces, and dashes (-). | Datacenter 1 |
| Remote gateway | IPsec VPN remote gateway (public IP address) for the hub. | 1.2.3.4 |
| Authentication method | Method used to authenticate with the FortiGate hub. Supports Pre-shared key (default) and Certificate. | Pre-shared key |
| Pre-shared key (PSK) | When Authentication Method is configured as Pre-shared key, define the hub PSK. | mysecretkey |
| PKI User | When Authentication Method is configured as Certificate, select the PKI user with the valid subject and CA certificate that FortiSASE uses to validate the hub's certificate. You can create the PKI user directly from +Create or via Configuration > PKI, then select it here. | mypeer |
| Certificate | When Authentication Method is configured as Certificate, select the certificate to be presented by the FortiSASE security PoP. You must import this certificate into FortiSASE via System > Certificates as a Local Certificate. | Fortinet_Factory |
| BGP peer IP address | On the hub, the IP address used as the BGP peer ID. | 10.10.10.253 |
| Network overlay ID | Define a unique network ID for each hub. If an active hub triggers a shortcut between two spokes and there is a failover to another hub that also triggers a shortcut between the same two spokes, the latter shortcut fails if both hubs have the same network ID. Ensure that the IPsec VPN tunnels towards each hub have different network overlay IDs. | 2 |

Because the following IP ranges are reserved for FortiSASE internal usage, ensure that your network configuration does not overlap with them:
- 10.8.0.0/16
- 10.16.0.0/16
- 100.64.0.0/10
- 10.252.0.0/16
- 10.253.0.0/16

The BGP router ID subnet must not overlap with the subnet used for the BGP peer IP address. These settings must be unique values, as the example values demonstrate.
- Click Save.
Click Save.
- Once FortiSASE successfully configures the service connection, it notifies you. The value in the Configuration State column changes from Creating to Success.
- (Optional) Repeat the steps to configure up to a total of four service connections as necessary to support your secure private access service connection network topology. The following shows the GUI after configuring two service connections:
For FortiSASE security points of presence (PoP), the SD-WAN performance SLA (health check) setting has the following parameters:

Also, for FortiSASE security PoPs, the SD-WAN rule is configured in lowest cost (SLA) mode, where the security PoPs choose the lowest cost link (highest priority hub) that satisfies the SLA to forward traffic.

In the SD-WAN rule used by each FortiSASE security PoP, the interface preference order matters when selecting links of equal cost (equal priority hubs). Therefore, to define the interface preference order, you must configure service connections in FortiSASE in the desired order of preference, from the most preferred hub to the least preferred hub.
To configure service connections or hubs for BGP on loopback:
- Go to Network > Secure Private Access.
- On the Service Connection tab, click Create.
- For the Create a New Secure Private Access Service Connection step, fill in the fields with the attributes of the FortiGate hub or service connection. FortiSASE performs input validation and notifies you of any invalid values.

| Network attributes | Description | Example |
| --- | --- | --- |
| Name | Alias or comment associated with the hub. Maximum length of 25 characters; acceptable characters are alphanumeric characters, spaces, and dashes (-). | Datacenter 1 |
| Remote gateway | IPsec VPN remote gateway (public IP address) for the hub. | 1.2.3.4 |
| Authentication method | Method used to authenticate with the FortiGate hub. Supports Pre-shared key (default) and Certificate. | Pre-shared key |
| Pre-shared key (PSK) | When Authentication Method is configured as Pre-shared key, define the hub PSK. | mysecretkey |
| PKI User | When Authentication Method is configured as Certificate, select the PKI user with the valid subject and CA certificate that FortiSASE uses to validate the hub's certificate. You can create the PKI user directly from +Create or via Configuration > PKI, then select it here. | mypeer |
| Certificate | When Authentication Method is configured as Certificate, select the certificate to be presented by the FortiSASE security PoP. You must import this certificate into FortiSASE via System > Certificates as a Local Certificate. | Fortinet_Factory |
| ADVPN Route Tag | For BGP on loopback only, the ADVPN route tag number that the spoke uses to tag incoming routes advertised from a hub. See Enhanced BGP next hop updates and ADVPN shortcut override. | 1 |
| BGP peer IP address | On the hub, the IP address used as the BGP peer ID. | 10.10.10.253 |
| Network overlay ID | Define a unique network ID for each hub. If an active hub triggers a shortcut between two spokes and there is a failover to another hub that also triggers a shortcut between the same two spokes, the latter shortcut fails if both hubs have the same network ID. Ensure that the IPsec VPN tunnels towards each hub have different network overlay IDs. | 2 |

Because the following IP ranges are reserved for FortiSASE internal usage, ensure that your network configuration does not overlap with them:
- 10.8.0.0/16
- 10.16.0.0/16
- 100.64.0.0/10
- 10.252.0.0/16
- 10.253.0.0/16

The BGP router ID subnet must not overlap with the subnet used for the BGP peer IP address. These settings must be unique values, as the example values demonstrate.
- Click Save.
Click Save.
- Once FortiSASE successfully configures the service connection, it notifies you. The value in the Configuration State column changes from Creating to Success.
- (Optional) Repeat the steps to configure up to a total of four service connections as necessary to support your secure private access service connection network topology.
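Both procedures above (BGP per overlay and BGP on loopback) impose the same addressing constraints: no overlap with the reserved ranges, a BGP router ID subnet disjoint from the BGP peer subnet, a unique network overlay ID per hub, name rules, and a maximum of four service connections. FortiSASE validates the fields one at a time when you click Save, but a pre-flight check over the whole planned set of hubs catches cross-hub problems (such as two hubs sharing an overlay ID) before anything is configured. The following script is an added example written for this page; it is not Fortinet code or part of the FortiSASE product. It assumes a /24 mask for the subnet that each BGP peer IP belongs to (peer_prefix_len, not a GUI field) and takes the BGP router ID subnet as a parameter; the sample plans are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Ranges the page lists as reserved for FortiSASE internal use.
RESERVED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.8.0.0/16", "10.16.0.0/16", "100.64.0.0/10",
    "10.252.0.0/16", "10.253.0.0/16")]
MAX_SERVICE_CONNECTIONS = 4                     # limit stated on the page
NAME_RE = re.compile(r"^[A-Za-z0-9 -]{1,25}$")  # alphanumerics, spaces, dashes; max 25


@dataclass
class Hub:
    """One planned service connection (FortiGate hub), mirroring the GUI fields."""
    name: str
    remote_gateway: str        # public IPsec VPN gateway of the hub
    bgp_peer_ip: str           # hub-side BGP peer IP address
    network_overlay_id: int
    peer_prefix_len: int = 24  # ASSUMPTION: mask of the BGP peer subnet; not a GUI field


def _in_reserved(addr_or_net):
    """Return the reserved range that addr_or_net overlaps, or None."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    for reserved in RESERVED_RANGES:
        if net.overlaps(reserved):
            return reserved
    return None


def check_hubs(hubs, router_id_subnet):
    """Return a list of problems for a planned set of hubs (empty list = plan passes).

    router_id_subnet is the subnet the PoPs draw their BGP router IDs from
    (configured elsewhere in FortiSASE, not in the Service Connection tab).
    """
    problems = []
    rid_net = ipaddress.ip_network(router_id_subnet, strict=False)

    if len(hubs) > MAX_SERVICE_CONNECTIONS:
        problems.append(f"{len(hubs)} hubs planned; at most "
                        f"{MAX_SERVICE_CONNECTIONS} are supported")

    hit = _in_reserved(rid_net)
    if hit is not None:
        problems.append(f"BGP router ID subnet {rid_net} overlaps reserved {hit}")

    seen_overlay_ids = {}
    for hub in hubs:
        if not NAME_RE.match(hub.name):
            problems.append(f"{hub.name!r}: name must be 1-25 alphanumerics, spaces or dashes")

        for label, addr in (("remote gateway", hub.remote_gateway),
                            ("BGP peer IP", hub.bgp_peer_ip)):
            hit = _in_reserved(addr)
            if hit is not None:
                problems.append(f"{hub.name}: {label} {addr} falls in reserved {hit}")

        # The router ID subnet must not overlap the subnet the BGP peer IP lives in.
        peer_net = ipaddress.ip_network(
            f"{hub.bgp_peer_ip}/{hub.peer_prefix_len}", strict=False)
        if peer_net.overlaps(rid_net):
            problems.append(f"{hub.name}: BGP peer subnet {peer_net} overlaps "
                            f"router ID subnet {rid_net}")

        # A duplicate overlay ID breaks the ADVPN shortcut re-established after hub failover.
        other = seen_overlay_ids.get(hub.network_overlay_id)
        if other is not None:
            problems.append(f"{hub.name}: network overlay ID {hub.network_overlay_id} "
                            f"already used by {other}; shortcut after failover would fail")
        else:
            seen_overlay_ids[hub.network_overlay_id] = hub.name
    return problems


# Constructed sample plans (illustrative values, not a real deployment).
GOOD_PLAN = [
    Hub("Datacenter 1", "1.2.3.4", "10.10.10.253", 1),
    Hub("Datacenter 2", "5.6.7.8", "10.10.20.253", 2),
]
BAD_PLAN = [
    Hub("Datacenter 1", "1.2.3.4", "10.10.10.253", 2),   # peer subnet collides with router ID subnet below
    Hub("Datacenter_2", "5.6.7.8", "10.252.0.253", 2),   # underscore in name, reserved range, duplicate overlay ID
]

if __name__ == "__main__":
    print("good plan:", check_hubs(GOOD_PLAN, "10.10.30.0/24") or "OK")
    for problem in check_hubs(BAD_PLAN, "10.10.10.0/24"):
        print("bad plan:", problem)
```

Run the script before entering the hubs in the GUI, and keep the hub list in the order you intend to create them: the SD-WAN rule on the PoPs breaks ties between equal-priority hubs by that order, so the list order is itself part of the design.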
To update the authentication method settings for a service connection:
- Go to Network > Secure Private Access.
- On the Service Connection tab, click Update Authentication Method.
- Select the Authentication Method and configure the corresponding parameter(s):
  - New Pre-shared Key when Pre-shared Key is selected.
  - PKI User and Certificate when Certificate is selected.
- Click OK. Once FortiSASE successfully updates the authentication method for the service connection, it notifies you with the message Authentication method updated successfully.