SPA using NGFW and Fabric Overlay Orchestrator

Organizations with resources behind a newly deployed FortiGate next generation firewall (NGFW), whether at a standalone site or in a data center, and that do not have SD-WAN enabled, can still provide their FortiSASE remote users with access to those private resources.

Scenarios involving a FortiGate NGFW converted to a FortiSASE secure private access (SPA) hub or involving an existing FortiGate SD-WAN hub allow broader and seamless access to privately hosted TCP- and UDP-based applications.

In the NGFW SPA use case, you must first convert the newly deployed NGFW to a FortiSASE SPA hub. Starting in FortiOS 7.2.4, you can accomplish this using Fabric Overlay Orchestrator. After configuring FortiSASE to communicate with this hub, the FortiSASE security points-of-presence (PoPs) act as spokes to this hub, relying on IPsec VPN overlays and iBGP to secure and route traffic between PoPs and the networks behind the organization’s NGFW.

For a list of product prerequisites, see SPA using a FortiSASE SPA hub with Fabric overlay orchestrator.

A typical topology for deploying this example design is as follows:

FortiSASE PoPs and the organization’s FortiGate hubs form a traditional hub-and-spoke topology that supports the Fortinet autodiscovery VPN (ADVPN) configuration. ADVPN is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish dynamic, on-demand, direct tunnels, known as shortcut tunnels, between each other to avoid routing through the topology's hub device.

FortiSASE remote users may access private resources behind a FortiGate hub directly over the IPsec tunnels between FortiSASE and that hub. If a private resource is behind one of the organization's spoke devices, users may reach it through an on-demand, direct, and dynamic ADVPN shortcut tunnel. Therefore, the SPA use cases with FortiGate hubs only allow traffic to be initiated from FortiSASE spokes toward FortiGate spokes.
