FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

Configuring network configuration

Before proceeding with configuring hubs or service connections, you must configure common secure private access (SPA) network configuration that all service connections use.

BGP routing design

FortiSASE supports FortiGate hubs for SPA using either BGP per overlay (default) or BGP on loopback. See the following table for an overview of each routing design and example FortiGate hub and spoke reference configurations that can be used for a typical SD-WAN dual hub deployment:

| BGP routing design overview | Example hub configuration for dual hub architecture | Example spoke configuration for dual hub architecture |
| --- | --- | --- |
| BGP per overlay (default) | SD-WAN dual hub with VPN overlay and BGP routing - HUBs | SD-WAN dual hub with VPN overlay and BGP routing - Branches |
| BGP on loopback | BGP on loopback (Dual-Hub region) - Hub | BGP on loopback (Dual-Hub region) - Spoke |

Note

You can use only one BGP routing design method for all hubs and spokes. They cannot be mixed.

Also, the BGP routing design method cannot be changed once saved. You must delete the service connection(s) and network configuration and reconfigure with a different BGP routing design method.

To configure SPA network configuration:
  1. Go to Network > Secure Private Access and click the Network Configuration tab.

  2. On the Secure Private Access Network Configuration page, for BGP Routing Design, select one of the following:

    • BGP per overlay (default selection)

    • BGP on loopback. FortiSASE automatically selects and grays out BGP Recursive Routing after you select this option.

  3. Fill in the rest of the fields with the values of the attributes of the FortiGate hub network connection. FortiSASE performs input validation and notifies you of any invalid values. See the following table:

    | Network attributes | Description | Example |
    | --- | --- | --- |
    | BGP Routing Design | FortiSASE supports these main routing design methods: BGP per overlay (default) and BGP on loopback. You can use only a single BGP routing design method for all hubs and spokes. You cannot mix them. See Routing design methods. | BGP per overlay |
    | BGP router ID subnet | For BGP per overlay, an available (unused) subnet from which loopback interface IP addresses are assigned for use as BGP router IDs on the FortiSASE security PoPs only. /28 is the minimum subnet size. Typically, this subnet is a currently unused portion of the overall BGP loopback summary range. For example, if the BGP loopback summary range is 10.20.1.0/24, you can configure 10.20.1.0/28 as the BGP router ID subnet if it is unused. For BGP on loopback, you must configure this subnet as a neighbor range in the hub BGP settings. | 10.20.1.0/28 |
    | Autonomous system number (ASN) | BGP autonomous system (AS) number of your hubs. Typically, this is the same on both hubs. | 65400 |
    | BGP recursive routing | Enabling BGP recursive routing provides interhub connectivity and redundancy to networks behind the active hub, provided each hub has a physical connection to the others, for cases when connectivity between a FortiSASE security PoP and the active hub fails. For example, with this setting enabled, if a FortiSASE security PoP's connectivity with hub 1 goes down, the PoP reaches a network behind hub 1 by routing traffic to hub 2 first; hub 2 forwards it to hub 1 over the interhub connection, and hub 1 routes it to the destination network. | Enabled |
    | Hub selection method | Method by which FortiSASE selects a hub. By default, FortiSASE uses hub health and priority. Hub health and priority: FortiSASE periodically obtains jitter, latency, and packet loss measurements for each hub via the health check IP address and selects the highest priority hub within each PoP that meets the lowest cost (SLA) requirements. A hub can be assigned a different priority level in different PoPs. BGP MED: the BGP multi-exit discriminator (MED) is an attribute set by an autonomous system advertising routes to another peer. FortiSASE learns MED from the configured hubs. See BGP multi-exit discriminator. | Hub health and priority |
    | Health check IP address | IP address of a server behind the hub that is used to set up the SD-WAN performance SLA rule. On the hub, you can configure a loopback interface for health check purposes and specify its IP address for this parameter. Since there is only a single health check IP address, you can configure a loopback on all hubs with the same IP address. In the hub configuration, you also need to create a policy that allows traffic from the IPsec tunnel to this loopback interface. | 10.30.100.1 |

    Note

    As some IP address ranges are reserved for FortiSASE internal usage, note the network restrictions in Network restrictions.

    Note

    For BGP per overlay, the BGP router ID subnet should not overlap with the subnet used for the BGP peer IP address. These settings should be unique values, as the example values demonstrate.

    For BGP on loopback, the BGP router ID subnet should match the BGP peer IP address range defined on the hub.

    Note

    When using the BGP MED option, user-defined hub priorities are not used because the SD-WAN SLA rule is disabled in this case.
  4. Click Save.
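As an added example (not part of this guide and not FortiSASE's own validation logic), the following Python checker applies the constraints stated in the table and notes above to a candidate configuration before it is entered in the portal: the /28 minimum, no overlap with the BGP peer subnet for BGP per overlay, an exact match with the hub's peer range for BGP on loopback, and forced BGP recursive routing for BGP on loopback. The field names, the peer subnet 10.20.2.0/24 and the ASN bounds check are this example's own assumptions.

```python
import ipaddress

MIN_ROUTER_ID_PREFIX = 28  # the guide states /28 is the minimum subnet size

# Constructed sample: the guide's example values plus a hypothetical peer subnet.
EXAMPLE_CONFIG = {
    "design": "per-overlay",             # or "on-loopback"
    "router_id_subnet": "10.20.1.0/28",
    "loopback_summary": "10.20.1.0/24",  # optional overall BGP loopback summary range
    "peer_subnet": "10.20.2.0/24",       # hypothetical hub BGP peer IP range (not from the guide)
    "asn": 65400,
    "health_check_ip": "10.30.100.1",
}

def validate_spa_network_config(cfg):
    """Return a list of validation errors; an empty list means the values are consistent."""
    try:
        rid = ipaddress.ip_network(cfg["router_id_subnet"], strict=True)
        peer = ipaddress.ip_network(cfg["peer_subnet"], strict=True)
    except ValueError as exc:
        return [f"invalid subnet: {exc}"]
    errors = []
    if rid.prefixlen > MIN_ROUTER_ID_PREFIX:  # a longer prefix is a smaller subnet
        errors.append(f"router ID subnet {rid} is smaller than /28")
    if cfg["design"] == "per-overlay":
        # Per overlay: the router ID subnet must not overlap the BGP peer IP subnet.
        if rid.overlaps(peer):
            errors.append(f"router ID subnet {rid} overlaps BGP peer subnet {peer}")
    elif cfg["design"] == "on-loopback":
        # On loopback: the router ID subnet must match the hub's BGP neighbor range.
        if rid != peer:
            errors.append(f"router ID subnet {rid} must match hub peer range {peer}")
    else:
        errors.append(f"unknown BGP routing design {cfg['design']!r}")
    summary = cfg.get("loopback_summary")
    if summary and not rid.subnet_of(ipaddress.ip_network(summary, strict=True)):
        errors.append(f"router ID subnet {rid} lies outside loopback summary {summary}")
    # ASN bounds are this example's own sanity check (2- or 4-byte AS numbers).
    if not 1 <= int(cfg["asn"]) <= 4294967295:
        errors.append(f"ASN {cfg['asn']} is out of range")
    try:
        ipaddress.ip_address(cfg["health_check_ip"])
    except ValueError:
        errors.append(f"invalid health check IP {cfg['health_check_ip']!r}")
    return errors

def recursive_routing_enabled(cfg):
    """BGP on loopback forces BGP recursive routing on; per overlay honours the setting."""
    return cfg["design"] == "on-loopback" or bool(cfg.get("recursive_routing", False))
```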