
FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

Configuring SPA to the FortiGate SPA hub in FortiSASE Private Access

Note Before configuring the Secure Private Access settings in the FortiSASE portal, confirm that the FortiSASE SPA hub meets the requirements described in the earlier sections of this guide, in particular Design concept and considerations, Product prerequisites, and Converting FortiGate NGFW to a FortiSASE SPA hub using FortiOS CLI or GUI. Secure private access (SPA) will not work correctly against a hub that does not meet them.

At this point, the FortiGate NGFW has been converted to a FortiSASE SPA Hub. Therefore, in the steps that follow, the FortiGate NGFW will now be referred to as the FortiSASE SPA Hub.

To allow FortiSASE remote users with secure private access (SPA) to resources behind your FortiGate SD-WAN hub network, you can configure FortiSASE security PoPs as spokes in your hub-and-spoke network using the Secure Private Access page.

Configuration workflow

To configure SPA service connections (hubs), you must follow this configuration workflow in Network > Secure Private Access:

  1. Click the Network Configuration tab at the top of the page and configure the common network configuration settings. See Configuring network configuration.

  2. Click the Service Connections tab at the top of the page, click Create, and configure a new service connection (hub). See Configuring a new service connection.

Note You cannot configure a service connection or hub without first configuring Network Configuration settings.

BGP routing design

FortiSASE supports FortiGate hubs for SPA using either BGP per overlay (default) or BGP on loopback. See the following table for an overview of each routing design and example FortiGate hub and spoke reference configurations that can be used for a typical SD-WAN dual hub deployment:

BGP routing design overview | Example hub configuration for dual hub architecture | Example spoke configuration for dual hub architecture

  - BGP per overlay (default) | SD-WAN dual hub with VPN overlay and BGP routing - HUBs | SD-WAN dual hub with VPN overlay and BGP routing - Branches

  - BGP on loopback | BGP on loopback (Dual-Hub region) - Hub | BGP on loopback (Dual-Hub region) - Spoke

The example network topology uses the following settings configured in FortiSASE:

Configuration setting                 Value used in example network topology

Network Configuration settings
  BGP routing design                  BGP per overlay
  BGP router ID subnet                10.20.1.0/28
  Autonomous system number (ASN)      65400
  BGP recursive routing               Enabled
  Hub selection method                Hub health and priority
  Health check IP address             10.30.100.1

Service Connection settings
  Name                                Datacenter 1
  Remote gateway                      1.2.3.4
  Authentication method               Pre-shared key
  Pre-shared key                      mysecretkey
  BGP peer IP address                 10.20.1.253
  Network Overlay ID                  2

Note The pre-shared key in this table is a placeholder. Use a long, randomly generated key, and make sure the key, the ASN, the BGP peer IP address and the Network Overlay ID entered in FortiSASE match the values configured on the FortiSASE SPA hub; a mismatch in any of them leaves the tunnel or the BGP session down.
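For reference, the following FortiOS CLI fragment shows what the hub side of these example values looks like with the BGP per overlay design. It is an added example, not configuration taken from this guide or from a FortiSASE deployment; the interface names (port1, FortiSASE, Lo-HC), the tunnel addressing handed to the PoPs by mode-cfg, and the IKE/IPsec proposals are assumptions, and the authoritative hub configuration is the one produced in the conversion section of this guide. What it illustrates is which FortiSASE setting maps to which hub setting: ASN 65400 and recursive routing under config router bgp, the router ID subnet 10.20.1.0/28 as the dynamic neighbor-range, the BGP peer IP address 10.20.1.253 as the hub tunnel IP, the Network Overlay ID as network-id on the dialup phase1, the health check address as a loopback advertised into BGP, and the same pre-shared key on both ends.

```fortios
# Added example (not from the guide). Assumed names: WAN "port1", tunnel
# "FortiSASE", loopback "Lo-HC". Tunnel addressing and proposals are assumed too.

# Loopback that FortiSASE probes for "Hub health and priority" selection
config system interface
    edit "Lo-HC"
        set vdom "root"
        set type loopback
        set ip 10.30.100.1 255.255.255.255
        set allowaccess ping
    next
end

# Dialup IKEv2 tunnel that the FortiSASE PoPs (spokes) connect to.
# network-id 2 must equal the Network Overlay ID entered in FortiSASE.
# Assumption: PoP tunnel addresses are assigned by mode-cfg from the
# BGP router ID subnet 10.20.1.0/28.
config vpn ipsec phase1-interface
    edit "FortiSASE"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set add-route disable
        set dpd on-idle
        set network-overlay enable
        set network-id 2
        set proposal aes256-sha256
        set dhgrp 14
        set ipv4-start-ip 10.20.1.1
        set ipv4-end-ip 10.20.1.14
        set ipv4-netmask 255.255.255.0
        set psksecret mysecretkey
    next
end
config vpn ipsec phase2-interface
    edit "FortiSASE"
        set phase1name "FortiSASE"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Hub end of the overlay: 10.20.1.253 is the BGP peer IP address given to FortiSASE
config system interface
    edit "FortiSASE"
        set ip 10.20.1.253 255.255.255.255
        set remote-ip 10.20.1.254 255.255.255.0
    next
end

# iBGP per overlay: ASN 65400 on both ends, dynamic peers accepted only from the
# router ID subnet 10.20.1.0/28, recursive-next-hop = "BGP recursive routing: Enabled"
config router bgp
    set as 65400
    set router-id 10.20.1.253
    set ibgp-multipath enable
    set recursive-next-hop enable
    config neighbor-group
        edit "FortiSASE"
            set remote-as 65400
            set update-source "FortiSASE"
            set next-hop-self enable
            set soft-reconfiguration enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.20.1.0 255.255.255.240
            set neighbor-group "FortiSASE"
        next
    end
    # Advertise the health check loopback so the PoPs can reach and probe it
    config network
        edit 1
            set prefix 10.30.100.1 255.255.255.255
        next
    end
end
```

Once the service connection has been created in FortiSASE, check the result on the hub with diagnose vpn ike gateway list (one IKEv2 gateway per PoP, network-id 2) and get router info bgp summary (each PoP peer in state Established with a neighbor address inside 10.20.1.0/28). Replace mysecretkey with a long random value before using any of this; the neighbor-range keeps a stray IKE peer that somehow obtained the key from also becoming a BGP speaker, but it is not a substitute for a strong key.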
