FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

Configuring network configuration

Before proceeding with configuring hubs or service connections, you must configure common secure private access (SPA) network configuration that all service connections use.

Note

You can use only one BGP routing design method for all hubs and spokes. They cannot be mixed.

Also, the BGP routing design method cannot be changed once saved. You must delete the service connection(s) and network configuration and reconfigure with a different BGP routing design method.

To configure SPA network configuration:
  1. Go to Network > Secure Private Access and click the Network Configuration tab.

  2. For the Secure Private Access Network Configuration page, for BGP Routing Design, select one of the following:

    • BGP per overlay (default selection)

    • BGP on loopback. FortiSASE automatically selects and grays out BGP Recursive Routing after you select this option.

  3. Fill in the rest of the fields with values of the attributes of the FortiGate hub network connection. FortiSASE performs input validation and notifies you of any invalid values. See the following table:

    Network attributes (each entry gives the attribute, its description, and an example value)

    BGP Routing Design

    Description: FortiSASE supports these main routing design methods:

    • BGP per overlay (default)

    • BGP on loopback

    You can use only a single BGP routing design method for all hubs and spokes. You cannot mix them.

    See Routing design methods.

    Example: BGP per overlay

    BGP router ID subnet

    Description: For BGP per overlay, an available/unused subnet used to assign loopback interface IP addresses that serve as BGP router IDs, only on the FortiSASE security PoPs. /28 is the minimum subnet size.

    For BGP on loopback, you must configure this subnet as a neighbor range in the hub BGP settings.

    Example: 10.20.1.0/24

    Autonomous system number (ASN)

    Description: BGP autonomous system (AS) number of your hubs. Typically, this should be the same on both hubs.

    Example: 65400

    BGP recursive routing

    Description: Enabling BGP recursive routing provides interhub connectivity and redundant reachability to networks behind the active hub for cases when connectivity between a FortiSASE security PoP and the active hub fails. This requires each hub to have a physical connection to the other hubs.

    For example, suppose this setting is enabled and a FortiSASE security PoP loses connectivity with hub 1. To reach a network behind hub 1, the security PoP routes traffic to hub 2 first; hub 2 forwards it to hub 1 over the interhub connection, and hub 1 then routes it to the destination network.

    Example: Enabled

    Hub selection method

    Description: Method by which FortiSASE selects a hub. By default, FortiSASE uses hub health and priority:

    • Hub health and priority: FortiSASE periodically obtains jitter, latency, and packet loss measurements for each hub via the health check IP address. FortiSASE selects the highest priority hub within each PoP that meets the lowest cost (SLA) requirements. A hub can be assigned a different priority level in different PoPs.
    • BGP MED: BGP multi-exit discriminator (MED) is an attribute set by an autonomous system advertising routes to another peer. FortiSASE learns MED from the configured hubs. See BGP multi-exit discriminator.

    Example: Hub health and priority

    Health check IP address

    Description: IP address of a server behind the hub that is used to set up the SD-WAN performance SLA rule.

    On the hub, you can configure a loopback interface for health check purposes and specify the IP address of that loopback interface for this parameter. Since there is only a single health check IP address, you can configure a loopback on all hubs with the same IP address. Also, in the hub configuration, you will need to create a policy to allow traffic from the IPsec tunnel to this loopback interface.

    Example: 10.30.100.1

    Note

    Because the following IP address ranges are reserved for FortiSASE internal use, ensure your network configuration does not overlap with them:

    • 10.252.0.0/16
    • 10.253.0.0/16
    • 100.65.0.0/16

    Note

    For BGP per overlay, the BGP router ID subnet must not overlap with the subnet used for the BGP peer IP address. These settings should be unique values, as the example values demonstrate.

    For BGP on loopback, the BGP router ID subnet should match the BGP peer IP address range defined on the hub.

    Note

    When using the BGP MED option, user-defined hub priorities are not used because the SD-WAN SLA rule is disabled in this case.

  4. Click Save.
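The constraints this section states (minimum /28 router ID subnet, no overlap with the reserved ranges, recursive routing forced on for BGP on loopback, and the router ID subnet versus BGP peer subnet relationship for each design) as a pre-flight check you can run before entering values in the GUI. This is illustrative code added here, not FortiSASE's own validator; the peer_subnet argument is an assumption (the peer IP address is configured per service connection, not on this page), and the ASN bound is the generic 4-byte range, not a FortiSASE-specific limit.

```python
import ipaddress

# Ranges the guide lists as reserved for FortiSASE internal use.
RESERVED = [ipaddress.ip_network(n) for n in
            ("10.252.0.0/16", "10.253.0.0/16", "100.65.0.0/16")]
DESIGNS = ("BGP per overlay", "BGP on loopback")


def overlaps_reserved(net):
    """Return the reserved range that `net` overlaps, or None if it is clear."""
    for r in RESERVED:
        if net.overlaps(r):
            return r
    return None


def validate_spa_config(design, router_id_subnet, asn, recursive,
                        health_check_ip, peer_subnet=None):
    """Return a list of problems; an empty list means the values are consistent.

    peer_subnet (assumed input) is the hub-side BGP peer IP range, used only
    for the per-design overlap/match rule stated in the notes above.
    """
    problems = []
    if design not in DESIGNS:
        problems.append(f"unknown BGP routing design {design!r}")
    try:  # strict=True rejects host bits set in the subnet field
        rid = ipaddress.ip_network(router_id_subnet, strict=True)
    except ValueError as e:
        return problems + [f"router ID subnet: {e}"]
    if rid.prefixlen > 28:
        problems.append("router ID subnet is smaller than the /28 minimum")
    hit = overlaps_reserved(rid)
    if hit:
        problems.append(f"router ID subnet overlaps reserved range {hit}")
    if not 1 <= asn <= 4294967295:  # generic 4-byte ASN range (assumption)
        problems.append("ASN outside 1..4294967295")
    if design == "BGP on loopback" and not recursive:
        problems.append("BGP on loopback requires BGP recursive routing enabled")
    try:
        hc = ipaddress.ip_network(health_check_ip)  # bare host -> /32
    except ValueError as e:
        return problems + [f"health check IP: {e}"]
    hit = overlaps_reserved(hc)
    if hit:
        problems.append(f"health check IP falls in reserved range {hit}")
    if peer_subnet is not None:
        peer = ipaddress.ip_network(peer_subnet, strict=False)
        if design == "BGP per overlay" and rid.overlaps(peer):
            problems.append("per overlay: router ID subnet overlaps BGP peer subnet")
        if design == "BGP on loopback" and rid != peer:
            problems.append("on loopback: router ID subnet must match hub peer range")
    return problems
```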