
FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide


Design concept and considerations

FortiGate NGFW

The FortiGate in the standalone next generation firewall (NGFW) topology is typically used by customers with a single FortiGate deployed on-premise to protect their site or with a single FortiGate deployed on-premise per site when multiple sites are involved. The design goals for deploying a FortiGate NGFW device are to use it for NGFW protection including antivirus, web filtering, intrusion prevention system (IPS), and application control features, and for LAN segmentation. Typically, a FortiGate NGFW has not yet been configured with advanced features such as SD-WAN, ZTNA, or FortiSASE.

This guide covers the cases when the newly deployed FortiGate NGFW is either configured using the FortiOS CLI or GUI, or managed using FortiManager.

This guide assumes a newly deployed FortiGate NGFW, which means that the device does not contain any existing routing or firewall policies that need to be reconfigured.

FortiSASE SPA hub versus SD-WAN hub

This guide describes steps required to configure the FortiGate NGFW as a FortiSASE SPA hub. A FortiSASE SPA hub allows the FortiSASE Security Points of Presence (PoPs) to connect to the hub as spokes. Essentially, the FortiGate becomes an IPsec Auto-Discovery VPN (ADVPN) hub in a hub-and-spoke topology, and for most deployments, this configuration will be sufficient to provide FortiSASE remote users with secure private access to internal resources behind the FortiGate NGFW.

SD-WAN uses ADVPN for its VPN overlay. In some deployments, administrators may prefer configuring their FortiGate NGFW as an SD-WAN hub instead of just as an ADVPN hub. For these deployments, administrators must additionally configure SD-WAN performance SLAs and SD-WAN rules using the FortiOS CLI or GUI, or use FortiManager, to ensure their FortiGate NGFW becomes fully SD-WAN enabled. These configuration changes to convert an ADVPN hub to an SD-WAN hub are outside the scope of this guide.

For more details on SD-WAN configuration, refer to the Performance SLA and SD-WAN Rules sections of the FortiOS Admin Guide. For more details on SD-WAN configuration using FortiManager, refer to the SD-WAN Single Datacenter Enterprise Deployment Guide.

Network restrictions

Because the following IP address ranges are reserved for FortiSASE internal usage, note the following network restrictions and ensure your network configuration does not overlap with them:

  • 10.252.0.0/16
  • 10.253.0.0/16
  • 100.65.0.0/16
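A quick pre-deployment check for the overlap rule above, written for this guide as an added example (not Fortinet code): it takes the planned LAN segments, address pools and static-route prefixes of a site and reports any that overlap the three reserved ranges, including supernets that only partially cover a reserved range. The sample site plan is constructed for illustration.

```python
import ipaddress

# Ranges the guide lists as reserved for FortiSASE internal use.
FORTISASE_RESERVED = [
    ipaddress.ip_network("10.252.0.0/16"),
    ipaddress.ip_network("10.253.0.0/16"),
    ipaddress.ip_network("100.65.0.0/16"),
]


def find_overlaps(prefixes):
    """Return (prefix, reserved) pairs for every configured prefix that
    overlaps a FortiSASE reserved range.

    `prefixes` is an iterable of CIDR strings (LAN segments, DHCP/VPN pools,
    static routes, etc.) taken from the site's planned configuration.
    overlaps() catches both directions: a subnet inside a reserved range and
    a supernet (such as a 10.0.0.0/8 route) that contains one.
    """
    overlaps = []
    for text in prefixes:
        net = ipaddress.ip_network(text, strict=False)
        if net.version != 4:
            continue  # the reserved ranges are IPv4 only
        for reserved in FORTISASE_RESERVED:
            if net.overlaps(reserved):
                overlaps.append((str(net), str(reserved)))
    return overlaps


def check_site_plan(prefixes):
    """True when the plan is free of overlaps with the reserved ranges."""
    return not find_overlaps(prefixes)


if __name__ == "__main__":
    # Constructed sample plan for a single-site NGFW (not from the guide).
    planned = [
        "192.168.10.0/24",  # user LAN, fine
        "10.252.8.0/22",    # server VLAN, sits inside 10.252.0.0/16
        "10.0.0.0/8",       # summary static route, covers both 10.25x ranges
        "100.64.0.0/10",    # CGNAT pool, contains 100.65.0.0/16
        "2001:db8::/48",    # IPv6 segment, ignored by the check
    ]
    for prefix, reserved in find_overlaps(planned):
        print(f"conflict: {prefix} overlaps reserved {reserved}")
    print("plan clean" if check_site_plan(planned) else "fix conflicts first")
```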
