NGFW to SPA Hub Conversion Using Fabric Overlay Orchestrator

Design concept and considerations

FortiGate NGFW

The FortiGate in the standalone next generation firewall (NGFW) topology is typically used by customers with a single FortiGate deployed on-premise to protect their site or with a single FortiGate deployed on-premise per site when multiple sites are involved. The design goals for deploying a FortiGate NGFW device are to use it for NGFW protection including antivirus, web filtering, intrusion prevention system (IPS), and application control features, and for LAN segmentation. Typically, a FortiGate NGFW has not yet been configured with advanced features such as SD-WAN, zero trust network access, or FortiSASE.

This guide covers the cases when the newly deployed FortiGate NGFW is configured using the FortiOS CLI or GUI, or managed using FortiManager.

This guide assumes a newly deployed FortiGate NGFW, meaning the device contains no existing routing or firewall policies that would need to be reconfigured.

FortiSASE SPA hub versus SD-WAN hub

This guide describes steps required to configure the FortiGate NGFW as a FortiSASE SPA hub. A FortiSASE SPA hub allows the FortiSASE Security Points of Presence (PoPs) to connect to the hub as spokes. Essentially, the FortiGate becomes an IPsec Auto-Discovery VPN (ADVPN) hub in a hub-and-spoke topology, and for most deployments, this configuration will be sufficient to provide FortiSASE remote users with secure private access to internal resources behind the FortiGate NGFW.

SD-WAN uses ADVPN for its VPN overlay. In some deployments, administrators may prefer to configure their FortiGate NGFW as an SD-WAN hub rather than only as an ADVPN hub. Those deployments require additional configuration of SD-WAN performance SLAs and SD-WAN rules, using the FortiOS CLI or GUI or FortiManager, before the FortiGate NGFW is fully SD-WAN enabled. The changes needed to convert an ADVPN hub into an SD-WAN hub are outside the scope of this guide.

For more details on SD-WAN configuration, refer to the Performance SLA and SD-WAN Rules sections of the FortiOS Administration Guide.

Fabric Overlay Orchestrator

FortiOS 7.2.4 and above includes a Fabric Overlay Orchestrator feature, which is an easy-to-use GUI wizard that simplifies the process of configuring a self-orchestrated SD-WAN overlay within a single Security Fabric. This feature is self-orchestrated since no additional tool or device aside from the FortiGates themselves is required to orchestrate this configuration. An SD-WAN overlay configuration consists of IPsec and BGP configuration settings.

Currently, the Fabric Overlay Orchestrator supports a single hub architecture and builds upon an existing Security Fabric configuration. This feature configures the root FortiGate as the SD-WAN overlay hub and configures the downstream FortiGates, namely, first-level children from the root, as the spokes.

The Fabric Overlay Orchestrator supports configuring an overlay for the following example hub-and-spoke topology using ADVPN and a single hub as depicted below:

The above network topology corresponds to the single datacenter (active-passive gateway) design using the IPsec overlay design of one-to-one overlay mapping per underlay. For further details on these topics, see the SD-WAN Architectures for Enterprises design guide.

In the hub-and-spoke topology above, the datacenter FortiGate (or the Root FortiGate in the Security Fabric) is the hub and the branch FortiGates (or the Downstream FortiGates in the Security Fabric) are the spokes. Each FortiGate has a distinct LAN subnet defined and has a loopback interface, lb1, with an IP address within the 10.20.1.0/24 subnet.

The Fabric Overlay Orchestrator creates loopback interfaces to act as health check servers that are always up and reachable by adjacent Security Fabric devices. When the policy creation option on the hub is set to automatic or health check, the Fabric Overlay Orchestrator configures a performance SLA from the hub to the health check servers at 10.20.1.2 and 10.20.1.3, corresponding to the Spoke 1 and Spoke 2 FortiGate devices respectively. Likewise, when run on each spoke, the Fabric Overlay Orchestrator creates a performance SLA to the hub using the hub's loopback address 10.20.1.1.

Instead of using loopbacks, any business-critical applications and resources connected to the LAN of each device can be used as health check servers for performance SLAs.
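To make the loopback health check concrete, the following FortiOS CLI fragment is an added example of what the equivalent hand-built configuration looks like; it is not output of the Fabric Overlay Orchestrator and is not taken from this guide. It shows the lb1 loopback on the hub, and on a spoke an SD-WAN member for the overlay tunnel plus a performance SLA that probes the hub loopback at 10.20.1.1. The tunnel interface name HUB1-VPN1, the SD-WAN member ID 1, the zone name overlay, and the SLA thresholds are assumptions for illustration only.

```text
# --- Hub: loopback used as an always-up health check target (lb1, 10.20.1.1) ---
# Assumed: single VDOM named root. Only ping is exposed on the loopback, because
# that is all the spoke SLA probes need; do not add https/ssh here.
config system interface
    edit "lb1"
        set vdom "root"
        set type loopback
        set ip 10.20.1.1 255.255.255.255
        set allowaccess ping
    next
end

# --- Spoke: overlay member and performance SLA towards the hub loopback ---
# Assumed: the IPsec tunnel interface to the hub is named HUB1-VPN1.
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "HUB1-VPN1"
            set zone "overlay"
        next
    end
    config health-check
        edit "HUB"
            set server "10.20.1.1"
            set members 1
            config sla
                edit 1
                    # Example thresholds; tune to the application being protected.
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
end
```

Two checks a practitioner should make after applying something like this: the hub needs a firewall policy that permits PING from the overlay interfaces to lb1 (the loopback's allowaccess setting alone does not create that policy), and the 10.20.1.0/24 loopback subnet must be advertised to the spokes over the overlay (by BGP in the orchestrator's design) so the probe has a route. On the spoke, `diagnose sys sdwan health-check` shows whether the SLA is being met.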

Network restrictions

The following IP address ranges are reserved for FortiSASE internal use. Ensure that your network configuration, including LAN subnets, loopbacks, and overlay addressing, does not overlap with them:

  • 10.252.0.0/16
  • 10.253.0.0/16
  • 100.65.0.0/16
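A quick way to catch such an overlap before committing an address plan is to test every candidate prefix against the three reserved ranges. The Python check below is an added example, not part of this guide, using only the standard library ipaddress module. The sample address plan is constructed for illustration; of its entries only 10.20.1.0/24 comes from the topology described above. Note that the check flags supernets that contain a reserved range (for example a blanket 10.0.0.0/8 or the 100.64.0.0/10 CGNAT block), since those are the cases that are easy to miss when eyeballing a plan.

```python
import ipaddress

# Ranges reserved for FortiSASE internal use, as listed in the guide.
FORTISASE_RESERVED = [
    ipaddress.ip_network("10.252.0.0/16"),
    ipaddress.ip_network("10.253.0.0/16"),
    ipaddress.ip_network("100.65.0.0/16"),
]


def reserved_overlaps(prefix):
    """Return the reserved ranges (as strings) that overlap the given prefix.

    ipaddress.overlaps() is symmetric: it reports both a prefix that lies
    inside a reserved range and a supernet that swallows one.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return [str(r) for r in FORTISASE_RESERVED if net.overlaps(r)]


def check_plan(prefixes):
    """Map each conflicting prefix to the reserved ranges it overlaps.

    Prefixes with no conflict are omitted, so an empty dict means the plan
    is clear of the FortiSASE reserved space.
    """
    conflicts = {}
    for p in prefixes:
        hits = reserved_overlaps(p)
        if hits:
            conflicts[p] = hits
    return conflicts


# Constructed sample address plan (not from the guide), mixing clean and
# conflicting entries so the output shows each failure mode.
SAMPLE_PLAN = [
    "10.20.1.0/24",     # orchestrator loopback subnet from the topology above
    "192.168.10.0/24",  # a branch LAN; clean
    "10.252.7.0/24",    # sits inside 10.252.0.0/16
    "10.0.0.0/8",       # supernet that contains both 10.252/16 and 10.253/16
    "100.64.0.0/10",    # CGNAT block; contains 100.65.0.0/16
]

if __name__ == "__main__":
    conflicts = check_plan(SAMPLE_PLAN)
    if not conflicts:
        print("address plan is clear of FortiSASE reserved ranges")
    for prefix, hits in conflicts.items():
        print(f"{prefix} overlaps reserved {', '.join(hits)}")
```

Run it with the real LAN, loopback and overlay prefixes substituted for SAMPLE_PLAN; a non-empty result means the plan must change before the SPA hub is connected.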
