
SPA with a FortiGate SD-WAN Deployment Guide

Deployment overview

Organizations with new or existing FortiGate SD-WAN deployments can provide their FortiSASE remote users with access to private resources.

Two scenarios give remote users broad, seamless access to privately hosted TCP- and UDP-based applications: a FortiGate next generation firewall (NGFW) converted to a FortiSASE secure private access (SPA) hub, and a FortiGate SD-WAN hub.

For the FortiGate SD-WAN SPA use case, you must configure a new FortiGate SD-WAN deployment or have an existing FortiGate SD-WAN deployment already configured. You then configure FortiSASE to communicate with the FortiGate SD-WAN hub. After completing this configuration, the FortiSASE security points of presence (PoPs) act as spokes to this hub, relying on IPsec VPN overlays and iBGP to secure and route traffic between the PoPs and the networks behind the organization’s FortiGate SD-WAN hub-and-spoke network.

FortiGate SD-WAN network deployments are expected to conform to Fortinet’s best practices for SD-WAN architecture and deployment for the following topologies:

  • SD-WAN with a single datacenter/hub
  • SD-WAN with dual datacenters/hubs
  • SD-WAN with up to 12 datacenters/hubs

Fortinet’s best practices for SD-WAN deployments include using FortiManager to manage the configuration of the FortiGate SD-WAN hub and spoke devices.

A typical topology for deploying this example design is as follows:

FortiSASE security PoPs and the organization’s FortiGate hubs form a traditional hub-and-spoke topology that supports the Fortinet autodiscovery VPN (ADVPN) configuration. ADVPN is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish dynamic, on-demand, direct tunnels, known as shortcut tunnels, between each other to avoid routing through the topology's hub device.

FortiSASE remote users may access private resources behind the FortiGate hub(s) directly through the IPsec tunnels between FortiSASE and the hub(s). If a private resource is behind one of the organization’s spoke devices, users may connect directly to that resource through an on-demand, direct, and dynamic ADVPN shortcut tunnel.

The SPA use cases with FortiGate hubs allow traffic flow in the following directions:

  From...                                        To...
  Remote VPN users                               FortiGate hubs (or spokes connected to hubs)
  FortiGate hubs (or spokes connected to hubs)   Remote VPN users
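The hub side of the ADVPN hub-and-spoke topology described above, and the two traffic directions in the table, as an added FortiOS CLI example. This is not part of this guide and is not the FortiManager-generated configuration the guide assumes; it only shows which hub settings correspond to the concepts introduced here. The interface names (port1 for WAN, port2 for LAN), the overlay subnet 10.10.1.0/24, the LAN prefix 10.1.0.0/24, the AS number 65000 and the tunnel name HUB1-VPN1 are constructed values, and the pre-shared key is a placeholder. The spoke side (the FortiSASE PoP tunnels and their BGP sessions) is configured from FortiSASE and is not shown.

```fortios
# Dynamic IKEv2 phase 1 on the hub: any spoke (including FortiSASE PoPs) can
# bring up a tunnel. auto-discovery-sender turns this hub into an ADVPN hub
# that offers shortcut tunnels between spokes. add-route is disabled because
# iBGP, not IKE, carries the routes.
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set type dynamic
        set interface "port1"          # constructed: WAN interface
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set dpd-retryinterval 5
        set auto-discovery-sender enable
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "HUB1-VPN1"
        set phase1name "HUB1-VPN1"
        set proposal aes256-sha256
    next
end

# Overlay addressing on the tunnel interface; spokes get addresses from the
# same /24 so that the BGP neighbor-range below matches all of them.
config system interface
    edit "HUB1-VPN1"
        set ip 10.10.1.254 255.255.255.255          # constructed overlay IP
        set remote-ip 10.10.1.253 255.255.255.0
        set allowaccess ping
    next
end

# iBGP: one neighbor-group for every spoke in the overlay subnet. The hub acts
# as route reflector so prefixes learned from one spoke reach the others and
# the FortiSASE PoPs; next-hop-self keeps the hub in the path until an ADVPN
# shortcut takes over.
config router bgp
    set as 65000                                    # constructed AS number
    set router-id 10.10.1.254
    set ibgp-multipath enable
    config neighbor-group
        edit "SPOKES"
            set remote-as 65000
            set route-reflector-client enable
            set next-hop-self enable
            set soft-reconfiguration enable
            set link-down-failover enable
            set advertisement-interval 1
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.1.0 255.255.255.0
            set neighbor-group "SPOKES"
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.255.0       # constructed hub LAN prefix
        next
    end
end

# Policies for the two directions in the table: overlay -> hub LAN (remote users
# reaching hub resources) and hub LAN -> overlay (hub-side resources answering
# or initiating to remote users). The overlay -> overlay policy is what lets a
# spoke reach a resource behind another spoke and lets ADVPN negotiate the
# shortcut through the hub. Narrow srcaddr/dstaddr to real address objects in
# production; "all" is used here only to keep the example short.
config firewall policy
    edit 1
        set name "overlay-to-lan"
        set srcintf "HUB1-VPN1"
        set dstintf "port2"                          # constructed: LAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "lan-to-overlay"
        set srcintf "port2"
        set dstintf "HUB1-VPN1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "overlay-to-overlay"
        set srcintf "HUB1-VPN1"
        set dstintf "HUB1-VPN1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The neighbor-range entry is what makes the design scale: each FortiSASE PoP or branch spoke peers with the hub from its own overlay address without a per-spoke neighbor statement, and the route-reflector-client setting is what allows a prefix behind one spoke to be advertised to the others, which is the precondition for the spoke-to-spoke ADVPN shortcut described in the text.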

FortiSASE supports these main routing design methods:

This deployment guide describes how to configure FortiSASE PoPs to act as spokes of a new or existing FortiGate SD-WAN hub-and-spoke network deployment. It covers the cases where the newly deployed or existing FortiGate SD-WAN network is managed using FortiManager according to Fortinet’s SD-WAN best practices. After performing the subsequent FortiSASE configuration steps, FortiSASE remote users can privately access the internal networks behind these deployments.

For the FortiGate NGFW SPA use case, you must first convert the NGFW to a standalone IPsec VPN hub. For deployment details for this use case, see the 4-D FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide (FortiOS 7.0.7+) instead of this guide.

For the FortiGate NGFW SPA use case running FortiOS 7.2.4 and above, you can use the Fabric Overlay Orchestrator feature to convert the NGFW to a standalone IPsec VPN hub. For deployment details, see the 4-D FortiGate NGFW to FortiSASE SPA Hub Conversion using Fabric Overlay Orchestrator Deployment Guide (FortiOS 7.2.4+, 7.4.0+).

For a list of product prerequisites, see SPA using a FortiGate SD-WAN hub.

Intended audience

Midlevel network and security administrators of FortiGate devices with SD-WAN configurations in companies of all sizes and verticals should find this guide helpful. A working knowledge of FortiOS, FortiGate, SD-WAN, and FortiManager configuration and the Fortinet Security Fabric is helpful.

For comments and feedback about this document, visit the FortiSASE Integration with Existing SD-WAN Hub Deployment on community.fortinet.com.

About this guide

This deployment guide describes the steps involved in deploying a specific architecture for the FortiSASE SPA use case using a new or existing FortiGate SD-WAN network.

Readers should first evaluate their environment to determine whether the architecture outlined in this guide suits them. Reviewing the reference architecture guide(s), such as the FortiSASE Architecture Guide, is advisable if readers are still in the process of selecting the right architecture. See also the FortiSASE Concept Guide.

This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers must make design decisions to further configure their devices. Reviewing supplementary material found on the Fortinet Document Library in product administration guides, example guides, cookbooks, release notes, and other documents is recommended, where appropriate.