
SPA with a FortiGate SD-WAN Deployment Guide

Design concept and considerations

FortiGate SD-WAN network topology

FortiSASE supports secure private access to the following SD-WAN topologies:

  • SD-WAN with a single datacenter/hub
  • SD-WAN with dual datacenters/hubs
  • SD-WAN with up to four datacenters/hubs

The following topology diagram depicts an SD-WAN with four datacenters/hubs:

In the example topology, the SD-WAN hub-and-spoke network administrator configures the following settings outside of the FortiSASE network. According to SD-WAN best practices, administrators configure these settings using FortiManager:

  • Hub 1, hub 2, hub 3, hub 4, and spoke 1 WAN1 IP addresses

  • IPsec VPN settings including network overlay for hub 1, hub 2, hub 3, hub 4, and spoke 1

  • BGP settings including BGP router IDs of hub 1, hub 2, hub 3, hub 4, and spoke 1

The following table maps the aforementioned settings configured by FortiManager with the settings that you configure in FortiSASE using the Secure Private Access page:

Network Setting in FortiManager                                                                  | Network Setting in FortiSASE Secure Private Access Page
------------------------------------------------------------------------------------------------ | -------------------------------------------------------
Hub 1 WAN IP Address                                                                             | Remote Gateway for Hub 1
Hub 2 WAN IP Address                                                                             | Remote Gateway for Hub 2
Hub 3 WAN IP Address                                                                             | Remote Gateway for Hub 3
Hub 4 WAN IP Address                                                                             | Remote Gateway for Hub 4
Hub 1 BGP Router ID                                                                              | BGP Peer ID for Hub 1
Hub 2 BGP Router ID                                                                              | BGP Peer ID for Hub 2
Hub 3 BGP Router ID                                                                              | BGP Peer ID for Hub 3
Hub 4 BGP Router ID                                                                              | BGP Peer ID for Hub 4
Hub 1 Host IP address (typically) or any other IP address of a host locally connected to Hub 1   | Health Check IP

In addition, the administrator should configure these host IP addresses:

  • Hub 1 Host IP address
  • Hub 2 Host IP address
  • Hub 3 Host IP address
  • Hub 4 Host IP address
  • Spoke 1 Host IP address

You can configure the hub 1 host IP address or any other host locally connected to hub 1 later to set up the health check for the SD-WAN performance SLA rule that FortiSASE uses.

FortiSASE dynamically generates the remaining settings for the FortiSASE security points of presence (PoPs), namely, the BGP router ID, using the parameters specified in the FortiSASE Secure Private Access GUI. On the FortiSASE security PoPs, the IPsec VPN interface IP addresses to the primary hub and the IPsec VPN interface IP addresses to the redundant hub are dynamically assigned using the IPsec VPN mode-cfg feature enabled on the hubs.


For solution and design overviews of the single datacenter for enterprise and multiple datacenter for enterprise solutions, see the SD-WAN 4-D documentation:

Network restrictions

Because the following IP address ranges are reserved for FortiSASE internal usage, note the following network restrictions and ensure that your network configuration does not overlap with them:

  • 10.252.0.0/16
  • 10.253.0.0/16
  • 100.65.0.0/16
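As an added pre-deployment check (not part of the Fortinet guide or any FortiSASE/FortiManager API), the following Python maps the FortiManager-side hub values onto the Secure Private Access page fields from the table above and flags any customer prefix that overlaps the three reserved ranges. The hub dictionary keys, the sample addresses (RFC 5737 documentation ranges) and the LAN prefixes are constructed for illustration.

```python
import ipaddress

# Ranges the guide lists as reserved for FortiSASE internal use; customer networks must not overlap them.
FORTISASE_RESERVED = [
    ipaddress.ip_network("10.252.0.0/16"),
    ipaddress.ip_network("10.253.0.0/16"),
    ipaddress.ip_network("100.65.0.0/16"),
]


def reserved_overlaps(prefixes):
    """Return (prefix, reserved_range) pairs for every customer prefix that overlaps a reserved range."""
    hits = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)  # accept host addresses and unaligned prefixes
        for reserved in FORTISASE_RESERVED:
            if net.overlaps(reserved):
                hits.append((str(net), str(reserved)))
    return hits


def spa_settings_from_fortimanager(hubs, health_check_host):
    """Map FortiManager hub settings onto the SPA page fields listed in the table above.

    `hubs` is an ordered list of dicts with constructed keys 'wan_ip' and 'bgp_router_id'
    (hub 1 first); SPA supports one to four hubs.
    """
    if not 1 <= len(hubs) <= 4:
        raise ValueError("Secure Private Access supports one to four hubs")
    spa = {}
    for i, hub in enumerate(hubs, start=1):
        ipaddress.ip_address(hub["bgp_router_id"])  # router IDs are dotted quads; reject malformed ones
        spa[f"Remote Gateway for Hub {i}"] = str(ipaddress.ip_address(hub["wan_ip"]))
        spa[f"BGP Peer ID for Hub {i}"] = hub["bgp_router_id"]
    # Health check target: hub 1 host IP, or another host locally connected to hub 1.
    spa["Health Check IP"] = str(ipaddress.ip_address(health_check_host))
    return spa


# Constructed sample values, not a real deployment.
SAMPLE_HUBS = [
    {"wan_ip": "203.0.113.1", "bgp_router_id": "10.1.1.1"},
    {"wan_ip": "203.0.113.2", "bgp_router_id": "10.2.2.2"},
]
SAMPLE_LAN_PREFIXES = ["192.0.2.0/24", "10.253.10.0/24"]  # the second one collides with a reserved range

if __name__ == "__main__":
    print(spa_settings_from_fortimanager(SAMPLE_HUBS, "192.0.2.10"))
    print(reserved_overlaps(SAMPLE_LAN_PREFIXES))
```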
