Configuring SPA to the FortiGate SPA hub in FortiSASE Secure Private Access
Before configuring the Secure Private Access settings in the FortiSASE portal, ensure that the FortiSASE SPA hub conforms to the details in all previous sections of this guide up to this point, especially the sections covering Design concept and considerations, Product prerequisites, and Reviewing configuration settings of an existing FortiGate SD-WAN hub deployment previously configured using FortiManager. Otherwise secure private access (SPA) will not function correctly.
To give FortiSASE remote users SPA to resources behind your FortiGate SD-WAN hub network, you configure the FortiSASE security points of presence (PoPs) as spokes in your hub-and-spoke network using the Secure Private Access page.
Configuration workflow
To configure SPA service connections (hubs), you must follow this configuration workflow in Network > Secure Private Access:
- Click the Network Configuration tab at the top of the page and configure the common network configuration settings. See Configuring network configuration.
- Click the Service Connections tab at the top of the page, click Create, and configure a new service connection (hub). See Configuring a new service connection.
You cannot configure a service connection or hub without first configuring the Network Configuration settings.
BGP routing design
FortiSASE supports FortiGate hubs for SPA using either BGP per overlay (default) or BGP on loopback. See the following table for an overview of each routing design and example FortiGate hub and spoke reference configurations that can be used for a typical SD-WAN dual hub deployment:
BGP routing design overview | Example hub configuration for dual hub architecture | Example spoke configuration for dual hub architecture
---|---|---
BGP per overlay (default) | |
The example network topology uses the following settings configured in FortiSASE:

Configuration setting | Value used in example network topology
---|---
Network Configuration settings |
BGP routing design | BGP per overlay
BGP router ID subnet | 10.20.1.0/28
Autonomous system number (ASN) | 65400
BGP recursive routing | Enabled
Hub selection method | Hub health and priority
Health check IP address | 10.30.100.1
Service Connection settings |
Name | Datacenter 1
Remote gateway | 1.2.3.4
Authentication method | Pre-shared key
Pre-shared key | mysecretkey
BGP peer IP address | 10.20.1.253
Network Overlay ID | 2
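The following script is an added example, not part of the FortiSASE documentation or product, that sanity-checks a set of SPA settings offline before they are entered in the portal: it enforces the workflow order above (Network Configuration must exist before any service connection), validates each value from the settings table as a network, address, ASN or overlay ID, and flags a short pre-shared key. The dictionary layout, the 16-character PSK minimum, and the assumed 1 to 255 range for the Network Overlay ID are the example's own assumptions, not FortiSASE requirements; the sample values are those from the table.

```python
"""Offline sanity checks for FortiSASE SPA settings (added example, not Fortinet code)."""
import ipaddress

# Constructed sample: the values from the example network topology table.
EXAMPLE_SETTINGS = {
    "network_configuration": {
        "bgp_routing_design": "BGP per overlay",
        "bgp_router_id_subnet": "10.20.1.0/28",
        "asn": 65400,
        "bgp_recursive_routing": True,
        "hub_selection_method": "Hub health and priority",
        "health_check_ip": "10.30.100.1",
    },
    "service_connections": [
        {
            "name": "Datacenter 1",
            "remote_gateway": "1.2.3.4",
            "authentication_method": "Pre-shared key",
            "pre_shared_key": "mysecretkey",
            "bgp_peer_ip": "10.20.1.253",
            "network_overlay_id": 2,
        }
    ],
}

ROUTING_DESIGNS = {"BGP per overlay", "BGP on loopback"}
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))  # RFC 6996
MIN_PSK_LENGTH = 16          # assumed local policy, not a FortiSASE limit
OVERLAY_ID_RANGE = (1, 255)  # assumed valid range for Network Overlay ID


def _is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def validate(settings):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    net = settings.get("network_configuration")
    conns = settings.get("service_connections", [])

    # Workflow order: Network Configuration must exist before any hub is defined.
    if not net:
        findings.append("network_configuration missing: configure it before any service connection")
        return findings

    if net.get("bgp_routing_design") not in ROUTING_DESIGNS:
        findings.append(f"unknown BGP routing design {net.get('bgp_routing_design')!r}")

    try:
        # strict=True rejects a subnet written with host bits set, e.g. 10.20.1.1/28
        ipaddress.ip_network(net.get("bgp_router_id_subnet", ""), strict=True)
    except ValueError:
        findings.append(f"BGP router ID subnet {net.get('bgp_router_id_subnet')!r} is not a valid network")

    asn = net.get("asn")
    if not isinstance(asn, int) or not _is_private_asn(asn):
        findings.append(f"ASN {asn!r} is not a private ASN; confirm it is intentional")

    try:
        ipaddress.ip_address(net.get("health_check_ip", ""))
    except ValueError:
        findings.append(f"health check IP {net.get('health_check_ip')!r} is not a valid address")

    seen_names, seen_peers = set(), set()
    for conn in conns:
        name = conn.get("name", "<unnamed>")
        if name in seen_names:
            findings.append(f"duplicate service connection name {name!r}")
        seen_names.add(name)

        try:
            gw = ipaddress.ip_address(conn.get("remote_gateway", ""))
            # PoPs reach the hub across the internet, so the gateway must be globally routable
            if not gw.is_global:
                findings.append(f"{name}: remote gateway {gw} is not a public address")
        except ValueError:
            findings.append(f"{name}: remote gateway {conn.get('remote_gateway')!r} is invalid")

        if conn.get("authentication_method") == "Pre-shared key":
            if len(conn.get("pre_shared_key", "")) < MIN_PSK_LENGTH:
                findings.append(f"{name}: pre-shared key shorter than {MIN_PSK_LENGTH} characters")

        try:
            ipaddress.ip_address(conn.get("bgp_peer_ip", ""))
        except ValueError:
            findings.append(f"{name}: BGP peer IP {conn.get('bgp_peer_ip')!r} is invalid")

        oid = conn.get("network_overlay_id")
        if not isinstance(oid, int) or not OVERLAY_ID_RANGE[0] <= oid <= OVERLAY_ID_RANGE[1]:
            findings.append(f"{name}: network overlay ID {oid!r} outside {OVERLAY_ID_RANGE}")

        # Two hubs with the same gateway and overlay ID would collide on the same tunnel.
        peer_key = (conn.get("remote_gateway"), oid)
        if peer_key in seen_peers:
            findings.append(f"{name}: same remote gateway and overlay ID as another connection")
        seen_peers.add(peer_key)

    return findings


if __name__ == "__main__":
    for finding in validate(EXAMPLE_SETTINGS) or ["no findings"]:
        print(finding)
```

Run against the table's values, the only finding is the placeholder pre-shared key, which is too short for the assumed policy; replace it with a long random secret before deploying, and extend `validate` with the same pattern for any site-specific rule (for example, that the BGP peer IP must fall inside an address range your hub design reserves for overlay endpoints).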