Fortinet white logo
Fortinet white logo

SPA with a FortiGate SD-WAN Deployment Guide

Configuring SPA to the FortiGate SPA hub in FortiSASE Secure Private Access

Configuring SPA to the FortiGate SPA hub in FortiSASE Secure Private Access

Note Before configuring the Secure Private Access settings in the FortiSASE portal, to ensure proper secure private access (SPA) functionality, you must ensure that the FortiSASE SPA hub conforms to details mentioned in all previous sections of this guide up until this point, especially those sections covering Design concept and considerations, Product prerequisites, and Reviewing configuration settings of an existing FortiGate SD-WAN hub deployment previously configured using FortiManager.

To allow FortiSASE remote users with SPA to resources behind your FortiGate SD-WAN hub network, you can configure FortiSASE security points of presence as spokes in your hub-and-spoke network using the Secure Private Access page.

Configuration workflow

To configure SPA service connections (hubs), you must follow this configuration workflow in Network > Secure Private Access:

  1. Click the Network Configuration tab at the top of the page and configure the common network configuration settings. See Configuring network configuration.

  2. Click the Service Connections tab at the top of the page, click Create, and configure a new service connection (hub). See Configuring a new service connection.

Note You cannot configure a service connection or hub without first configuring Network Configuration settings.

BGP routing design

FortiSASE supports FortiGate hubs for SPA using either BGP per overlay (default) or BGP on loopback. See the following table for an overview of each routing design and example FortiGate hub and spoke reference configurations that can be used for a typical SD-WAN dual hub deployment:

BGP routing design overview

Example hub configuration for dual hub architecture

Example spoke configuration for dual hub architecture

BGP per overlay (default)

SD-WAN dual hub with VPN overlay and BGP routing - HUBs

SD-WAN dual hub with VPN overlay and BGP routing - Branches

BGP on loopback

BGP on loopback (Dual-Hub region) - Hub

BGP on loopback (Dual-Hub region) - Spoke

The example network topology uses the following settings configured in FortiSASE:

Configuration setting Value used in example network topology
Network Configuration settings
BGP routing design BGP per overlay
BGP router ID subnet 10.20.1.0/28
Autonomous system number (ASN) 65400
BGP recursive routing Enabled
Hub selection method Hub health and priority
Health check IP address 10.30.100.1
Service Connection settings
Name Datacenter 1
Remote gateway 1.2.3.4
Authentication method Pre-shared key
Pre-shared key mysecretkey
BGP peer IP address 10.20.1.253
Network Overlay ID 2

Configuring SPA to the FortiGate SPA hub in FortiSASE Secure Private Access

Configuring SPA to the FortiGate SPA hub in FortiSASE Secure Private Access

Note Before configuring the Secure Private Access settings in the FortiSASE portal, to ensure proper secure private access (SPA) functionality, you must ensure that the FortiSASE SPA hub conforms to details mentioned in all previous sections of this guide up until this point, especially those sections covering Design concept and considerations, Product prerequisites, and Reviewing configuration settings of an existing FortiGate SD-WAN hub deployment previously configured using FortiManager.

To allow FortiSASE remote users with SPA to resources behind your FortiGate SD-WAN hub network, you can configure FortiSASE security points of presence as spokes in your hub-and-spoke network using the Secure Private Access page.

Configuration workflow

To configure SPA service connections (hubs), you must follow this configuration workflow in Network > Secure Private Access:

  1. Click the Network Configuration tab at the top of the page and configure the common network configuration settings. See Configuring network configuration.

  2. Click the Service Connections tab at the top of the page, click Create, and configure a new service connection (hub). See Configuring a new service connection.

Note You cannot configure a service connection or hub without first configuring Network Configuration settings.

BGP routing design

FortiSASE supports FortiGate hubs for SPA using either BGP per overlay (default) or BGP on loopback. See the following table for an overview of each routing design and example FortiGate hub and spoke reference configurations that can be used for a typical SD-WAN dual hub deployment:

BGP routing design overview

Example hub configuration for dual hub architecture

Example spoke configuration for dual hub architecture

BGP per overlay (default)

SD-WAN dual hub with VPN overlay and BGP routing - HUBs

SD-WAN dual hub with VPN overlay and BGP routing - Branches

BGP on loopback

BGP on loopback (Dual-Hub region) - Hub

BGP on loopback (Dual-Hub region) - Spoke

The example network topology uses the following settings configured in FortiSASE:

Configuration setting Value used in example network topology
Network Configuration settings
BGP routing design BGP per overlay
BGP router ID subnet 10.20.1.0/28
Autonomous system number (ASN) 65400
BGP recursive routing Enabled
Hub selection method Hub health and priority
Health check IP address 10.30.100.1
Service Connection settings
Name Datacenter 1
Remote gateway 1.2.3.4
Authentication method Pre-shared key
Pre-shared key mysecretkey
BGP peer IP address 10.20.1.253
Network Overlay ID 2