SPA with a FortiGate SD-WAN Deployment Guide

Configuring a new service connection

You can create a new service connection (hub) using one of the following BGP routing design methods:

  • BGP per overlay (default)
  • BGP on loopback
Note

You configured the corresponding BGP routing design method in the Network Configuration tab.

After you create a service connection, you can use Update Authentication Method to switch it from a preshared key (PSK) to a certificate or vice versa, or to update the settings of the current method, such as the PSK value, the PKI user, or the certificate.

To configure service connections or hubs for BGP per overlay:
  1. Go to Network > Secure Private Access.
  2. On the Service Connection tab, click Create.
  3. Fill in the rest of the fields with the attributes of the FortiGate hub or service connection. FortiSASE validates the input and notifies you of any invalid values.

    Network attributes, with descriptions and example values:

    Name
    Alias or comment associated with the hub. Maximum length of 25 characters; acceptable characters are alphanumeric characters, spaces, and dashes (-).
    Example: Datacenter 1

    Remote gateway
    IPsec VPN remote gateway (public IP address) of the hub.
    Example: 1.2.3.4

    Authentication method
    Method used to authenticate with the FortiGate hub. Supports Pre-shared key (default) and Certificate.
    Example: Pre-shared key

    Pre-shared key (PSK)
    When Authentication method is Pre-shared key, define the hub PSK. Use a long, randomly generated value that is also configured on the hub; the example below is a placeholder only.
    Example: mysecretkey

    PKI User
    When Authentication method is Certificate, select the PKI user whose subject and CA certificate FortiSASE uses to validate the hub's certificate. You can create the PKI user directly from +Create, or via Configuration > PKI, and then select it here.
    Example: mypeer

    Certificate
    When Authentication method is Certificate, select the certificate that the security PoP presents to the hub. You must first import this certificate into FortiSASE as a Local Certificate via System > Certificates.
    Example: Fortinet_Factory

    BGP peer IP address
    The IP address on the hub that is used as the BGP peer.
    Example: 192.168.10.253

    Network overlay ID
    A network ID that must be unique for each hub. If the active hub triggers a shortcut between two spokes and, after a failover to another hub, that hub also triggers a shortcut between the same two spokes, the second shortcut fails when both hubs share the same network ID. Ensure that the IPsec VPN tunnels towards each hub have different network overlay IDs.
    Example: 2

    Note

    The following IP address ranges are reserved for FortiSASE internal use. Ensure that your network configuration does not overlap with them:

    • 10.252.0.0/16
    • 10.253.0.0/16
    • 100.65.0.0/16

    Note

    For BGP per overlay, the BGP router ID subnet should not overlap with the subnet used for the BGP peer IP address; these two settings should be distinct, as the example values demonstrate.

    For BGP on loopback, the BGP router ID subnet should match the BGP peer IP address range defined on the hub.

  4. Click Save.

  5. Once FortiSASE successfully configures the service connection, it notifies you. The value in the Configuration State column changes from Creating to Success.
  6. (Optional) Repeat the steps to configure up to a total of four service connections as necessary to support your secure private access service connection network topology. The following shows the GUI after configuring two service connections:

Note

For security points of presence (PoPs), the SD-WAN performance SLA (health check) uses the following thresholds:

  • Latency threshold: 120 ms
  • Jitter threshold: 55 ms
  • Packet loss threshold: 1%

Also, for security PoPs, the SD-WAN rule is configured with the lowest cost (SLA) mode, where the security PoPs choose the lowest cost link (highest priority hub) that satisfies the SLA to forward traffic.

Note

In the SD-WAN rule used by each security PoP, the interface preference order decides between links of equal cost (equal-priority hubs). That order is the order in which the service connections were created, so configure them from the most preferred hub to the least preferred hub.
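The following Python script is an added example, not part of this guide or of any Fortinet product, that reproduces the selection logic the two notes above describe: it applies the documented SLA thresholds (120 ms latency, 55 ms jitter, 1% packet loss) to health-check measurements for each service connection and then picks the hub the lowest cost (SLA) rule would pick, resolving ties between equal-cost hubs by configuration order. The hub names, costs and measurements are constructed sample data. Treating a value exactly equal to a threshold as within SLA, and returning no hub when none meets the SLA, are assumptions of this example that the guide does not state.

```python
"""Hub selection as described for the security PoP's SD-WAN rule.

Added example, not Fortinet code. Equal-to-threshold counting as in SLA,
and None when nothing meets the SLA, are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Performance SLA thresholds stated on this page for security PoPs.
LATENCY_MS = 120.0
JITTER_MS = 55.0
LOSS_PCT = 1.0


@dataclass(frozen=True)
class HubHealth:
    name: str          # service connection name
    cost: int          # link cost; lower cost = higher priority hub
    latency_ms: float  # values measured by the PoP's health check
    jitter_ms: float
    loss_pct: float


def meets_sla(h: HubHealth) -> bool:
    """True when every measured value is within its threshold."""
    return (h.latency_ms <= LATENCY_MS
            and h.jitter_ms <= JITTER_MS
            and h.loss_pct <= LOSS_PCT)


def sla_report(hubs: List[HubHealth]) -> Dict[str, List[str]]:
    """Map each hub name to the thresholds it violates (empty list = in SLA)."""
    report: Dict[str, List[str]] = {}
    for h in hubs:
        failed = []
        if h.latency_ms > LATENCY_MS:
            failed.append(f"latency {h.latency_ms:g} ms > {LATENCY_MS:g} ms")
        if h.jitter_ms > JITTER_MS:
            failed.append(f"jitter {h.jitter_ms:g} ms > {JITTER_MS:g} ms")
        if h.loss_pct > LOSS_PCT:
            failed.append(f"loss {h.loss_pct:g}% > {LOSS_PCT:g}%")
        report[h.name] = failed
    return report


def select_hub(hubs_in_config_order: List[HubHealth]) -> Optional[str]:
    """Lowest cost (SLA) mode: the cheapest hub that meets the SLA.

    Ties between equal-cost hubs go to the hub that appears first in the
    list, i.e. the service connection that was configured first. Returns
    None when no hub is within SLA (the page does not state the fallback).
    """
    eligible = [h for h in hubs_in_config_order if meets_sla(h)]
    if not eligible:
        return None
    # min() keeps the earliest element among equal keys, which preserves
    # the configuration order as the tie-breaker.
    return min(eligible, key=lambda h: h.cost).name


# Constructed sample measurements (not real data): two equal-cost hubs, and
# a cheaper third hub that is currently out of SLA on packet loss.
SAMPLE = [
    HubHealth("Datacenter 1", cost=10, latency_ms=35, jitter_ms=4, loss_pct=0.0),
    HubHealth("Datacenter 2", cost=10, latency_ms=30, jitter_ms=3, loss_pct=0.2),
    HubHealth("Datacenter 3", cost=5, latency_ms=90, jitter_ms=20, loss_pct=2.5),
]

if __name__ == "__main__":
    for name, failed in sla_report(SAMPLE).items():
        print(f"{name}: {'in SLA' if not failed else ', '.join(failed)}")
    print("selected hub:", select_hub(SAMPLE))
```

With the sample data, Datacenter 3 is the cheapest link but fails the loss threshold, so it is skipped; Datacenter 1 and Datacenter 2 both meet the SLA at equal cost, and Datacenter 1 wins only because it was configured first, even though Datacenter 2 currently measures slightly better. Reversing the configuration order flips that result, which is the point of the note above.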

To configure service connections or hubs for BGP on loopback:
  1. Go to Network > Secure Private Access.
  2. On the Service Connection tab, click Create.
  3. For the Create a New Secure Private Access Service Connection step, fill in the fields with the attributes of the FortiGate hub or service connection. FortiSASE performs input validation and notifies you of any invalid values.

    Network attributes, with descriptions and example values:

    Name
    Alias or comment associated with the hub. Maximum length of 25 characters; acceptable characters are alphanumeric characters, spaces, and dashes (-).
    Example: Datacenter 1

    Remote gateway
    IPsec VPN remote gateway (public IP address) of the hub.
    Example: 1.2.3.4

    Authentication method
    Method used to authenticate with the FortiGate hub. Supports Pre-shared key (default) and Certificate.
    Example: Pre-shared key

    Pre-shared key (PSK)
    When Authentication method is Pre-shared key, define the hub PSK. Use a long, randomly generated value that is also configured on the hub; the example below is a placeholder only.
    Example: mysecretkey

    PKI User
    When Authentication method is Certificate, select the PKI user whose subject and CA certificate FortiSASE uses to validate the hub's certificate. You can create the PKI user directly from +Create, or via Configuration > PKI, and then select it here.
    Example: mypeer

    Certificate
    When Authentication method is Certificate, select the certificate that the security PoP presents to the hub. You must first import this certificate into FortiSASE as a Local Certificate via System > Certificates.
    Example: Fortinet_Factory

    ADVPN Route Tag
    For BGP on loopback only: the ADVPN route tag number that the spoke uses to tag incoming routes advertised from this hub. See Enhanced BGP next hop updates and ADVPN shortcut override.
    Example: 1

    BGP peer IP address
    The IP address on the hub that is used as the BGP peer.
    Example: 10.10.10.253

    Network overlay ID
    A network ID that must be unique for each hub. If the active hub triggers a shortcut between two spokes and, after a failover to another hub, that hub also triggers a shortcut between the same two spokes, the second shortcut fails when both hubs share the same network ID. Ensure that the IPsec VPN tunnels towards each hub have different network overlay IDs.
    Example: 2

    Note

    The following IP address ranges are reserved for FortiSASE internal use. Ensure that your network configuration does not overlap with them:

    • 10.252.0.0/16
    • 10.253.0.0/16
    • 100.65.0.0/16

    Note

    For BGP per overlay, the BGP router ID subnet should not overlap with the subnet used for the BGP peer IP address; these two settings should be distinct, as the example values demonstrate.

    For BGP on loopback, the BGP router ID subnet should match the BGP peer IP address range defined on the hub.

  4. Click Save.

  5. Once FortiSASE successfully configures the service connection, it notifies you. The value in the Configuration State column changes from Creating to Success.
  6. (Optional) Repeat the steps to configure up to a total of four service connections as necessary to support your secure private access service connection network topology.
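
Before entering the values from either procedure into the GUI, it is worth checking the plan against the constraints this page states. The following Python script is an added example, not Fortinet code or part of this guide, that does so for both the BGP per overlay and the BGP on loopback procedures above: Name format and length, the four-connection limit, a unique network overlay ID per hub, the reserved FortiSASE ranges, the BGP router ID rule for each design, the ADVPN route tag for BGP on loopback, and the fields each authentication method requires. The dataclass field names, the router ID subnet passed in as a CIDR string (assumed to be the value from the Network Configuration tab), checking the peer address itself rather than its subnet (the page does not give that prefix length), and the 20-character PSK minimum are this example's assumptions, not product rules.

```python
"""Pre-flight checks for planned FortiSASE service connections (hubs).

Added example, not Fortinet code. Field names, the CIDR router ID subnet,
the peer-address check and MIN_PSK_LEN are this example's assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ranges this page reserves for FortiSASE internal use.
RESERVED = [ipaddress.ip_network(n)
            for n in ("10.252.0.0/16", "10.253.0.0/16", "100.65.0.0/16")]
MAX_SERVICE_CONNECTIONS = 4
NAME_RE = re.compile(r"^[A-Za-z0-9 -]{1,25}$")  # alphanumeric, space, dash; max 25
MIN_PSK_LEN = 20  # hygiene check chosen for this example, not a FortiSASE limit


@dataclass
class ServiceConnection:
    name: str
    remote_gateway: str                    # hub's public IPsec gateway
    bgp_peer_ip: str                       # hub address used as the BGP peer
    network_overlay_id: int
    auth_method: str = "psk"               # "psk" or "certificate"
    psk: Optional[str] = None
    pki_user: Optional[str] = None
    certificate: Optional[str] = None
    advpn_route_tag: Optional[int] = None  # BGP on loopback only


def validate_plan(hubs: List[ServiceConnection], design: str,
                  router_id_subnet: str) -> List[str]:
    """Return the problems found; an empty list means the plan passes.

    design is "per_overlay" or "loopback"; router_id_subnet is the BGP
    router ID subnet from the Network Configuration tab, as CIDR."""
    if design not in ("per_overlay", "loopback"):
        return [f"unknown BGP routing design {design!r}"]
    problems: List[str] = []
    router_net = ipaddress.ip_network(router_id_subnet, strict=False)
    if len(hubs) > MAX_SERVICE_CONNECTIONS:
        problems.append(f"{len(hubs)} service connections planned; "
                        f"maximum is {MAX_SERVICE_CONNECTIONS}")
    for r in RESERVED:
        if router_net.overlaps(r):
            problems.append(f"BGP router ID subnet {router_net} overlaps reserved range {r}")
    seen_overlay: Dict[int, str] = {}  # overlay ID -> first hub that used it
    for h in hubs:
        tag = repr(h.name)
        if not NAME_RE.match(h.name):
            problems.append(f"{tag}: name must be 1-25 alphanumeric, space or dash characters")
        gw = ipaddress.ip_address(h.remote_gateway)
        if not gw.is_global:
            problems.append(f"{tag}: remote gateway {gw} is not a public address")
        peer = ipaddress.ip_address(h.bgp_peer_ip)
        for r in RESERVED:
            if peer in r:
                problems.append(f"{tag}: BGP peer {peer} is inside reserved range {r}")
        if design == "per_overlay" and peer in router_net:
            problems.append(f"{tag}: BGP peer {peer} overlaps router ID subnet "
                            f"{router_net} (BGP per overlay)")
        if design == "loopback":
            if peer not in router_net:
                problems.append(f"{tag}: BGP peer {peer} is outside router ID subnet "
                                f"{router_net} (BGP on loopback)")
            if h.advpn_route_tag is None:
                problems.append(f"{tag}: ADVPN route tag is required for BGP on loopback")
        if h.network_overlay_id in seen_overlay:
            problems.append(f"{tag}: network overlay ID {h.network_overlay_id} "
                            f"already used by {seen_overlay[h.network_overlay_id]!r}")
        seen_overlay.setdefault(h.network_overlay_id, h.name)
        if h.auth_method == "psk":
            if not h.psk:
                problems.append(f"{tag}: PSK authentication selected but no PSK given")
            elif len(h.psk) < MIN_PSK_LEN:
                problems.append(f"{tag}: PSK shorter than {MIN_PSK_LEN} characters; "
                                "use a long random value")
        elif h.auth_method == "certificate":
            if not (h.pki_user and h.certificate):
                problems.append(f"{tag}: certificate authentication needs both a "
                                "PKI user and a local certificate")
        else:
            problems.append(f"{tag}: unknown authentication method {h.auth_method!r}")
    return problems


# Constructed sample plan for BGP per overlay (not a real deployment).
ROUTER_ID_SUBNET = "172.16.255.0/24"
PLAN_PER_OVERLAY = [
    ServiceConnection("Datacenter 1", "1.2.3.4", "192.168.10.253", 2,
                      psk="Vq7!pR2#kL9$wE4%zT6&bN1*mH8@"),
    ServiceConnection("Datacenter 2", "5.6.7.8", "192.168.20.253", 3,
                      auth_method="certificate", pki_user="mypeer",
                      certificate="Fortinet_Factory"),
]

if __name__ == "__main__":
    for p in validate_plan(PLAN_PER_OVERLAY, "per_overlay", ROUTER_ID_SUBNET) or ["plan passes"]:
        print(p)
```

Run it against the plan before creating the service connections; each reported problem maps to one of the field rules or notes above. For a BGP on loopback plan, call validate_plan with design "loopback", give every hub an advpn_route_tag, and pass the router ID subnet that the hubs' BGP peer addresses fall inside.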

To update the authentication method settings for a service connection:
  1. Go to Network > Secure Private Access.

  2. On the Service Connection tab, click Update Authentication Method.

  3. Select the Authentication Method and configure the corresponding parameter(s):

    • New Pre-shared Key when Pre-shared Key is selected.

    • PKI User and Certificate when Certificate is selected.

  4. Click OK. Once FortiSASE successfully updates the authentication method for the service connection, it notifies you with the message Authentication method updated successfully.