Fortinet black logo

Version:

23.1.17

Table of Contents

SPA with a FortiGate SD-WAN Deployment Guide

23.1.17
23.1.17
Download PDF
Copy Link

Deployment overview

Organizations with new or existing FortiGate SD-WAN deployments can provide their FortiSASE remote users with access to private resources.

Scenarios involving a FortiGate next generation firewall (NGFW) converted to a FortiSASE secure private access (SPA) hub or involving a FortiGate SD-WAN hub are use cases that allow broader and seamless access to both privately hosted TCP- and UDP-based applications.

For the FortiGate SD-WAN SPA use case, you must configure a new FortiGate SD-WAN deployment or have an existing FortiGate SD-WAN deployment already configured. You then configure FortiSASE to communicate with the FortiGate SD-WAN hub. After completing this configuration, the FortiSASE security points of presence (PoP) act as spokes to this hub, relying on IPsec VPN overlays and iBGP to secure and route traffic between PoPs and the networks behind the organization’s FortiGate SD-WAN hub-and-spoke network.

FortiGate SD-WAN network deployments are expected to conform to Fortinet’s best practices for SD-WAN architecture and deployment for the following topologies:

  • SD-WAN with a single datacenter/hub
  • SD-WAN with dual datacenters/hubs
  • SD-WAN with up to four datacenters/hubs

Fortinet’s best practices for SD-WAN deployments include using FortiManager to manage the FortiGate SD-WAN hub and spoke devices configuration.

Supporting this deployment does not require additional licensing on the FortiGate or FortiSASE side.

A typical topology for deploying this example design is as follows:

 

FortiSASE security points of presence and the organization’s FortiGate hubs form a traditional hub-and-spoke topology that supports the Fortinet autodiscovery VPN (ADVPN) configuration. ADVPN is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish dynamic, on-demand, direct tunnels, known as shortcut tunnels, between each other to avoid routing through the topology's hub device.

FortiSASE remote users may access private resources behind FortiGate hub(s) directly through FortiSASE to hub(s) IPsec tunnels. If a private resource is behind an organization’s spoke device, they may connect directly to that resource through an on-demand, direct, and dynamic ADVPN tunnel. Therefore, the SPA use cases with FortiGate hubs only allow traffic to be initiated from FortiSASE spokes to FortiGate spokes.

This deployment guide describes how to configure FortiSASE PoPs to act as spokes with a new or existing FortiGate SD-WAN hub-and-spoke network deployment. This guide covers the cases when the newly deployed or existing FortiGate SD-WAN network is managed using FortiManager according to Fortinet’s SD-WAN best practices. After performing subsequent FortiSASE configuration steps, FortiSASE remote users can privately access internal networks behind these deployments.

For the FortiGate next generation firewall (NGFW) SPA use case, you must first convert the NGFW to a standalone IPsec VPN hub. For deployment details for this use case, see the 4-D FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide (FortiOS 7.0.7+) instead of this guide.

Intended audience

Midlevel network and security administrators of FortiGate devices with SD-WAN configurations in companies of all sizes and verticals should find this guide helpful. A working knowledge of FortiOS, FortiGate, SD-WAN, and FortiManager configuration and the Fortinet Security Fabric is helpful.

About this guide

This deployment guide describes the steps involved in deploying a specific architecture for the FortiSASE SPA use case using a new or existing FortiGate SD-WAN network.

Readers should first evaluate their environment to determine whether the architecture outlined in this guide suits them. Reviewing the reference architecture guide(s), such as the FortiSASE Architecture Guide, is advisable if readers are still in the process of selecting the right architecture. See also the FortiSASE Concept Guide.

This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers must make design decisions to further configure their devices. Reviewing supplementary material found on the Fortinet Document Library in product administration guides, example guides, cookbooks, release notes, and other documents is recommended, where appropriate.

Deployment overview

Organizations with new or existing FortiGate SD-WAN deployments can provide their FortiSASE remote users with access to private resources.

Scenarios involving a FortiGate next generation firewall (NGFW) converted to a FortiSASE secure private access (SPA) hub or involving a FortiGate SD-WAN hub are use cases that allow broader and seamless access to both privately hosted TCP- and UDP-based applications.

For the FortiGate SD-WAN SPA use case, you must configure a new FortiGate SD-WAN deployment or have an existing FortiGate SD-WAN deployment already configured. You then configure FortiSASE to communicate with the FortiGate SD-WAN hub. After completing this configuration, the FortiSASE security points of presence (PoP) act as spokes to this hub, relying on IPsec VPN overlays and iBGP to secure and route traffic between PoPs and the networks behind the organization’s FortiGate SD-WAN hub-and-spoke network.

FortiGate SD-WAN network deployments are expected to conform to Fortinet’s best practices for SD-WAN architecture and deployment for the following topologies:

  • SD-WAN with a single datacenter/hub
  • SD-WAN with dual datacenters/hubs
  • SD-WAN with up to four datacenters/hubs

Fortinet’s best practices for SD-WAN deployments include using FortiManager to manage the FortiGate SD-WAN hub and spoke devices configuration.

Supporting this deployment does not require additional licensing on the FortiGate or FortiSASE side.

A typical topology for deploying this example design is as follows:

 

FortiSASE security points of presence and the organization’s FortiGate hubs form a traditional hub-and-spoke topology that supports the Fortinet autodiscovery VPN (ADVPN) configuration. ADVPN is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish dynamic, on-demand, direct tunnels, known as shortcut tunnels, between each other to avoid routing through the topology's hub device.

FortiSASE remote users may access private resources behind FortiGate hub(s) directly through FortiSASE to hub(s) IPsec tunnels. If a private resource is behind an organization’s spoke device, they may connect directly to that resource through an on-demand, direct, and dynamic ADVPN tunnel. Therefore, the SPA use cases with FortiGate hubs only allow traffic to be initiated from FortiSASE spokes to FortiGate spokes.

This deployment guide describes how to configure FortiSASE PoPs to act as spokes with a new or existing FortiGate SD-WAN hub-and-spoke network deployment. This guide covers the cases when the newly deployed or existing FortiGate SD-WAN network is managed using FortiManager according to Fortinet’s SD-WAN best practices. After performing subsequent FortiSASE configuration steps, FortiSASE remote users can privately access internal networks behind these deployments.

For the FortiGate next generation firewall (NGFW) SPA use case, you must first convert the NGFW to a standalone IPsec VPN hub. For deployment details for this use case, see the 4-D FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide (FortiOS 7.0.7+) instead of this guide.

Intended audience

Midlevel network and security administrators of FortiGate devices with SD-WAN configurations in companies of all sizes and verticals should find this guide helpful. A working knowledge of FortiOS, FortiGate, SD-WAN, and FortiManager configuration and the Fortinet Security Fabric is helpful.

About this guide

This deployment guide describes the steps involved in deploying a specific architecture for the FortiSASE SPA use case using a new or existing FortiGate SD-WAN network.

Readers should first evaluate their environment to determine whether the architecture outlined in this guide suits them. Reviewing the reference architecture guide(s), such as the FortiSASE Architecture Guide, is advisable if readers are still in the process of selecting the right architecture. See also the FortiSASE Concept Guide.

This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers must make design decisions to further configure their devices. Reviewing supplementary material found on the Fortinet Document Library in product administration guides, example guides, cookbooks, release notes, and other documents is recommended, where appropriate.