Version: 23.1.8
Deployment overview

Organizations with new or existing FortiGate SD-WAN deployments can provide their FortiSASE remote users with access to private resources.

Two SPA use cases allow broad, seamless access to privately hosted applications, both TCP- and UDP-based: a FortiGate next generation firewall (NGFW) converted to a FortiSASE secure private access (SPA) hub, and a FortiGate SD-WAN hub.

For the FortiGate SD-WAN SPA use case, you must configure a new FortiGate SD-WAN deployment or have an existing FortiGate SD-WAN deployment already configured. You then configure FortiSASE to communicate with the FortiGate SD-WAN hub. After completing this configuration, the FortiSASE security points of presence (PoPs) act as spokes to this hub, relying on IPsec VPN overlays and iBGP to secure and route traffic between the PoPs and the networks behind the organization’s FortiGate SD-WAN hub-and-spoke network.

FortiGate SD-WAN network deployments are expected to conform to Fortinet’s best practices for SD-WAN architecture and deployment for the following topologies:

  • SD-WAN with a single datacenter/hub
  • SD-WAN with dual datacenters/hubs

Fortinet’s best practices for SD-WAN deployments include using FortiManager to manage the configuration of the FortiGate SD-WAN hub and spoke devices.

Supporting this deployment does not require additional licensing on the FortiGate or FortiSASE side.

A typical topology for deploying this example design is as follows:

This deployment guide describes how to configure FortiSASE PoPs to act as spokes in a new or existing FortiGate SD-WAN hub-and-spoke network deployment. It covers the case in which the newly deployed or existing FortiGate SD-WAN network is managed using FortiManager according to Fortinet’s SD-WAN best practices. After performing the subsequent FortiSASE configuration steps, FortiSASE remote users can privately access the internal networks behind these deployments.

Intended audience

Midlevel network and security administrators of FortiGate devices with SD-WAN configurations in companies of all sizes and verticals should find this guide helpful. A working knowledge of FortiOS, FortiGate, SD-WAN, and FortiManager configuration and the Fortinet Security Fabric is helpful.

About this guide

This deployment guide describes the steps involved in deploying a specific architecture for the FortiSASE SPA use case using a new or existing FortiGate SD-WAN network.

Readers should first evaluate their environment to determine whether the architecture outlined in this guide suits them. Reviewing the reference architecture guide(s), such as the FortiSASE Architecture Guide, is advisable if readers are still in the process of selecting the right architecture. See also the FortiSASE Concept Guide.

This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers must make design decisions to further configure their devices. Reviewing supplementary material found on the Fortinet Document Library in product administration guides, example guides, cookbooks, release notes, and other documents is recommended, where appropriate.
