Version: 23.3.0

Introduction

FortiCloud Overlay-as-a-Service (OaaS) is a service for FortiGate devices to easily provision new SD-WAN overlay networks from FortiCloud. OaaS is a subscription service providing an easy-to-use GUI wizard that simplifies the process of configuring an SD-WAN overlay within a single region. OaaS supports FortiGate devices running FortiOS 7.4.1 and later.

Currently, OaaS supports a geo-redundant, dual hub architecture where the SD-WAN overlay hub is powered by FortiOS and managed by FortiCloud, and your branch FortiGates and datacenter FortiGates are configured as spokes within this overlay.

  • OaaS and the spokes rely on Fortinet Inc.’s Auto-Discovery VPN (ADVPN), which allows the central hub to dynamically inform spokes about a better path for traffic between two spokes.

  • ADVPN shortcut tunnels, also known as shortcuts, are formed between spokes, such as between branches and the datacenter or between branches themselves, so that traffic does not need to pass through the hub.

Note

For successful setup of ADVPN tunnels, the spokes’ ISPs must allow traffic over UDP port 500 and UDP port 4500 for NAT traversal (NAT-T).

Essentially, the OaaS hub acts as a bridge to allow overlay shortcuts to be formed between your spokes.

Note

OaaS requires a license for each spoke, either as a FortiGate VM or a hardware FortiGate device.

Note

OaaS only supports FortiGate devices running FortiOS 7.4.1 and later.

Note

OaaS is the official replacement for OCVPN. Migration of deployments from OCVPN to OaaS is beyond the scope of this deployment guide. See the SD-WAN Overlay Migration from OCVPN to OaaS Deployment Guide.

This document covers the step-by-step procedures required to use OaaS to deploy the Fortinet Secure SD-WAN solution to a single SD-WAN region and configure a geo-redundant, dual hub architecture.

The architecture, components, and technology referenced in this document are covered in the Single datacenter (active-passive gateway) section of the SD-WAN Architecture for Enterprise guide.

For additional information and documentation about the topics covered in this document, please see the Fortinet Document Library at https://docs.fortinet.com.

This section contains the following topics:
