In FortiOS 7.2.4 and earlier, FortiOS supports Overlay Controller VPN (OCVPN), which is a cloud based solution to simplify IPsec VPN setup. When OCVPN is enabled, IPsec phase1-interfaces, phase2-interfaces, static routes, and firewall policies are generated automatically on all FortiGates that belong to the same community network. A community network is defined as all FortiGates registered to FortiCare using the same FortiCare account.
FortiCloud Overlay-as-a-Service (OaaS) is a service for FortiGate devices to easily provision new SD-WAN overlay networks from FortiCloud. OaaS is a subscription service providing an easy-to-use GUI wizard that simplifies the process of configuring an SD-WAN overlay within a single region. OaaS supports FortiGate devices running FortiOS 7.4.1 and later.
Currently, OaaS supports a geo-redundant, dual hub architecture where the SD-WAN overlay hub is powered by FortiOS and managed by FortiCloud, and your branch FortiGates and datacenter FortiGates are configured as spokes within this overlay.
OaaS and the spokes rely on Fortinet Inc.’s Auto-Discovery VPN (ADVPN), which allows the central hub to dynamically inform spokes about a better path for traffic between two spokes.
ADVPN shortcut tunnels, also known as just shortcuts, are formed between spokes, such as between branches and the datacenter, or between branches themselves so that traffic does not need to pass through the hub.
Essentially, the OaaS hub acts as a bridge to allow overlay shortcuts to be formed between your spokes.
OaaS requires a license for each spoke, either as a FortiGate VM or a hardware FortiGate device.
OaaS only supports FortiGate devices running FortiOS 7.4.1 and later.
This document provides a deployment example of Fortinet Inc.’s Secure SD-WAN solution covering the migration of an existing hub-spoke SD-WAN with ADVPN shortcut solution orchestrated using OCVPN to the geo-redundant, dual hub architecture for a single SD-WAN region orchestrated using OaaS.
Using a similar scenario and topology example from the Single datacenter (active-passive gateway) section of the SD-WAN Architecture for Enterprise guide, we will walk through deploying the core components by providing configuration examples to help you migrate from OCVPN to OaaS for a hub-spoke ADVPN shortcut SD-WAN overlay solution.
The goal is to pivot from reliance on the OCVPN cloud portal and OCVPN-generated configuration on the FortiGate devices to using the FortiCloud OaaS cloud portal and an OaaS topology to generate SD-WAN overlay configuration on these devices. We will focus on the services located within on-premise datacenters and on providing users working in regional branches or offices with access to those services.
This guide is primarily created for a technical audience, including system architects and design engineers, who want to deploy Fortinet Inc. Secure SD-WAN in brownfield, or existing scenarios where the existing solution has been orchestrated using OCVPN.
For implementation, a working knowledge of FortiOS networking and policy configuration is ideal.
This guide provides the design and steps for deploying a specific architecture. Readers should first evaluate their environment to determine whether the architecture and design outlined in this guide suits them. It is advised to review the Single datacenter (active-passive gateway) section of the SD-WAN Architecture for Enterprise guide if readers are still in the process of selecting the right architecture. This guide is part of the 4-D documentation series.