Add Fabric Overlay Orchestrator for SD-WAN overlay configurations 7.2.4
This information is also available in the FortiOS 7.2 Administration Guide.
The Fabric Overlay Orchestrator feature is an easy-to-use GUI wizard that simplifies the process of configuring a self-orchestrated SD-WAN overlay within a single Security Fabric. This feature is self-orchestrated since no additional tool or device, aside from the FortiGates themselves, is required to orchestrate this configuration. An SD-WAN overlay configuration consists of IPsec and BGP configuration settings.
Currently, the Fabric Overlay Orchestrator supports a single hub architecture and builds upon an existing Security Fabric configuration. This feature configures the root FortiGate as the SD-WAN overlay hub and the downstream first-level FortiGates as the spokes.
After configuring the Fabric Overlay, you can complete the SD-WAN deployment by configuring SD-WAN rules.
If you cannot see the VPN > Fabric Overlay Orchestrator tree menu, configure the FortiGate as a root or a downstream device in the Security Fabric. See Configuring the root FortiGate and downstream FortiGates in the FortiOS Administration Guide for more details.
The Fabric Overlay Orchestrator does not work when VDOM mode is enabled.
Prerequisites
Create a single Fortinet Security Fabric with the following components:
- A root FortiGate and one or more downstream FortiGates, all running FortiOS 7.2.4 or later
- A FortiAnalyzer, or cloud logging using FortiAnalyzer Cloud or FortiGate Cloud
  - For FortiGate Cloud, all downstream devices must belong to the same FortiCloud account
For more information about configuring these components, see Configuring the root FortiGate and downstream FortiGates, Configuring FortiAnalyzer, and Configuring cloud logging in the FortiOS Administration Guide.
Network topology
The Fabric Overlay Orchestrator supports configuring an overlay for the following hub and spoke topology using ADVPN and a single hub.
This topology corresponds to the single datacenter (active-passive gateway) design using the IPsec overlay design of one-to-one overlay mapping per underlay. For more details on these topics, see the SD-WAN Architectures for Enterprise guide.
In this topology, the datacenter FortiGate (the Security Fabric root FortiGate) is the hub, and the branch FortiGates (the Security Fabric downstream FortiGates) are the spokes. Each FortiGate has its own distinct LAN subnet and a loopback interface (lb1) with an IP address in the 10.20.1.0/24 subnet.
The Fabric Overlay Orchestrator creates the loopback interfaces to act as health check servers: they are always up and are reachable by adjacent Fabric devices over the overlay. When the policy creation option on the hub is set to either Automatic or Health check, the orchestrator configures performance SLAs from the hub to the health check servers at 10.20.1.2 and 10.20.1.3, corresponding to the spoke 1 and spoke 2 FortiGates respectively. Likewise, when the orchestrator runs on each spoke, it creates a performance SLA to the hub using the hub's loopback address, 10.20.1.1.
Instead of the loopbacks, business-critical applications or resources on the LAN behind each device can also be used as the health check servers for the performance SLAs.
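The following FortiOS CLI is an added example, not configuration generated by the Fabric Overlay Orchestrator or taken from this page. It shows a manual, spoke-side equivalent of the health check described above: the lb1 loopback with the spoke 1 address, and a performance SLA in config system sdwan that probes the hub's loopback 10.20.1.1 over two overlay members. The loopback addresses are the ones from the topology; the member interface names (HUB1-VPN1, HUB1-VPN2), the zone name "overlay", and the SLA thresholds are assumptions for illustration.

```fortios
# Added example, not the orchestrator's generated config. Spoke 1 side.
# Interface names HUB1-VPN1/HUB1-VPN2, zone "overlay" and the SLA thresholds
# are assumptions; 10.20.1.1 (hub) and 10.20.1.2 (spoke 1) are from the topology.
config system interface
    edit "lb1"
        set vdom "root"
        set type loopback
        set ip 10.20.1.2 255.255.255.255
        # Only ICMP is needed for the health check; do not expose admin services here.
        set allowaccess ping
    next
end
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "HUB1-VPN1"
            set zone "overlay"
            # Source the probes from lb1 so the hub can match them with a single /32 policy.
            set source 10.20.1.2
        next
        edit 2
            set interface "HUB1-VPN2"
            set zone "overlay"
            set source 10.20.1.2
        next
    end
    config health-check
        edit "HUB"
            # The hub loopback is always up, so a failure here means the path failed,
            # not the server.
            set server "10.20.1.1"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
end
```

On the spoke, `diagnose sys sdwan health-check status HUB` shows per-member latency, jitter and packet loss and whether each member currently meets the SLA; `get router info bgp summary` and `diagnose vpn ike gateway list` confirm the BGP neighbour and the tunnels the probes depend on. The hub side needs a firewall policy that accepts these probes into its own lb1, which is what the Health check policy creation option is for.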
Using the Fabric Overlay Orchestrator
The following steps should be used to configure a self-orchestrated SD-WAN overlay within a single Security Fabric. These steps must be followed in order, and assume that the prerequisites and network topology are in place.
1. Configure the root FortiGate using the Fabric Overlay Orchestrator.
2. Configure one or more downstream FortiGates using the Fabric Overlay Orchestrator.
3. Configure an overlay on the spoke for an additional incoming interface on the hub (if applicable).
4. Verify the firewall policies on the hub FortiGate.
5. Verify the Fabric Overlay created by the Fabric Overlay Orchestrator:
   - Verify the IPsec VPN tunnels on the hub FortiGate.
   - Verify BGP routing on the hub FortiGate.
   - Verify the performance SLAs on the hub FortiGate.
   - Verify the firewall policies on a spoke FortiGate.
   - Verify the IPsec VPN tunnels on a spoke FortiGate.
   - Verify BGP routing on a spoke FortiGate.
   - Verify the performance SLAs on a spoke FortiGate.
   - Verify the spoke-to-spoke ADVPN communication.
6. Configure SD-WAN rules on the hub FortiGate.
7. Configure SD-WAN rules on the spoke FortiGates.
When configuring the root and downstream FortiGates, the Fabric Overlay Orchestrator configures the following settings in the background:
- IPsec overlay configuration (hub and spoke ADVPN tunnels)
- BGP configuration
- Policy routing
- SD-WAN zones
- SD-WAN performance SLAs
The FortiGate’s role in the SD-WAN overlay is automatically determined by its role in the Security Fabric. The Fabric root will be the hub, and any first-level downstream devices from the Fabric root will be spokes.
After running the Fabric Overlay Orchestrator on all FortiGates and verifying the overlay settings, complete the SD-WAN deployment by performing step 3 (if applicable) and steps 6 and 7. See SD-WAN rules in the FortiOS Administration Guide for more information.
For a detailed example configuration, see Using the Fabric Overlay Orchestrator in the FortiOS Administration Guide.
Creating firewall policies
The Fabric Overlay Orchestrator can create firewall policies that allow all traffic through the SD-WAN overlay, or policies that allow only the health check traffic through it. When the Fabric Overlay Orchestrator is enabled on the root FortiGate, there are three Policy creation options:
- Automatic: automatically create policies for the loopback interface and the tunnel overlays.
- Health check: automatically create a policy for the loopback interface only, so that the SD-WAN health checks work.
- Manual: no policies are created automatically.
The Automatic policy creation option creates wildcard allow policies for the tunnel overlays. In some deployments these policies are not granular enough to restrict overlay traffic to specific subnets or hosts, and tighter policies must be written manually.
Once the Fabric Overlay Orchestrator has been configured on a device, changing the policy creation option creates new policies according to the new option but does not delete the policies created earlier. Existing policies must be deleted manually.
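The following FortiOS CLI is an added example for the hub, not policy created by the Fabric Overlay Orchestrator or taken from this page. It places a wildcard overlay policy of the shape the Automatic option produces (any source to any destination between overlay members) beside a least-privilege replacement that only admits the spokes' health check probes to the hub loopback and branch-to-branch traffic between named LAN subnets and services. It then removes the wildcard policy explicitly, because changing the policy creation option never deletes what was created before. The hub and spoke loopback addresses are from the topology above; the zone name "overlay", the policy IDs, the address objects and the branch subnets are assumptions.

```fortios
# Added example, not the orchestrator's generated policy. Hub side.
# Zone "overlay", policy IDs, address objects and branch subnets are assumptions;
# 10.20.1.0/24 and the hub loopback 10.20.1.1 are from the topology.

# --- Before: wildcard allow between overlay members (Automatic-style policy) ---
config firewall policy
    edit 10
        set name "overlay-any-any"
        set srcintf "overlay"
        set dstintf "overlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# --- After: explicit objects and least-privilege policies ---
config firewall address
    edit "lb-hub"
        set subnet 10.20.1.1 255.255.255.255
    next
    edit "lb-spokes"
        set subnet 10.20.1.0 255.255.255.0
    next
    edit "branch1-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "branch2-lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    # Health check probes from the spoke loopbacks to the hub loopback: the only
    # traffic the Health check option needs for the SD-WAN SLAs to work.
    edit 11
        set name "overlay-healthcheck-in"
        set srcintf "overlay"
        set dstintf "lb1"
        set srcaddr "lb-spokes"
        set dstaddr "lb-hub"
        set action accept
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
    # Branch-to-branch traffic relayed by the hub until the ADVPN shortcut is up,
    # limited to the branch LAN subnets and to the services actually required.
    edit 12
        set name "overlay-branch-to-branch"
        set srcintf "overlay"
        set dstintf "overlay"
        set srcaddr "branch1-lan" "branch2-lan"
        set dstaddr "branch1-lan" "branch2-lan"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"
        set logtraffic all
    next
end
# Changing the policy creation option does not remove policy 10; delete it
# explicitly once the restricted policies are in place.
config firewall policy
    delete 10
end
```

Delete the wildcard policy only after the restricted policies exist and the SLA on each spoke still reports its members in SLA, otherwise the health checks fail and the overlay is marked down. `show firewall policy` on the hub after the change should list only the restricted policies for the overlay zone.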