
Preparing the FortiGate SD-WAN devices

Complete the following tasks to prepare your FortiGate devices to be used by OaaS as site or spoke devices in the SD-WAN network:

  1. Register the FortiGate devices with FortiCloud, and activate the FortiGate devices with FortiGate Cloud. See Registering with FortiCloud and activating with FortiGate Cloud.

  2. Configure each FortiGate with a WAN IP address and a default gateway IP address for accessing the Internet. See Configuring the FortiGate.

Registering with FortiCloud and activating with FortiGate Cloud

The FortiGate devices must be registered with FortiCloud and activated with FortiGate Cloud.

This step is required because OaaS uses the FortiCloud management tunnel to the FortiGates both to retrieve their interface information and to install the configuration settings that OaaS orchestrates.

Typically, for FortiGate devices already registered with FortiCloud, you can activate them on the FortiGate GUI.

To activate a FortiGate that is already registered with FortiCloud, on the FortiGate GUI:

  1. Go to Dashboard > Status.

  2. In the FortiGate Cloud widget, click Not Activated > Activate.

  3. Enter the password for the account that was used to register the FortiGate.

  4. Click OK.

    The FortiGate Cloud widget now shows the activated FortiCloud account.

For details on registering products, see Registering assets in the FortiCloud Asset Management Guide.

For details on activating the FortiGate with FortiGate Cloud, see FortiCare and FortiGate Cloud login in the FortiOS Administration Guide.

Configuring the FortiGate

The FortiGate must be configured with a WAN IP address and default gateway for accessing the Internet. See Basic configuration in the FortiOS Administration Guide.

The local interface IP address for the local subnet must be configured as well. See Interface settings in the FortiOS Administration Guide.

OaaS has specific requirements for the FortiGate configuration prior to orchestration:

  • WAN and LAN ports must not be in any predefined zone and must not be a member of any other SD-WAN zone. See Zone in the FortiOS Administration Guide.

  • WAN and LAN ports must not be bound to any existing firewall policies. See Firewall Policy in the FortiOS Administration Guide.

  • For the direct or indirect local subnet port configured in OaaS, do not use a switch or aggregate interface member port. See Software switch, Hardware switch, and Aggregation and redundancy in the FortiOS Administration Guide.

These requirements apply because OaaS retrieves the interface configuration from each FortiGate and displays it in the OaaS portal for overlay configuration.

Caution

Deleting the firewall policies for WAN and LAN ports disrupts all user traffic on your network, including outgoing Internet access and incoming server access, and should not be performed on FortiGate devices in production environments.

Ensure you have scheduled a maintenance window and have performed a FortiGate configuration backup before removing any firewall policies. See Configuration Backups in the FortiOS Administration Guide.

After the configuration settings orchestrated by OaaS have been installed, you must selectively restore the firewall policies for the WAN ports and recreate the firewall policies for the LAN ports using oaas_lan_zone instead of the LAN ports themselves, so that all user traffic on your network is restored.
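The three requirements above and the caution about LAN policies are easy to miss when a FortiGate has a long history of zones, switches and policies. The following script is an added example, not Fortinet's code and not part of this guide: it parses FortiOS `config`/`edit`/`set`/`next`/`end` text and reports every WAN or LAN port that is still in a firewall zone or SD-WAN zone, still bound to a firewall policy, or still a member port of an aggregate, redundant link or hardware switch. The configuration excerpt, the port names and the addresses are constructed for the example; only the FortiOS table names (`system interface`, `system zone`, `system sdwan`, `firewall policy`, `system virtual-switch`) are real. Software-switch membership (`system switch-interface`) is not checked.

```python
import shlex

# Constructed FortiOS configuration excerpt (not taken from any real device). It
# breaks every OaaS requirement on purpose: port3 is in a zone and in a policy,
# wan1 is an SD-WAN member and in a policy, port4 is an aggregate member port.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
    next
    edit "agg1"
        set type aggregate
        set member "port4" "port5"
    next
end
config system zone
    edit "internal"
        set interface "port3"
    next
end
config system sdwan
    config members
        edit 1
            set interface "wan1"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "wan1"
        set action accept
    next
end
"""

def _node():
    return {"set": {}, "children": {}}

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dict nodes. A table
    node's children are its entries; an entry node's children are its sub-tables.
    node["set"] maps each attribute to its list of values."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):  # open a table ("system zone") or an entry
            key = " ".join(args) if cmd == "config" else args[0]
            stack.append(stack[-1]["children"].setdefault(key, _node()))
        elif cmd == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif cmd in ("next", "end"):  # close the current entry or table
            stack.pop()
    return root

def entries(node, *path):
    """Children dict reached by a path such as ("system sdwan", "members"), or {}."""
    for name in path:
        node = node["children"].get(name)
        if node is None:
            return {}
    return node["children"]

def check_oaas_prereqs(cfg, wan_ports, lan_ports):
    """One finding per violation of the three pre-orchestration requirements."""
    ports = set(wan_ports) | set(lan_ports)
    findings = []
    # 1. Not in a firewall zone, and not an SD-WAN member (default zone: virtual-wan-link).
    for zname, zone in entries(cfg, "system zone").items():
        for m in sorted(set(zone["set"].get("interface", [])) & ports):
            findings.append(f"{m}: member of zone '{zname}'")
    for mid, member in entries(cfg, "system sdwan", "members").items():
        intf = member["set"].get("interface", [""])[0]
        if intf in ports:
            zone = member["set"].get("zone", ["virtual-wan-link"])[0]
            findings.append(f"{intf}: SD-WAN member {mid} in zone '{zone}'")
    # 2. Not bound to any firewall policy as source or destination interface.
    for pid, pol in entries(cfg, "firewall policy").items():
        refs = set(pol["set"].get("srcintf", [])) | set(pol["set"].get("dstintf", []))
        for m in sorted(refs & ports):
            findings.append(f"{m}: referenced by firewall policy {pid}")
    # 3. Not a member port of an aggregate/redundant link or a hardware switch.
    for iname, iface in entries(cfg, "system interface").items():
        for m in sorted(set(iface["set"].get("member", [])) & ports):
            findings.append(f"{m}: member of {iface['set'].get('type', ['?'])[0]} '{iname}'")
    for vname, vsw in entries(cfg, "system virtual-switch").items():
        for m in sorted(set(entries(vsw, "port")) & ports):
            findings.append(f"{m}: port of hardware switch '{vname}'")
    return findings

if __name__ == "__main__":
    for finding in check_oaas_prereqs(parse_fortios(SAMPLE_CONFIG), ["wan1"], ["port3", "port4"]):
        print(finding)
```

Run it against the configuration backup taken before any policies are removed; a device that meets the requirements returns an empty list. After OaaS has installed its settings, a second run with only the LAN ports is useful too: the firewall-policy findings from that run show which policies still name the LAN ports directly instead of oaas_lan_zone.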