7.2.0

Verifying firewall policies on a spoke

Different policies are created on the spoke FortiGates based on the hub's Policy creation setting in the Fabric Overlay Orchestrator configuration (Automatic, Health check, or Manual). The Automatic setting is used in this example.

To verify the firewall policies on a spoke:
  1. Go to Policy & Objects > Firewall Policy.

  2. Verify that wildcard firewall policies have been configured.

Note

The Automatic policy creation option creates wildcard allow policies for the tunnel overlays. In some cases, these policies do not provide the granularity needed to restrict overlay traffic to specific subnets or hosts.

If the hub's Policy creation setting is Health check, a single firewall policy that allows health check traffic to the spoke's loopback should be configured on the spoke FortiGates.

If the hub's Policy creation setting is Manual, there should be no new policies created by the Fabric Overlay Orchestrator. If desired, firewall policies must be manually configured on the spoke FortiGates to allow traffic to the loopback interface for health checks and the overlays.
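The wildcard policies noted above are easy to spot in the GUI on one spoke, but across many spokes an audit of the exported CLI configuration is more reliable. The following added Python script (not part of this documentation or of FortiOS) parses a `config firewall policy` block in FortiOS CLI export format and flags accept policies that match any source, any destination and any service; the interface and address-object names in the embedded sample are constructed assumptions, not names generated by the Fabric Overlay Orchestrator.

```python
import re

# Constructed sample in FortiOS CLI export format. Interface and address names
# ("overlay-tunnel", "Loopback0", "Loopback0-addr") are assumptions for this
# example only; policy 1 is a wildcard overlay policy, policy 2 is a scoped
# health-check policy toward the spoke's loopback.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "overlay-any"
        set srcintf "overlay-tunnel"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 2
        set name "hc-to-loopback"
        set srcintf "overlay-tunnel"
        set dstintf "Loopback0"
        set srcaddr "all"
        set dstaddr "Loopback0-addr"
        set action accept
        set service "PING"
    next
end
"""


def parse_policies(config_text):
    """Return one dict per 'edit' entry inside 'config firewall policy'."""
    policies, current, in_block = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = {"id": line.split(None, 1)[1].strip('"')}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            # Values are space-separated and may be quoted; keep them as a list.
            current[key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', value)]
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif line == "end":
            break
    return policies


def wildcard_policies(policies):
    """IDs of accept policies with srcaddr all, dstaddr all and service ALL."""
    return [p["id"] for p in policies
            if p.get("action") == ["accept"]
            and p.get("srcaddr") == ["all"] and p.get("dstaddr") == ["all"]
            and p.get("service") == ["ALL"]]
```

Policy 2 is not flagged because its destination is limited to the loopback address object and its service to PING, which is the shape of the single health-check policy described above.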
