Fortinet recommended default IPSec and BGP templates for SD-WAN overlay setup 7.0.3
FortiManager 7.0.3 introduces new default BGP and IPsec templates with recommendations that are designed to help you configure SD-WAN overlays in a hub and spoke topology. The templates are based on Fortinet's best practice recommendations.
Overlays generally consist of a VPN portion and a dynamic routing portion. IPsec templates configure the network connectivity, while BGP templates configure the dynamic routing between all locations. The hub acts as a dialup server that accepts connections from dialup clients (SD-WAN branch devices). The hub uses the mode-cfg option to automatically assign IP addresses from the user-defined network space to connecting branch devices. The BGP neighbor configuration and neighbor range automatically accept BGP connections from the IP range configured with the mode-cfg option.
Each overlay network requires its own unique network space and network-id, defined in the IPsec template. The last two IP addresses of the network space should be reserved: one for the hub's IP address in the network and one for administrative use. For example, in a 10.10.10.0/24 overlay network:
- Spokes utilize 10.10.10.1 - 10.10.10.252
- Hub reserves 10.10.10.253
- Last usable is reserved for the remote IP section of the hub's interface: 10.10.10.254
Keep these guidelines in mind when configuring templates for SD-WAN overlays.
In the FortiManager GUI, you can access the new templates by going to Device Manager > Provisioning Templates. You must activate the templates before you can use them. Once activated, a popup pane is displayed, prompting you to enter details specific to your environment. Although the templates are designed for branch and hub devices, you can modify the templates as necessary after you create them.
This topic contains the following sections:
- Using recommended BGP templates
- Using recommended IPsec templates
Using recommended BGP templates
FortiManager includes the following recommended BGP templates to help you configure SD-WAN overlays:

| Template Name | Description |
|---|---|
| BRANCH_BGP_Recommended | Fortinet's recommended BGP template for branch device configurations. |
| HUB_BGP_Recommended | Fortinet's recommended BGP template for hub device configurations. |
You must activate the recommended templates to use them. After you create a BGP template for your environment, you can edit, delete, or clone the BGP template.
Meta fields can be used with a recommended template's required fields to ensure that fields are unique when the template is assigned to multiple devices.
This section describes how to:
- Activate and create a BGP hub template by using the HUB_BGP_Recommended template. See Activating and creating a hub BGP template.
- Activate and create a BGP branch template by using the BRANCH_BGP_Recommended template. See Activating and creating a branch BGP template.
Activating and creating a hub BGP template
This section describes how to activate and create a BGP template for a hub device. The HUB_BGP_Recommended template guides you to complete the required settings for your environment.
To activate and create a recommended BGP hub template:
- Go to Device Manager > Provisioning Templates > BGP Templates.
The following recommended BGP templates are available:
- HUB_BGP_Recommended
- BRANCH_BGP_Recommended
- Right-click the HUB_BGP_Recommended template, and select Activate.
The Activate HUB_BGP_Recommended pane is displayed.
- Complete the options, and click OK to create the template.
| Option | Description |
|---|---|
| Template Name | Enter a name for the template. |
| Enable ADVPN | Optionally, toggle this setting to enable Auto Discovery VPN (ADVPN). |
| Local AS | Enter the local autonomous system (AS) number. |
| Router ID | Enter the router ID. The router ID is the unique IP address used to identify the hub device. |
| Neighbor | Enter the neighbor IP and Remote AS. The neighbor IP is the IP address used while peering as a neighbor. |
| Neighbor Group | Enter the neighbor group's Remote AS. |
| Neighbor Range | Enter the neighbor range Prefix. This is the network range that branch devices use to connect to the hub. |
| Networks | Enter the networks Prefix. |
The following example uses meta fields in combination with the template.
Activating and creating a branch BGP template
This section describes how to activate and create a BGP template for a branch device. The BRANCH_BGP_Recommended template guides you to complete the required settings for your environment.
To activate and create a branch BGP template:
- Go to Device Manager > Provisioning Templates > BGP Templates.
The following recommended BGP templates are available:
- HUB_BGP_Recommended
- BRANCH_BGP_Recommended
- Right-click the BRANCH_BGP_Recommended template, and select Activate.
- Complete the options, and click OK to create the template.
| Option | Description |
|---|---|
| Template Name | Enter a name for the template. |
| Enable ADVPN | Optionally, toggle this setting to enable Auto Discovery VPN (ADVPN). |
| Local AS | Enter the branch's local autonomous system (AS) number. |
| Router ID | Enter the router ID. The router ID is the unique IP address used to identify the branch device. |
| Neighbor | Enter the neighbor IP and Remote AS. |
| Networks | Enter the networks Prefix. |
The following example uses meta fields in combination with the template.
Using recommended IPsec templates
FortiManager includes the following recommended IPsec templates to help you configure SD-WAN overlays:
| Template Name | Description |
|---|---|
| HUB_IPSec_Recommended | Fortinet's recommended template for hub IPsec tunnels. |
| Branch_IPSec_Recommended | Fortinet's recommended template for IPsec branch device configurations. |
| IPSec_Fortinet_Recommended | Fortinet's recommended template for IPsec configurations. This template is not used for SD-WAN configuration. |
Recommended IPsec templates come preconfigured with best practice recommendations for use within your environment. These templates can be used to simplify deployment of SD-WAN interconnected sites.
You must activate the recommended templates to use them. After you create an IPsec template for your environment, you can edit, delete, or clone the template.
Meta fields can be used with a recommended template's required fields to ensure that fields are unique when the template is assigned to multiple devices.
This section describes how to:
- Activate and create an IPsec branch template by using the Branch_IPSec_Recommended template. See Activating and creating a branch IPsec template.
- Activate and create an IPsec hub template by using the HUB_IPSec_Recommended template. See Activating and creating a hub IPsec template.
Activating and creating a branch IPsec template
This section describes how to activate and create an IPsec template for a branch device. The Branch_IPSec_Recommended template guides you to complete the required settings for your environment.
To activate and create a branch IPsec template:
- Go to Device Manager > Provisioning Templates > IPsec Tunnel Templates.
The following recommended IPsec templates are available:
- Branch_IPSec_Recommended
- HUB_IPSec_Recommended
- IPSec_Fortinet_Recommended
- Right-click the Branch_IPSec_Recommended template, and click Activate.
A pane is displayed where you can enter details specific to your environment.
- Complete the options, and click OK to create the template.
| Option | Description |
|---|---|
| Template Name | Enter a name for the template. |
| Enable ADVPN | Optionally, toggle this setting to enable Auto Discovery VPN (ADVPN). |
| Outgoing Interface | Enter the outgoing interface. This is the physical port from which the tunnel connection is initiated. |
| Local ID | Enter a Local ID. This is used to identify devices connecting to the hub. |
| Remote Gateway | Enter the remote gateway. |
| Pre-shared Key | Enter the pre-shared key. |

The following example uses meta fields in combination with the template.
A new template is created based on the recommended template you selected and the configuration details provided.
Activating and creating a hub IPsec template
This section describes how to activate and create an IPsec template for a hub device. The HUB_IPSec_Recommended template guides you to complete the required settings for your environment.
To activate and create a hub IPsec template:
- Go to Device Manager > Provisioning Templates > IPsec Tunnel Templates.
The following recommended IPsec templates are available:
- Branch_IPSec_Recommended
- HUB_IPSec_Recommended
- IPSec_Fortinet_Recommended
- Right-click the HUB_IPSec_Recommended template, and click Activate.
A dialog will appear where you can enter configuration details specific to your environment.
- Complete the options, and click OK.
| Option | Description |
|---|---|
| Template Name | Enter a name for the template. |
| Enable ADVPN | Optionally, toggle this setting to enable Auto Discovery VPN (ADVPN). |
| Outgoing Interface | Enter the outgoing interface. This is the physical port on which the branch devices connect to the hub. |
| IPv4 Start IP | Enter the first usable IP address in the range. |
| IPv4 End IP | Enter the last usable IP address in the range. |
| IPv4 Netmask | Enter the IPv4 netmask. |
| Pre-shared Key | Enter the pre-shared key. |

The following example uses meta fields in combination with the template.
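The overlay addressing guideline at the top of this topic (spokes use the low addresses, the hub takes the second-to-last, the last is the remote IP of the hub's interface) and the hub template fields above (IPv4 Start IP, IPv4 End IP, IPv4 Netmask in the IPsec template; Neighbor Range prefix in the BGP template) describe the same values from two directions. The script below is an added planning example, not FortiManager code or a Fortinet tool: it derives the per-overlay values from an overlay prefix, checks that several overlays do not overlap and do not reuse a network-id, and confirms that the BGP neighbor range prefix actually covers the mode-cfg address range the hub will hand out. Overlay prefixes other than the page's 10.10.10.0/24 are constructed sample input; the field-name mapping in `hub_template_fields` is this example's assumption about which template option each value belongs to.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OverlayPlan:
    """Addresses derived from one overlay's network space, following the page's reservation rule."""

    network: ipaddress.IPv4Network
    network_id: int                         # must be unique per overlay (IPsec template network-id)
    spoke_start: ipaddress.IPv4Address      # first address handed out by mode-cfg (IPv4 Start IP)
    spoke_end: ipaddress.IPv4Address        # last address handed out by mode-cfg (IPv4 End IP)
    hub_ip: ipaddress.IPv4Address           # second-to-last usable: the hub's IP in the overlay
    hub_remote_ip: ipaddress.IPv4Address    # last usable: remote IP on the hub's tunnel interface


def plan_overlay(prefix: str, network_id: int) -> OverlayPlan:
    """Split an overlay prefix into spoke range, hub IP and hub remote IP.

    For 10.10.10.0/24 this yields spokes .1-.252, hub .253, remote IP .254,
    exactly the split the page gives as its example.
    """
    net = ipaddress.IPv4Network(prefix, strict=True)   # strict: reject host bits set in the prefix
    if net.prefixlen > 29:
        # A /30 has only two usable hosts; we need at least one spoke plus the two reserved addresses.
        raise ValueError(f"{net} is too small for spokes plus two reserved addresses")
    hosts = list(net.hosts())                           # usable host addresses, ascending
    return OverlayPlan(net, network_id, hosts[0], hosts[-3], hosts[-2], hosts[-1])


def hub_template_fields(plan: OverlayPlan) -> dict[str, str]:
    """Values to enter in the hub templates (field-name mapping is this example's assumption)."""
    return {
        "IPv4 Start IP": str(plan.spoke_start),          # HUB_IPSec_Recommended
        "IPv4 End IP": str(plan.spoke_end),              # HUB_IPSec_Recommended
        "IPv4 Netmask": str(plan.network.netmask),       # HUB_IPSec_Recommended
        "Neighbor Range Prefix": str(plan.network),      # HUB_BGP_Recommended
        "network-id": str(plan.network_id),              # HUB_IPSec_Recommended
    }


def bgp_neighbor_range_covers(plan: OverlayPlan, neighbor_range_prefix: str) -> bool:
    """True when the BGP neighbor range prefix contains the whole mode-cfg range.

    If it does not, spokes that receive an address outside the prefix will bring up
    the tunnel but never be accepted as BGP neighbors by the hub.
    """
    rng = ipaddress.IPv4Network(neighbor_range_prefix, strict=False)
    return plan.spoke_start in rng and plan.spoke_end in rng


def validate_overlays(plans: list[OverlayPlan]) -> list[str]:
    """Return one message per violation of 'unique network space and network-id per overlay'."""
    problems: list[str] = []
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append(f"network space {a.network} overlaps {b.network}")
            if a.network_id == b.network_id:
                problems.append(f"network-id {a.network_id} reused by {a.network} and {b.network}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's overlay plus a second overlay on another WAN link.
    overlays = [plan_overlay("10.10.10.0/24", 1), plan_overlay("10.10.11.0/24", 2)]
    for plan in overlays:
        print(f"overlay {plan.network} (network-id {plan.network_id})")
        for field, value in hub_template_fields(plan).items():
            print(f"  {field}: {value}")
        print(f"  hub IP {plan.hub_ip}, hub remote IP {plan.hub_remote_ip}")
        print(f"  neighbor range covers mode-cfg range: "
              f"{bgp_neighbor_range_covers(plan, str(plan.network))}")
    # A deliberately bad third overlay: overlaps the first and reuses its network-id.
    bad = overlays + [plan_overlay("10.10.10.128/25", 1)]
    for msg in validate_overlays(bad):
        print("problem:", msg)
```

Run it before creating the templates: paste the printed values into the hub IPsec and BGP templates, and treat any `problem:` line as a reason to pick a different network space or network-id for that overlay. A neighbor range prefix narrower than the overlay (for example a /25 typed into a /24 overlay) is the mismatch `bgp_neighbor_range_covers` is there to catch.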