This section describes how to use the SD-WAN overlay template to configure the overlay network.
The SD-WAN overlay provisioning template supports metafields for each input box that displays a magnifying glass.
For more information, see the FortiManager 7.2 Administration Guide.
- In FortiManager, go to Device Manager > Provisioning Templates > SD-WAN Overlay Templates.
- Click Create New. The Create New SD-WAN Overlay Template dialog box is displayed.
- Enter a name and description for the template, and click OK. The Region Settings pane is displayed.
- Set the region settings:
- Select Dual Hub (Primary & Primary).
- Expand Advanced, and modify the default IP address scheme for loopback and overlay networks, BGP-AS number, and to enable AD-VPN as desired.
- Click Next.The Role Assignment pane is displayed.
- Set the role assignment:
- Set Primary HUB to HUB1.
- Set Secondary HUB to Cloud-Gateway.
- Set Device Group Assignment to Branches.
- Click Next. The Network Configuration pane is displayed.
- Set the network configuration for the primary HUB:
- Under Primary HUB, set WAN Underlay 1 to port1.
- Set WAN Underlay 2 to port2.
- Expand Advanced.
- Click Create New. The Create New Neighbor pane is displayed.
- Set Neighbor IP to 172.16.1.1.
- Set Remote AS to 65100.
- Click OK. The BGP neighbor is created.
When entering the port name, it is case sensitive and must match the port as written on the FortiGate exactly.
Select Private Link if the port is on a private circuit, and you do not want to create an overlay network utilizing this link.
Select Override IP if you want to manually input an IP address that remote branches will connect to. This is commonly used in public cloud providers where interfaces have private IP address or other NAT’d environments.
- Set the network configuration for the secondary HUB:
- Under Secondary HUB, set WAN Underlay 1 to port1.
- Under Secondary HUB, click the x for WAN Underlay 2 to remove it.
- Set Network Advertisement to Connected.
A neighbor is configured for HUB1 to learn the route to the Corporate Datacenter LAN (192.168.1.0/24) and the Cloud resource network (172.20.1.0/24) over BGP. This is also why there is no need to specify a Network Advertisement; routes learned from an eBGP peer are re-advertised to all iBGP and eBGP peers by default.
- Set the network configuration for the branches device group:
- Scroll down to Branch Device Group, and set WAN Underlay 1 to port1.
- Set WAN Underlay 2 to port2.
- Set Network Advertisement to Connected and port3.
The Network Advertisement interface will be advertised to the rest of the SD-WAN region. In this example, port3 is our LAN interface for each branch, and so will advertise the branch’s LAN subnet.
- Click Next. The SD-WAN Template Options pane is displayed.
- Set the SD-WAN template options:
- Enable Add Overlay Objects to SD-WAN Template.
- In the list, click Create New to create a new SD-WAN template named Branch_SDWAN.
No configuration of the template is needed at this time.
- Enable Add Overlay Interfaces and Zones.
- Enable Add Healthcheck Servers for Each Hub as Performance SLA.
- Click Next.The Summary pane is displayed.
- Click Finish to save the template.