SaaS remote internet breakout

7.2.0
SaaS remote internet breakout is used when branch traffic for a SaaS application (for example, a VoIP solution) needs to be routed through the hub.

Use this configuration to enable SaaS remote internet breakout on the branch devices, which allows them to access cloud applications through the hub device. The spoke device routes only Ringcentral VoIP traffic through the hub overlays. The SD-WAN rule has set gateway enable configured, which overrides the route table and sends traffic that matches this application through the hub.

Following is a summary of configuring SaaS remote internet breakout:

  1. Create an SD-WAN rule for cloud applications. See Creating an SD-WAN rule for cloud applications.
  2. Create a policy to allow traffic on the hub. See Creating a policy to allow traffic on the hub.

Creating an SD-WAN rule for cloud applications

To create an SD-WAN rule:
  1. Go to Device Manager > Provisioning Templates > SD-WAN Templates.
  2. Double-click the Branches template to open it for editing.
  3. Under SD-WAN Rules, click +Create New. The Create New SD-WAN Rule pane is displayed.
  4. Complete the following options, and click OK to save the new rule:

    Name: Cloud Applications
    Destination:
      1. Select Internet Service.
      2. Click the box beside Application Group, and click + to create a new application group.
      3. Set Name to Cloud_Applications.
      4. Set Application to Ringcentral (ID: 42635).
      5. Click OK to save the application group.
    Strategy: Lowest Cost (SLA)
    Interface Preference: HUB1-VPN1, HUB1-VPN2
    Required SLA Target: Hub1_HC
    Advanced Options: Enable gateway.

  5. Move the rule to position two (2), below Corporate_Traffic.
  6. Click OK to save the SD-WAN template.
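
After the template is installed, the rule can be checked on a spoke for the two properties the procedure depends on: gateway enabled and placement below Corporate_Traffic. The following is an added example, not part of the original documentation; the function names, the rule IDs, and the assumption that rules are evaluated in the order they appear in the configuration are this example's own, and the sample configuration is constructed.

```python
import shlex
# Constructed "show system sdwan" excerpt from a spoke (rule IDs are assumptions).
SAMPLE = '''
config system sdwan
    config service
        edit 1
            set name "Corporate_Traffic"
        next
        edit 2
            set name "Cloud Applications"
            set mode sla
            set internet-service enable
            set internet-service-app-ctrl-group "Cloud_Applications"
            config sla
                edit "Hub1_HC"
                    set id 1
                next
            end
            set gateway enable
        next
    end
end
'''

def sdwan_rules(text):
    """Return SD-WAN rules (config service entries) in config order."""
    rules, path = [], []
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            path.pop()
        elif path == ["system sdwan", "service"]:
            if tok[0] == "edit":
                rules.append({})
            elif tok[0] == "set":  # lines inside nested "config sla" never reach here
                rules[-1][tok[1]] = tok[2:]
    return rules

def check_breakout(rules, name="Cloud Applications", after="Corporate_Traffic"):
    """List deviations from the rule described in the procedure."""
    names = [r.get("name", [""])[0] for r in rules]
    if name not in names:
        return ["rule not found: " + name]
    i, problems = names.index(name), []
    if rules[i].get("gateway") != ["enable"]:
        problems.append("gateway disabled: route table is not overridden")
    if after not in names[:i]:
        problems.append("rule is not below " + after)
    return problems
```

An empty list from check_breakout(sdwan_rules(SAMPLE)) means both properties hold.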

Creating a policy to allow traffic on the hub

To create a policy to allow traffic on the hub device:
  1. Go to Policy & Objects.
  2. Select the HUB policy package, and click +Create New to define a new policy.
  3. Set the following options, and click OK:

    Name: Remote Internet Breakout
    Incoming Interface: Branches
    Outgoing Interface: WAN1, WAN2
    IPv4 Source Address: Branch network
    IPv4 Destination Address: all
    Action: Accept
    NAT: Enabled

  4. Install the branch and hub policy packages.
