Version: 7.2.0
Solution overview

This guide is separated into the following parts:

  1. In FortiManager, configure the overlay network using the SD-WAN Overlay Provisioning Template.

    One-to-one overlay mapping per underlay: in this design, each branch underlay terminates a single IPsec tunnel on exactly one gateway underlay (for two branch WAN links and two hubs, four tunnels per branch). This is the most common overlay design and keeps the configuration simple, but it provides less redundancy than a full mesh, in which every branch underlay builds a tunnel to every gateway underlay. A full mesh overlay mapping is generally not recommended for multi-datacenter deployments unless a specific use case requires it.

  2. Assign Meta fields to Branch devices.
  3. Configure SD-WAN rules for Corporate and Internet traffic.

    Direct Internet Access (DIA): used when a branch needs local internet breakout, typically for SaaS applications or other internet-hosted services that the branch reaches directly over its own WAN links rather than through a data center. SD-WAN selects the underlay that currently meets the configured SLA for this traffic.

    Branch to Corporate LAN: the overlay tunnels to the primary DC are preferred when accessing corporate resources. If no primary DC tunnel meets the SLA, a tunnel to the secondary DC is selected.

  4. Create a Policy Package for the Branches and Hub.
    • Branches
      1. Branch to DC
      2. Branch to internet
    • Hub
      1. Branch to DC
      2. SLA-healthcheck
  5. Deploy the configuration to the devices.
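The following FortiOS CLI fragment is an added example, hand-written for this guide; it is not the output of the FortiManager SD-WAN Overlay Template or any Fortinet code. It shows what the design in steps 1 and 3 looks like on a branch FortiGate: the four one-to-one overlay tunnels as SD-WAN members, one health check per hub that probes that hub's loopback over that hub's own tunnels, and the two SD-WAN rules (Corporate traffic preferring the primary DC with SLA fallback to the secondary DC, and DIA for everything else). Interface, zone, address-object and health-check names, the loopback and gateway addresses, and the SLA thresholds are all assumptions; substitute the values the template generates from your meta fields.

```fortios
# Added example for this guide, not template output. All names and
# addresses below are assumptions.
config system sdwan
    set status enable
    config zone
        # Assumed zone names: local ISP links (DIA) and hub tunnels.
        edit "underlay"
        next
        edit "overlay"
        next
    end
    config members
        # Assumed underlays: port1 = ISP1, port2 = ISP2.
        edit 1
            set interface "port1"
            set zone "underlay"
            set gateway 192.0.2.1
        next
        edit 2
            set interface "port2"
            set zone "underlay"
            set gateway 198.51.100.1
        next
        # One-to-one overlay mapping: one tunnel per branch underlay per hub.
        # Assumed tunnel names: H1_* to the primary DC, H2_* to the secondary.
        edit 3
            set interface "H1_ISP1"
            set zone "overlay"
        next
        edit 4
            set interface "H1_ISP2"
            set zone "overlay"
        next
        edit 5
            set interface "H2_ISP1"
            set zone "overlay"
        next
        edit 6
            set interface "H2_ISP2"
            set zone "overlay"
        next
    end
    config health-check
        # Probe each hub's loopback (assumed 10.200.x.1) through that hub's
        # own tunnels, so the SLA measures the overlay path to that DC.
        edit "HUB1_HC"
            set server "10.200.1.1"
            set members 3 4
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 2
                next
            end
        next
        edit "HUB2_HC"
            set server "10.200.2.1"
            set members 5 6
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 2
                next
            end
        next
        # DIA probe to an assumed public target over the raw underlays.
        edit "Internet_HC"
            set server "8.8.8.8"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 200
                    set packetloss-threshold 5
                next
            end
        next
    end
    config service
        # Branch to Corporate LAN: primary-DC tunnels are listed first and
        # are used while they meet HUB1_HC SLA 1; secondary-DC tunnels are
        # used only when neither primary tunnel meets its SLA.
        edit 1
            set name "Corporate"
            set mode sla
            set src "LAN_subnet"
            set dst "Corporate_subnets"
            config sla
                edit "HUB1_HC"
                    set id 1
                next
                edit "HUB2_HC"
                    set id 1
                next
            end
            set priority-members 3 4 5 6
        next
        # Direct Internet Access: remaining traffic breaks out locally on
        # whichever underlay currently meets Internet_HC SLA 1.
        edit 2
            set name "DIA"
            set mode sla
            set src "LAN_subnet"
            set dst "all"
            config sla
                edit "Internet_HC"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```

Two points to check after the template has pushed its version of this: the Corporate rule must be listed above the DIA rule, because SD-WAN rules are evaluated top down and a catch-all DIA rule above it would send corporate prefixes out the underlay; and the policy package in step 4 must allow branch LAN traffic to the overlay and underlay zones, and on the hub must allow the health-check probes to reach the loopback, otherwise every hub health check fails and both DC rules fall back to their last member.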

The majority of the configuration and complexity is handled by the FortiManager SD-WAN Overlay Template, which generates the IPsec VPN and SD-WAN configuration together with the CLI templates for the loopback interfaces and BGP.

FortiManager provides continued value post deployment through SD-WAN monitoring, IPsec monitoring, and change management.
