SD-WAN overlay templates
Most SD-WAN deployments require complex overlay configurations for datacenter or cloud connectivity. FortiManager 7.2.0 includes an SD-WAN overlay template with a wizard to automate and simplify the process using Fortinet's recommended IPsec and BGP templates.
Note that the overlay template does not provide any SD-WAN intelligence. Configure an SD-WAN template to complete the SD-WAN configuration. The overlay template also assumes connectivity between the hub and branch in order to build the overlay tunnels. This can be accomplished in a variety of ways, such as static routes, a dynamic routing protocol (BGP), or a DHCP-provided static route.
This topic includes the following:
- Prerequisites and network planning
- Using the SD-WAN overlay template
- Configuring an SD-WAN overlay template
For more information, including editing a template and onboarding new SD-WAN branch devices, see the FortiManager Administration Guide.
Prerequisites and network planning
Prerequisites
- Import the FortiGate devices that will make up the hub and branch devices into FortiManager.
- Configure the ISP links and other interfaces on your imported devices.
- Create a device group for your branch devices.
Network planning
- Allocate the overlay network address space. By default, the template uses 10.10.0.0/16.
- Allocate the loopback IP address space. By default, the template uses 172.16.0.0/16.
- Select an AS number for BGP for the new SD-WAN overlay region. By default, the template uses 65000.
Using the SD-WAN overlay template
To use the SD-WAN overlay template:
- Pre-configure your network and SD-WAN devices.
- Create an SD-WAN overlay template.
- Assign metadata variables to devices. The branch_id variable is automatically created by the template and each branch device must be assigned a unique value. Additional custom metadata variables can be used if required.
- Configure the SD-WAN rules to include the newly created overlays by creating or editing an SD-WAN template.
- Create the Policy Package for your branch and hub devices.
- Install the changes to SD-WAN devices using the Install Wizard.
- (Optional) Edit the SD-WAN overlay template.
- (Optional) Add new branch devices.
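A pre-flight check for the network planning and branch_id steps above, added here as an example (it is not part of FortiManager or of Fortinet's documentation). It flags prefixes that collide with the overlay or loopback space, a non-private AS number, and missing or reused branch_id values. The device names and advertised prefixes are constructed, and the no-overlap and private-AS rules are assumptions of this example.

```python
import ipaddress
from collections import Counter

# Template defaults stated on this page.
DEFAULT_PLAN = {"overlay": "10.10.0.0/16", "loopback": "172.16.0.0/16", "bgp_as": 65000}
# Private-use AS ranges (RFC 6996); requiring one is this example's assumption.
PRIVATE_AS_RANGES = ((64512, 65534), (4200000000, 4294967294))
# Constructed sample inventory: device names and prefixes are made up.
SAMPLE_ADVERTISED = {"hub1": ["192.168.0.0/24"], "branch1": ["10.10.5.0/24"], "branch2": ["192.168.2.0/24"]}
SAMPLE_BRANCH_IDS = {"branch1": 1, "branch2": 1, "branch3": None}


def check_plan(plan, advertised, branch_ids):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    reserved = {name: ipaddress.ip_network(plan[name]) for name in ("overlay", "loopback")}
    # The two template address spaces must not overlap each other.
    if reserved["overlay"].overlaps(reserved["loopback"]):
        findings.append("overlay and loopback address spaces overlap")
    # Prefixes advertised by hubs or branches must stay clear of both spaces.
    for device, prefixes in sorted(advertised.items()):
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            for name, space in reserved.items():
                if net.overlaps(space):
                    findings.append(f"{device}: {prefix} overlaps {name} space {space}")
    # The AS number chosen for the overlay region should be private-use.
    if not any(lo <= plan["bgp_as"] <= hi for lo, hi in PRIVATE_AS_RANGES):
        findings.append(f"BGP AS {plan['bgp_as']} is outside the private-use ranges")
    # Every branch needs a branch_id, and no two branches may share one.
    for device, value in sorted(branch_ids.items()):
        if value is None:
            findings.append(f"{device}: branch_id not assigned")
    counts = Counter(v for v in branch_ids.values() if v is not None)
    for value, n in sorted(counts.items()):
        if n > 1:
            owners = sorted(d for d, v in branch_ids.items() if v == value)
            findings.append(f"branch_id {value} reused by {', '.join(owners)}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(DEFAULT_PLAN, SAMPLE_ADVERTISED, SAMPLE_BRANCH_IDS):
        print(finding)
```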
Configuring an SD-WAN overlay template
To create an SD-WAN overlay template:
- Go to Device Manager > Provisioning Templates > SD-WAN Overlay Templates.
- Click Create New.
The Create New SD-WAN Overlay Template wizard opens.
- Enter a name and description for the new SD-WAN overlay template, and click OK.
- For the Region Settings, select a topology type, and click Next.
Select New Topology
Select a topology type based on your environment. Topologies include the following:
- Single Hub
- Dual Hub (Primary/Secondary)
- Dual Hub (Primary/Primary)
The options presented in the wizard change based on the topology selected.
Primary/Secondary and Primary/Primary are the same configuration; the difference is that in a Primary/Secondary deployment, the Secondary hub is given a higher cost than the Primary. This cost is controlled by the SD-WAN rule.
Advanced
Expand to view additional configurable settings.
These fields are preconfigured with settings that will work in many situations, but you may need to adjust these to match your own networking environment. They should match the addresses you identified when considering the SD-WAN overlay template prerequisites.
Loopback IP Address
Optionally, you can configure the loopback IP address.
By default, this setting is set to 172.16.0.0/255.255.0.0.
Overlay Network
Optionally, you can configure the overlay network.
By default, this setting is set to 10.10.0.0/255.255.0.0.
BGP-AS Number
Optionally, you can configure the BGP AS number.
By default, this setting is set to 65000.
Auto-Discovery VPN
Optionally, you can toggle this setting ON to enable Auto Discovery VPN (ADVPN).
- For the Role Assignment, configure the following settings and click Next.
Topology
Optionally, you can change the topology type that you selected on the previous screen.
Hub
Select the SD-WAN hubs. The number of hubs required depends on the topology selected:
- Single Hub: One standalone hub.
- Dual Hub (Primary & Secondary): One primary and one secondary hub.
- Dual Hub (Primary & Primary): Two primary hubs.
Hub devices must be added to FortiManager before creating the SD-WAN overlay template.
Branch
Select the device group containing your SD-WAN branch devices.
Devices included in this device group are configured as SD-WAN branch devices as a part of this template.
Additional devices can be added to the selected device group later to receive the SD-WAN branch configuration when performing an installation on that device. This simplifies the onboarding of new branch devices.
- For the Network Configuration, configure the following settings and click Next.
Hub
Configure the network settings for each hub in your configuration. The number and types of hubs present depend on the topology you selected.
WAN Underlay
Type the interfaces for each WAN underlay. You can add additional WAN underlays by clicking the add icon.
For each WAN underlay, you can optionally enable the following settings:
- Private Link: No overlays will be created on private links.
- Override IP: Override the IP address for the WAN underlay with the provided IP address. This option is not available when Private Link is enabled.
Network Advertisement
Configure network advertisement for the hub. Network advertisement can be set to one of the following:
- Connected: Type the network interface to advertise. Additional interfaces can be added by clicking the add icon.
- Static: Type the network prefix to advertise. Additional network prefixes can be added by clicking the add icon.
Advanced
Expand to view advanced settings, including configuration of SD-WAN neighbors.
Click Neighbors > Create New to add a new SD-WAN neighbor for the hub.
Branch Route Maps
Optionally, move the toggle to the ON position to enable branch route maps, and then select the corresponding route map. You can create a new route map by clicking the add icon.
Branch
Configure the network settings for the branch devices in your configuration.
WAN Underlay
Type the interfaces for the SD-WAN branch WAN underlay. You can add additional WAN underlays by clicking the add icon.
For each WAN underlay, you can optionally enable the following settings:
- Private Link: No overlays will be created on private links.
Network Advertisement
Configure network advertisement for the branch. Network advertisement can be set to one of the following:
- Connected: Type the network interface to advertise. Additional interfaces can be added by clicking the add icon.
- Static: Type the network prefix to advertise. Additional network prefixes can be added by clicking the add icon.
Advanced
Expand to view advanced settings, including configuration of route maps for hub overlays. You can apply the route map settings to all hub overlays or specify them individually.
- For the Template Options, configure the following settings and click Next.
Add Overlay Objects to SD-WAN Template
Optionally, you can toggle this setting ON to automatically add the overlay objects configured by this template to a new or existing SD-WAN template.
Select an existing SD-WAN template or click the add icon to create a new SD-WAN template.
Add Overlay Interfaces and Zones
Optionally, you can toggle this setting ON to add overlay interfaces and zones.
Add Healthcheck Servers for Each HUB as Performance SLA
Optionally, you can toggle this setting ON to add health check servers for each hub as performance SLAs.
- The summary window displays a summary of the SD-WAN overlay configurations that will be created by this template.
- When you click Finish, multiple provisioning templates are created based on the information you provided. The templates are automatically assigned to the devices specified by the wizard.
- When complete, you can deploy the SD-WAN provisioning templates in your environment.