NGFW to SPA Hub Conversion Using Fabric Overlay Orchestrator

Verifying firewall policies on the hub FortiGate

On the hub, when Policy creation is set to Automatic, verify that wildcard firewall policies have been configured on the hub FortiGate. For this fabric overlay orchestrator configuration example using Automatic, the following firewall policies are configured on the hub FortiGate:

Note

The Automatic policy creation option creates wildcard allow policies for the tunnel overlays, so in some cases these policies do not provide the granularity needed to restrict overlay traffic to specific subnets or hosts.

On the hub, when Policy creation is set to Health Check, verify that a single firewall policy allowing health check traffic to the hub’s loopback has been configured on the hub FortiGate. For a fabric overlay orchestrator configuration example using Health Check, the following firewall policies are configured on the hub FortiGate:

On the hub, when Policy creation is set to Manual, verify that no firewall policies were created by the fabric overlay orchestrator. Firewall policies must be manually configured on the hub FortiGate to allow traffic to the loopback interface for health checks and the overlays, if desired.
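To check what actually landed on the hub after the orchestrator ran, the following added script (not Fortinet's code) parses `show firewall policy` CLI output and labels each policy as wildcard (any source, any destination, any service) or scoped, which is the distinction the note above is warning about. The configuration text is a constructed sample, and every interface and address name in it is a placeholder rather than a value from this page.

```python
# Added verification helper, not Fortinet code: parses `show firewall policy`
# text and labels each policy wildcard (all/all/ALL) or scoped.
import re
# Constructed sample; interface and address names are placeholders.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "overlay-wildcard"
        set srcintf "overlay_vpn"
        set dstintf "overlay_vpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 2
        set name "health-check-to-loopback"
        set srcintf "overlay_vpn"
        set dstintf "hub_loopback"
        set srcaddr "all"
        set dstaddr "hub_loopback_addr"
        set action accept
        set service "PING"
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: value}} from FortiOS config text."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"edit (\d+)$", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2).replace('"', "")
        elif line == "next":
            current = None
    return policies

def classify(policy):
    """'wildcard' when source, destination and service are all unrestricted."""
    wide = (policy.get("srcaddr") == "all" and policy.get("dstaddr") == "all"
            and policy.get("service", "").upper() == "ALL")
    return "wildcard" if wide else "scoped"

def audit(text):
    """Map every policy id in the config text to its classification."""
    return {pid: classify(p) for pid, p in parse_policies(text).items()}
```

Run `audit` over the real `show firewall policy` output; any overlay policy reported as wildcard is one to tighten to the subnets or hosts that should actually cross the tunnel.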