
NGFW to SPA Hub Conversion Using Fabric Overlay Orchestrator

General steps

The following general steps should be used to configure a self-orchestrated SD-WAN overlay within a single Security Fabric.

These steps must be followed in this order and assume that the prerequisites and network topology above are in place.

  1. Configure the root FortiGate using the Fabric Overlay Orchestrator.
  2. Configure one or more downstream FortiGates using the Fabric Overlay Orchestrator.
  3. Configure an overlay on the spoke for an additional incoming interface on the hub (if applicable).
  4. Verify the Fabric Overlay created by the Fabric Overlay Orchestrator:
    1. Verify IPsec VPN tunnels on the hub FortiGate.
    2. Verify BGP Routing on the hub FortiGate.
    3. Verify the Performance SLAs on the hub FortiGate.
    4. Verify IPsec VPN tunnels on a spoke FortiGate.
    5. Verify BGP Routing on a spoke FortiGate.
    6. Verify the Performance SLA on a spoke FortiGate.

When configuring the root and downstream FortiGates, the Fabric Overlay Orchestrator configures the following settings in the background:

  • IPsec overlay configuration (Hub-and-Spoke ADVPN tunnels)
  • BGP configuration
  • Policy routing
  • SD-WAN zone
  • SD-WAN performance SLAs

The FortiGate’s role in the SD-WAN overlay is automatically determined by its role in the Security Fabric. The Fabric Root will have the role of the Hub and any first-level children (downstream devices) from the Fabric Root will have the role of a Spoke.
