General steps
The following general steps should be used to configure a self-orchestrated SD-WAN overlay within a single Security Fabric.
These steps must be followed in this order and assume that the prerequisites and network topology above are in place.
- Configure the root FortiGate using the Fabric Overlay Orchestrator.
- Configure one or more downstream FortiGates using the Fabric Overlay Orchestrator.
- Configure an overlay on the spoke for an additional incoming interface on the hub (if applicable).
- Verify the Fabric Overlay created by the Fabric Overlay Orchestrator:
  - Verify IPsec VPN tunnels on the hub FortiGate.
  - Verify BGP Routing on the hub FortiGate.
  - Verify the Performance SLAs on the hub FortiGate.
  - Verify IPsec VPN Tunnels on a spoke FortiGate.
  - Verify BGP Routing on a spoke FortiGate.
  - Verify the Performance SLA on a spoke FortiGate.
When configuring the root and downstream FortiGates, the Fabric Overlay Orchestrator configures the following settings in the background:
- IPsec overlay configuration (Hub-and-Spoke ADVPN tunnels)
- BGP configuration
- Policy routing
- SD-WAN zone
- SD-WAN performance SLAs
The FortiGate’s role in the SD-WAN overlay is automatically determined by its role in the Security Fabric. The Fabric Root will have the role of the Hub and any first-level children (downstream devices) from the Fabric Root will have the role of a Spoke.