NGFW to SPA Hub Conversion Using Fabric Overlay Orchestrator

Configuring a downstream FortiGate using the Fabric Overlay Orchestrator

These steps describe how to run the Fabric Overlay Orchestrator on a downstream FortiGate.

To configure a downstream FortiGate using the Fabric Overlay Orchestrator:
  1. Go to VPN > Fabric Overlay Orchestrator.
  2. Set Status to Enabled. The Role is automatically selected depending on the FortiGate device’s role in the Fortinet Security Fabric. When configuring a downstream FortiGate, confirm the role is spoke. Only downstream FortiGates that are first-level children of the root may become spokes. Click Next.
  3. For Local Network, configure the routing and local subnets to share with the VPN network, namely the shared interfaces setting:

     Option               Description
     Shared interfaces    Select the interface of the local network to share with the VPN network.

     Click Next. Observe the Configuring spoke Fabric VPN from root FortiGate notification message.

  4. For the first Summary step, review the configured settings and click Apply.
  5. For the second Summary step, observe that the following settings have been created:

     Option               Description
     SD-WAN Zone          Status > SD-WAN zone. In the example, this is fabric_vpn_sdwan.
     VPN Tunnels          Overlay > Incoming interface > Phase 1 Interface. In the example, this is fabric_vpn1.
     BGP                  Local Network > BGP AS, Local Network > Shared subnets. In the example, the BGP AS is 65400 and the subnets are 10.1.10.0/24 and 10.20.1.2/32.
     Loopback Interface   Local Network > Loopback interface. In the example, it is F_Spoke_loop.
     Firewall Policies    Local Network > Shared subnets > Policies. In the example, they are fabric_vpn_1_in, fabric_vpn_0_out, and fabric_vpn_0_in.

FortiOS generates the loopback IP address for each branch from the index number of the trusted device in the hub's Security Fabric system configuration. For example, if Branch1 is the first FortiGate and Branch2 is the second FortiGate authorized on the hub FortiGate, FortiOS generates the loopback addresses as follows:

FortiGate    Loopback IP address    Serial number
Branch1      10.20.1.2              FGVM02TM22009724
Branch2      10.20.1.3              FGVM02TM22009526

    In this example, the Security Fabric trusted devices list in the Fabric-HUB FortiGate is as follows:

    config system csf
        set status enable
        set group-name "fabric"
        config trusted-list
            edit "FGVM02TM22009724"
                set serial "FGVM02TM22009724"
                set index 1
            next
            edit "FGVM02TM22009526"
                set serial "FGVM02TM22009526"
                set index 2
            next
        end
    end 
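The loopback addresses above are the value a practitioner most wants to verify after the orchestrator runs, because the spoke's BGP shared subnets (10.20.1.2/32 in the summary) must match the address the hub derived from that spoke's trusted-list index. The following is an added example, not Fortinet code and not documented FortiOS behaviour: it parses the `config system csf` trusted-list shown above (embedded as a constructed sample), and models the addressing as host index+1 inside 10.20.1.0/24, which is an assumption fitted to the two rows on the page rather than a published scheme. It then checks a spoke's shared-subnet list against the loopback its index implies, flagging both a missing /32 and a /32 from the loopback range that belongs to some other index.

```python
import ipaddress
import re

# Constructed sample input: the Fabric-HUB trusted-list shown above, embedded
# here so the example runs offline against a known input.
SAMPLE_CSF = """\
config system csf
    set status enable
    set group-name "fabric"
    config trusted-list
        edit "FGVM02TM22009724"
            set serial "FGVM02TM22009724"
            set index 1
        next
        edit "FGVM02TM22009526"
            set serial "FGVM02TM22009526"
            set index 2
        next
    end
end
"""

# Assumption (not stated in the FortiOS documentation): the two rows on the
# page, index 1 -> 10.20.1.2 and index 2 -> 10.20.1.3, are modelled as host
# (index + HOST_OFFSET) inside LOOPBACK_NET. Adjust both if your hub differs.
LOOPBACK_NET = ipaddress.ip_network("10.20.1.0/24")
HOST_OFFSET = 1


def parse_trusted_list(config_text):
    """Return {serial: index} parsed from the `config trusted-list` block.

    An entry lacking `set serial` or `set index`, or a duplicate index, is an
    error: the loopback derivation needs both present and unique.
    """
    entries = {}
    in_list = False
    serial = index = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config trusted-list":
            in_list = True
        elif not in_list:
            continue
        elif line.startswith("edit "):
            serial = index = None
        elif (m := re.match(r'set serial "([^"]+)"$', line)):
            serial = m.group(1)
        elif (m := re.match(r"set index (\d+)$", line)):
            index = int(m.group(1))
        elif line == "next":
            if serial is None or index is None:
                raise ValueError("trusted-list entry is missing serial or index")
            if index in entries.values():
                raise ValueError(f"duplicate trusted-list index {index}")
            entries[serial] = index
            serial = index = None
        elif line == "end":
            break  # closes trusted-list; the outer `end` is never reached
    return entries


def expected_loopback(index):
    """Loopback address implied by a trusted-list index under the assumed scheme."""
    host = index + HOST_OFFSET
    if not 0 < host < LOOPBACK_NET.num_addresses - 1:
        raise ValueError(f"index {index} falls outside {LOOPBACK_NET}")
    return LOOPBACK_NET.network_address + host


def expected_loopbacks(config_text):
    """Map every trusted serial to the loopback address its index implies."""
    return {s: str(expected_loopback(i)) for s, i in parse_trusted_list(config_text).items()}


def check_shared_subnets(serial, shared_subnets, config_text):
    """Compare a spoke's shared subnets with the loopback its hub index implies.

    Returns a list of findings, empty when consistent: the expected /32 is
    missing, or a /32 from the loopback range that is not this spoke's own.
    """
    indexes = parse_trusted_list(config_text)
    if serial not in indexes:
        return [f"{serial} is not in the hub trusted-list"]
    want = ipaddress.ip_network(f"{expected_loopback(indexes[serial])}/32")
    nets = [ipaddress.ip_network(s, strict=False) for s in shared_subnets]
    findings = []
    if want not in nets:
        findings.append(f"{serial}: expected loopback {want} is not among the shared subnets")
    for net in nets:
        if net != want and net.prefixlen == 32 and net.subnet_of(LOOPBACK_NET):
            findings.append(f"{serial}: advertises {net}, a loopback not derived from its own index")
    return findings


if __name__ == "__main__":
    for s, addr in expected_loopbacks(SAMPLE_CSF).items():
        print(s, addr)
    # Branch1's second Summary step on the page shares 10.1.10.0/24 and 10.20.1.2/32.
    print(check_shared_subnets("FGVM02TM22009724", ["10.1.10.0/24", "10.20.1.2/32"], SAMPLE_CSF))
```

Run it against the real output of `show system csf` from the hub and the shared subnets from each spoke's BGP summary; a non-empty findings list means the hub's trusted-list index and the spoke's advertised loopback have drifted apart and the overlay should be re-checked before relying on the BGP routes.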