Configuring a downstream FortiGate using the Fabric Overlay Orchestrator
These steps describe how to run the Fabric Overlay Orchestrator on a downstream FortiGate.
To configure a downstream FortiGate using the Fabric Overlay Orchestrator:
- Go to VPN > Fabric Overlay Orchestrator.
- Set Status to Enabled. The Role is automatically selected depending on the FortiGate device’s role in the Fortinet Security Fabric. When configuring a downstream FortiGate, confirm the role is spoke. Only downstream FortiGates that are first-level children of the root may become spokes. Click Next.
- For Local Network, configure the routing and local subnets to share with the VPN network using the Shared interfaces setting:

| Option | Description |
|---|---|
| Shared interfaces | Select the interface of the local network to share with the VPN network. |

Click Next. Observe the Configuring spoke Fabric VPN from root FortiGate notification message.
- For the first Summary step, review the configured settings and click Apply.
- For the second Summary step, review the settings that have been created:

| Option | Description |
|---|---|
| SD-WAN Zone | Status > SD-WAN zone. In the example, this is fabric_vpn_sdwan. |
| VPN Tunnels | Overlay > Incoming interface > Phase 1 Interface. In the example, this is fabric_vpn1. |
| BGP | Local Network > BGP AS, Local Network > Shared subnets. In the example, the BGP AS is 65400 and the shared subnets are 10.1.10.0/24 and 10.20.1.2/32. |
| Loopback Interface | Local Network > Loopback interface. In the example, it is F_Spoke_loop. |
| Firewall Policies | Local Network > Shared subnets > Policies. In the example, they are fabric_vpn_1_in, fabric_vpn_0_out, and fabric_vpn_0_in. |

FortiOS generates the loopback IP addresses for the branches based on the index number of the trusted device in the hub Security Fabric system configuration. For example, if Branch1 is the first FortiGate and Branch2 is the second FortiGate authorized in the hub FortiGate, FortiOS generates the loopback addresses as follows:
| FortiGate | Loopback IP address | Serial number |
|---|---|---|
| Branch1 | | FGVM02TM22009724 |
| Branch2 | | FGVM02TM22009526 |

In this example, the Security Fabric trusted devices list in the Fabric-HUB FortiGate is as follows:
```
config system csf
    set status enable
    set group-name "fabric"
    config trusted-list
        edit "FGVM02TM22009724"
            set serial "FGVM02TM22009724"
            set index 1
        next
        edit "FGVM02TM22009526"
            set serial "FGVM02TM22009526"
            set index 2
        next
    end
end
```
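Because the spoke loopback addresses are derived from each trusted device's index, it is worth checking the hub's trusted-list for reused indices or entries whose serial differs from the edit name before applying it. The following script is an added example (not Fortinet code) that parses a `config system csf` block of the form shown above and reports both problems; the sample configuration it embeds is constructed from the page's example.

```python
# Constructed sample: the Fabric-HUB trusted-list block shown on this page.
SAMPLE_CSF_CONFIG = """\
config system csf
    set status enable
    config trusted-list
        edit "FGVM02TM22009724"
            set serial "FGVM02TM22009724"
            set index 1
        next
        edit "FGVM02TM22009526"
            set serial "FGVM02TM22009526"
            set index 2
        next
    end
end
"""

def parse_trusted_list(config_text):
    # Walk config/edit/set/next/end nesting; collect entries under trusted-list.
    stack, current, entries = [], None, []
    for raw in config_text.splitlines():
        parts = raw.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            stack.append(" ".join(parts[1:]))
        elif parts[0] == "edit":
            stack.append(parts[1].strip('"'))
            if stack[-2:-1] == ["trusted-list"]:
                current = {"name": stack[-1]}
        elif parts[0] == "set" and current is not None:
            current[parts[1]] = parts[2].strip('"')
        elif parts[0] in ("next", "end"):
            if parts[0] == "next" and current is not None:
                entries.append(current)
                current = None
            stack.pop()
    return entries

def check_trusted_list(entries):
    # Loopbacks derive from the index: flag reused indices and serial/name mismatches.
    problems, seen = [], {}
    for e in entries:
        idx = int(e.get("index", 0))
        if idx in seen:
            problems.append(f"index {idx} reused by {seen[idx]} and {e['name']}")
        seen[idx] = e["name"]
        if e.get("serial") != e["name"]:
            problems.append(f"{e['name']}: serial {e.get('serial')} differs from name")
    return problems
```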