4D Documents
fmerin_FTNT
Staff
Article Id 266255

This article summarizes the FortiSASE Secure Private Access (SPA) with an existing FortiGate SD-WAN hub deployment, also known as the FortiSASE integration with an existing SD-WAN hub deployment. For the complete guide, see SPA with a FortiGate SD-WAN Deployment Guide.

 

Product Prerequisites

For a list of product prerequisites, see SPA using a FortiGate SD-WAN hub.

 

Other SPA Hub Use Cases

For the FortiGate next generation firewall (NGFW) SPA use case, you must first convert the NGFW to a standalone IPsec VPN hub. Go to the 4-D FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide (FortiOS 7.0.7+) instead.

 

For the FortiGate NGFW SPA use case running FortiOS 7.2.4 and above, you can use the Fabric Overlay Orchestrator feature to convert the NGFW to a standalone IPsec VPN hub. Go to the 4-D FortiGate NGFW to FortiSASE SPA Hub Conversion using Fabric Overlay Orchestrator (FortiOS 7.2.4+, 7.4.0+) instead.

 

FortiSASE Integration with Existing SD-WAN Hub Deployment

Both SPA hub use cases, a FortiGate next generation firewall (NGFW) converted to a FortiSASE secure private access (SPA) hub and an existing FortiGate SD-WAN hub, give remote users broader and seamless access to privately hosted TCP- and UDP-based applications.

 

For the FortiGate SD-WAN SPA use case, you must configure a new FortiGate SD-WAN deployment or have an existing FortiGate SD-WAN deployment already configured. You then configure FortiSASE to communicate with the FortiGate SD-WAN hub. After completing this configuration, the FortiSASE security points of presence (PoP) act as spokes to this hub, relying on IPsec VPN overlays and iBGP to secure and route traffic between PoPs and the networks behind the organization’s FortiGate SD-WAN hub-and-spoke network.

 

A typical topology for deploying this example design is as follows:

[Figure: topology diagram of FortiSASE PoPs as spokes of the FortiGate SD-WAN hub]

FortiSASE PoPs and the organization’s FortiGate hubs form a traditional hub-and-spoke topology that supports the Fortinet autodiscovery VPN (ADVPN) configuration, which allows spokes to establish dynamic, on-demand, direct tunnels, known as shortcut tunnels, between each other to avoid routing through the hub.

 

Deployment Plan

The following outlines the major steps to deploy this solution. Go to Deployment procedures for detailed configuration steps:

  1. Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as needed.
  2. Ensure the FortiGate SD-WAN deployment has the proper configuration:
    1. Configure a new FortiGate SD-WAN deployment using FortiManager.
    2. Review and modify the configuration settings of an existing FortiGate SD-WAN deployment using FortiManager.
  3. Using the FortiSASE Secure Private Access page, configure the FortiSASE security points of presence (PoPs) as spokes of the FortiGate SD-WAN hub, using the hub's network attributes as parameters.
  4. Configure the DNS settings to allow resolving hostnames for external and internal domains.
  5. Verify IPsec VPN tunnels on the FortiGate SD-WAN hub(s).
  6. Verify BGP routing on the FortiGate SD-WAN hub(s).
  7. Test private access connectivity to the FortiGate SD-WAN network from remote users.

For more information, go to SPA with a FortiGate SD-WAN Deployment Guide.
