FortiSASE
FortiSASE delivers both a consistent security posture and an optimal user experience for users working from anywhere. Secure your hybrid workforce by closing security gaps, plus simplify operations.
mdibaee
Staff
Article Id 309561
Description

This article describes how, when deploying Secure Private Access (SPA) with FortiSASE, each SASE PoP participates in an ADVPN setup and functions as a spoke to the configured Hub FortiGate. Each Service Connection configures an ADVPN setup to a FortiGate, which serves as the hub for every SASE PoP.

Thus, each Point of Presence (PoP) establishes an IPsec tunnel to the Hub, configured with a specific tunnel IP address. This tunnel IP address serves multiple purposes, such as establishing the BGP neighborship and serving as the source IP for Secure Private Access (SPA) traffic after NAT.

(Image: mdibaee_0-1712966143475.png)

Scope

FortiGate ADVPN, FortiSASE.

Solution

It is possible to identify each FortiSASE PoP's spoke tunnel IP address, which is useful when troubleshooting BGP or Secure Private Access inbound traffic issues.

Locate the FortiSASE PoP neighbor ID for a Service Connection from the SASE dashboard: navigate to the FortiSASE dashboard -> Network -> Secure Private Access and select Health.

(Image: mdibaee_1-1712966214526.png)

Each service connection represents a Hub-and-Spoke ADVPN connection to an external FortiGate acting as the hub. Therefore, each FortiSASE PoP connects separately to the Hub FortiGate using IPsec and receives a tunnel IP based on the configuration of the Hub FortiGate.

In this case, Service Connection number 2 is under investigation.

After selecting Health, the health status of each service connection is shown per region, with each region representing a PoP.

Scrolling to the right under the chosen service connection shows the BGP neighbor ID associated with each region (PoP).

(Image: mdibaee_5-1712966355958.png)

In this case, the Vancouver PoP BGP neighbor ID is 192.168.169.1 and the Toronto PoP BGP neighbor ID is 192.168.169.2. The BGP neighbor ID can then be mapped to the BGP peer IP on the Hub FortiGate; this BGP peer IP is the same IP configured on the PoP's IPsec tunnel to the Hub FortiGate.

(Image: mdibaee_6-1712966395030.jpeg)

The BGP remote router ID 192.168.169.1 (Vancouver PoP) is associated with the BGP neighbor IP 192.168.168.1. This means that the IPsec tunnel IP for the Vancouver PoP connected to this FortiGate is 192.168.168.1.
Likewise, the BGP remote router ID 192.168.169.2 (Toronto PoP) is associated with the BGP neighbor IP 192.168.168.2. This means that the IPsec tunnel IP for the Toronto PoP connected to this FortiGate is 192.168.168.2.
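The mapping described above (dashboard BGP neighbor ID -> hub BGP remote router ID -> hub BGP neighbor IP = PoP tunnel IP) is easy to do by hand for two PoPs, but gets tedious across many regions. The following script is an added example, not part of this article or of Fortinet's tooling: it takes the region-to-neighbor-ID values read from the Secure Private Access health page and joins them against the hub's BGP neighbor output. The sample hub output is constructed; its line layout follows the general shape of FortiOS `get router info bgp neighbors` output, but the exact format, the AS number 65400 and the extra peer 192.168.168.9 are assumptions for this example. A region whose neighbor ID is not found on the hub is reported rather than silently skipped, since that is the case that most often needs attention.

```python
import re

# Constructed sample: region -> BGP neighbor (router) ID as read from the
# FortiSASE Secure Private Access -> Health page. Values match the article.
SASE_HEALTH = {
    "Vancouver": "192.168.169.1",
    "Toronto": "192.168.169.2",
}

# Constructed sample of hub-side neighbor output. The layout mirrors the
# general shape of FortiOS 'get router info bgp neighbors' but is an
# assumption for this example, not captured output. The AS number and the
# third peer (192.168.168.9, not a SASE PoP) are also constructed.
HUB_BGP_NEIGHBORS = """\
BGP neighbor is 192.168.168.1, remote AS 65400, local AS 65400, internal link
  BGP version 4, remote router ID 192.168.169.1
  BGP state = Established, up for 02:13:44
BGP neighbor is 192.168.168.2, remote AS 65400, local AS 65400, internal link
  BGP version 4, remote router ID 192.168.169.2
  BGP state = Established, up for 01:07:19
BGP neighbor is 192.168.168.9, remote AS 65400, local AS 65400, internal link
  BGP version 4, remote router ID 10.10.10.9
  BGP state = Active
"""

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\d+\.\d+\.\d+\.\d+),")
ROUTER_ID_RE = re.compile(r"remote router ID (\d+\.\d+\.\d+\.\d+)")
STATE_RE = re.compile(r"BGP state = (\w+)")


def parse_hub_neighbors(text):
    """Return {remote_router_id: {"peer_ip": ..., "state": ...}} from neighbor output.

    The peer IP on the hub is the IP configured on the PoP's IPsec tunnel,
    which is exactly the value the article's procedure recovers.
    """
    result = {}
    current = None
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            # A new neighbor block starts; state is filled in by later lines.
            current = {"peer_ip": m.group(1), "state": None}
            continue
        if current is None:
            continue
        m = ROUTER_ID_RE.search(line)
        if m:
            result[m.group(1)] = current
            continue
        m = STATE_RE.search(line)
        if m:
            current["state"] = m.group(1)
    return result


def map_pops_to_tunnel_ips(sase_health, hub_output):
    """Join dashboard neighbor IDs with hub peers, yielding each PoP's tunnel IP."""
    by_router_id = parse_hub_neighbors(hub_output)
    mapping = {}
    for region, router_id in sase_health.items():
        peer = by_router_id.get(router_id)
        if peer is None:
            # Dashboard shows a PoP the hub does not know: tunnel or BGP never came up.
            mapping[region] = {"router_id": router_id, "tunnel_ip": None,
                               "state": "not found on hub"}
        else:
            mapping[region] = {"router_id": router_id, "tunnel_ip": peer["peer_ip"],
                               "state": peer["state"]}
    return mapping


if __name__ == "__main__":
    for region, info in map_pops_to_tunnel_ips(SASE_HEALTH, HUB_BGP_NEIGHBORS).items():
        print(f"{region:10} router ID {info['router_id']:15} "
              f"tunnel IP {info['tunnel_ip'] or '-':15} {info['state']}")
```

In practice the hub output would be pasted from the FortiGate CLI and the region table copied from the health page; the two regexes are the only parts that need adjusting if the output layout differs from the constructed sample.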

Related documents:

Configuring SPA to the FortiGate SPA hub in FortiSASE Secure Private Access

Viewing health and VPN tunnel status