Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mattw
New Contributor III

Created on ‎01-22-2024 09:12 AM

SD-WAN: Setting the Gateway for underlay circuits?

Hi,

 

I have a project to implement SD-WAN for a client so I'm labbing it with FMG on 7.2.4 and FTGs on 7.2.6. I can get everything working but there is an oddity...

 

When configuring the SDWAN overlay template, the third page of the wizard asks for the WAN underlay port 1 and port 2 interfaces, but there is no option to set the gateway?

 

I can edit the SDWAN template (note: not the overlay template but the standard SDWAN template) and add the gateway IP (via a variable) for each WAN underlay circuit and this works fine, but if I then edit and save the overlay template, it removes the gateway configuration from the SDWAN template which could be VERY painful in the future in prod if FMG removes all gateways from all circuits at branch sites!

 

Am I doing something wrong?

 

What do others do to set the gateway IP for the branch underlay circuits?

 

Many thanks!

Matt.

Labels:
308
0 Kudos
4 REPLIES 4
sahmed_FTNT
Staff
Staff

Created on ‎01-22-2024 09:40 AM

Hello , kindly see the below guides for configuration reference:

 

https://docs.fortinet.com/document/fortigate/7.2.0/sd-wan-architecture-for-enterprise/801516/underla...

 

Forti Manager template:

https://docs.fortinet.com/document/fortimanager/7.2.0/new-features/865388/sd-wan-overlay-templates

Security all we want
299
0 Kudos
mattw
New Contributor III
In response to sahmed_FTNT

Created on ‎01-22-2024 10:23 AM

Thank you for the links @sahmed_FTNT, they are good.

However, it doesn't necessarily answer the question.

What I need to know is, in a SD-WAN overlay environment, what is the recommendation for configuring DIA SD-WAN for branch sites?

Should you configure the DIA SD-WAN zones, members, gateways and rules manually (not via a template) per site before adding to FMG and installing the overlay template?

Or should you use the SD-WAN template with variables to push a consistent config from FMG to each branch?

Or something else?

Unless I'm being blind, the guides don't say this.

And ultimately, I want to know if what I observed in the original post is a bug or is by design (the fact that when you run through the overlay wizard a second time, it removes any gateway configs you have configured in the referenced SD-WAN template).

Please see attached screenshots.

overlay.png

dia.png

  

293
0 Kudos
vraev
Staff
Staff

Created on ‎01-23-2024 08:10 AM

Hi @mattw ,

 

It removes the Gateway to nulL, or changes to another IP? 

 

V.R.
236
0 Kudos
mattw
New Contributor III
In response to vraev

Created on ‎01-23-2024 08:25 AM

It changes it to 0.0.0.0 (same as setting to null effectively)

It's worth pointing out that I am using the SDWAN template that the SDWAN overlay template  creates when working through the wizard, so it automatically creates zones for WAN1, WAN2, HUB1 and HUB2. I'm adding the SLAs, SDWAN rules (and gateways) to this template.

 

What I mean is, on page 4 of the overlay wizard, you can choose to "Add Overlay Objects to SD-WAN Template" and you can pick an existing SD-WAN template or get it to create a new one. I created a new one. See attached.

overlay new sdwan template.png

228
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.