sjoshi
Staff
Article Id 293562
Description

This article describes how to configure Secure Private Access (SPA) on FortiSASE.

Scope

FortiSASE.

Solution

To set up the SD-WAN connector on FortiSASE, first configure the FortiGate (FGT) in data center DC1 as the IPsec server (HUB-1) with BGP enabled. Then configure FortiSASE as the dial-up client (SPOKE) that initiates the IPsec tunnel between FortiSASE and FGT-DC1.

IPsec, BGP, and the security policy must already be configured on the hub FortiGate (HUB FGT).

A few important points on the hub configuration:

  • ADVPN is configured in sender mode.
  • mode-cfg is enabled.
  • Each hub has a unique network-id.
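
The three hub-side points above in FortiOS CLI form, as an added example that is not from the original article. It assumes a hub WAN interface named port1, a 10.10.10.0/24 mode-cfg pool with 10.10.10.1 as the hub's tunnel address, iBGP AS 65001, and a placeholder pre-shared key; the FortiSASE side is configured in the console as described in the following steps.

```fortios
config vpn ipsec phase1-interface
    edit "HUB-1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
# mode-cfg enabled: the hub assigns each PoP its tunnel IP from the pool below (assumed pool).
        set mode-cfg enable
        set add-route disable
# ADVPN sender mode, with a network-id that must be unique per hub (a second hub would use 2).
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set ipv4-start-ip 10.10.10.2
        set ipv4-end-ip 10.10.10.250
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "HUB-1"
        set phase1name "HUB-1"
    next
end
# Tunnel interface address used as the BGP peering address on the hub (assumed).
config system interface
    edit "HUB-1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end
# iBGP with the PoPs, which peer from addresses in the mode-cfg pool (AS number assumed).
config router bgp
    set as 65001
    set router-id 10.10.10.1
    config neighbor-group
        edit "SPOKES"
            set remote-as 65001
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "SPOKES"
        next
    end
end
```

The hub's firewall policy must still permit the IKE/IPsec and BGP traffic on these interfaces, as noted above.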

FortiSASE SD-WAN connector configuration:

In the FortiSASE console, go to Network -> Secure Private Access to set up the connection to the on-premises FortiGate (FGT) devices acting as SD-WAN hubs. Begin on the 'Network Configuration' tab to define the common parameters, as shown below:

[Screenshot: Picture1.png]

BGP Router ID Subnet: use an available, unused subnet from which IP addresses are assigned as BGP Router IDs to the FortiSASE security Points of Presence (PoPs). The subnet must be at least a /28.

If there are multiple hubs, the health check IP stays the same for all of them.

Save the Network Configuration changes with the 'Save' button, then open the 'Service Connections' tab to configure the first hub. On the Service Connections tab, select the 'Create' button in the upper-left corner. A new page opens, shown below, where the hub can be configured.

[Screenshot: Picture2.png]

Once the configuration is correct, the Health Check and VPN status indicators should both show 'up'.

[Screenshot: Picture3.png]

If 'Health' is selected:

[Screenshot: Picture4.png]

Go to SPA -> Service Connections -> Health and select the PoP; 'View Learned BGP Routes' appears at the top right.

[Screenshot: Picture5.png]

Security policies for private access:

Go to Configuration -> Policies, select Private Access, create a new policy, and define the policy required for the private access traffic.

[Screenshot: Picture6.png]
