SD-WAN 7.2 Study Guide PDF
This document is a study guide for Fortinet's SD-WAN 7.2. It covers topics like introduction, centralized management, members, zones, and performance SLAs, routing, sessions, rules, SD-WAN overlay design. It also includes monitoring and troubleshooting.
DO NOT REPRINT © FORTINET

SD-WAN Study Guide
FortiOS 7.2

Fortinet Training Institute - Library: https://training.fortinet.com
Fortinet Product Documentation: https://docs.fortinet.com
Fortinet Knowledge Base: https://kb.fortinet.com
Fortinet Fuse User Community: https://fusecommunity.fortinet.com/home
Fortinet Forums: https://forum.fortinet.com
Fortinet Product Support: https://support.fortinet.com
FortiGuard Labs: https://www.fortiguard.com
Fortinet Training Program Information: https://www.fortinet.com/nse-training
Fortinet | Pearson VUE: https://home.pearsonvue.com/fortinet
Fortinet Training Institute Helpdesk (training questions, comments, feedback): https://helpdesk.training.fortinet.com/support/home

12/13/2023

TABLE OF CONTENTS
Change Log 4
01 Introduction 5
02 Centralized Management 38
03 Members, Zones, and Performance SLAs 81
04 Routing and Sessions 123
05 Rules 168
06 SD-WAN Overlay Design and Best Practices 230
07 Monitoring and Troubleshooting 294
Solution Slides 324

Change Log
This table includes updates to the Study Guide dated 3/30/2023 to the updated document version dated 12/13/2023.

Change | Location
Various formatting fixes and typos | Entire Guide
"packet" changed to "packet loss" | 03 Members, Zones, and Performance SLAs - slide 17 notes

SD-WAN 7.2 Study Guide 4

Introduction

In this lesson, you will be introduced to the SD-WAN concept, use cases, and main components. You will also learn how to use the FortiGate GUI to configure and monitor a basic SD-WAN setup.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.
By understanding an SD-WAN solution and its use cases, you should be able to identify the most common scenarios where SD-WAN can be deployed to distribute traffic across your WAN links effectively and securely.

According to Gartner, software-defined WAN (SD-WAN) provides dynamic, policy-based, application path selection across multiple WAN connections and supports service chaining for additional services, such as WAN optimization and firewalls. Fortinet's implementation of SD-WAN is called Secure SD-WAN because it also provides security by leveraging the built-in security features available in FortiOS.

Secure SD-WAN relies on well-known FortiOS features such as IPsec, auto-discovery VPN (ADVPN), link monitoring, advanced routing, the internet services database (ISDB), traffic shaping, UTM inspection, and load balancing. The administrator can then combine these features and set rules that define how FortiGate steers traffic across the WAN based on multiple factors, such as the protocol, service, or application identified for the traffic, and the quality of the links.

Note that SD-WAN controls egress traffic, not ingress traffic. This means that the return traffic may use a different link from the one SD-WAN chose for egress.

One benefit of SD-WAN is effective WAN usage. That is, you can use public (for example, broadband, LTE) and private (for example, MPLS) links to securely steer traffic to different destinations: internet, public cloud, private cloud, and the corporate network. This approach of using different types of links to connect sites to private and public networks is known as hybrid WAN. Using a hybrid WAN reduces costs mainly because administrators usually steer traffic over low-cost fast internet links more than over high-cost slow private links. The result is that private links, such as MPLS links, are often used to steer critical traffic only, or as failover links for high availability.
Another benefit of SD-WAN is improved application performance because you can steer traffic through the best link that meets the application requirements. During congestion, you can leverage traffic shaping to prioritize sensitive and critical applications over less important ones. Also, the support of ADVPN shortcuts enables SD-WAN to use direct IPsec tunnels between sites to steer traffic, resulting in lower latency for traffic between the sites (spokes), and less load on the central locations (hubs).

This slide shows the architecture components of the Fortinet Secure SD-WAN solution. The core component of the architecture is FortiGate. When you use FortiGate to deploy SD-WAN, you leverage the existing connectivity, management, and next-generation firewall (NGFW) features supported by FortiOS. This means that you can consolidate SD-WAN and security in a single device, hence the term Secure SD-WAN.

Because FortiGate is one of the core components in the Fortinet Security Fabric, by extension your SD-WAN deployment can also benefit from many of the features supported by other products in the fabric. For example, you could use FortiManager to perform zero-touch provisioning for branches that require an SD-WAN setup. Similarly, you could use FortiSwitch to connect the WAN edge and LAN edge devices of your SD-WAN branch.

One key benefit of using FortiOS and FortiGate for your SD-WAN solution is the ability to perform application steering in SD-WAN. FortiGate inspects traffic using its IPS engine and the application signatures provided by FortiGuard to identify thousands of applications. The result is that you can configure FortiGate to steer traffic based on the application detected, rather than ports, protocols, and IP addresses.
The fact that FortiGate can identify the application regardless of the Layer 3 and Layer 4 information in the packet enables you to significantly reduce administrative overhead and scale more easily when deploying new applications and sites.

Direct internet access (DIA), also known as local breakout, is arguably the most common use case for SD-WAN. A site has multiple internet links (also known as underlay links), and the administrator wants FortiGate to steer internet traffic across the links. The links are connected to FortiGate using different types of physical interfaces: physical port, VLAN, link aggregation (LAG), USB modem, or through FortiExtender.

Usually, sensitive traffic is expedited and steered over the best performing links, while non-critical traffic is distributed across one or more links using a best effort approach. Costly internet links are commonly used as backup links, or to steer critical traffic only. Because the internet traffic leaves the organization boundaries directly on the local site, administrators usually enforce strict security policies on the internet traffic.

For routing, a typical configuration makes use of static default routes. However, in some cases, BGP is used between the ISP and FortiGate, especially if the site must advertise a public IP prefix.

Administrators can also manually define the upstream and downstream speeds of each link to prevent saturation during traffic distribution. Alternatively, they can configure FortiGate to use the SD-WAN bandwidth monitoring service to run speed tests against FortiGuard, and then automatically adjust the upstream and downstream speeds of the links based on the test results.

This slide shows an example of DIA. FortiGate has two internet links. One link is connected to wan1 and the other to wan2.
FortiGate uses both links to steer traffic sourced from the LAN and destined to cloud applications and websites on the internet.

You can use SD-WAN to steer corporate site-to-site traffic. Usually, companies follow a hub-and-spoke topology, and use VPN tunnels—typically dial-up IPsec tunnels—to transport the traffic between the sites. The tunnels (also known as overlay links) are established over internet and MPLS links (also known as underlay links). Tunnels can also carry internet traffic from a spoke to a hub, where it then breaks out to the internet. This is also known as remote internet access (RIA), and you will learn more about it in this lesson.

SD-WAN can monitor the link quality of the tunnels and select the best performing link for sensitive and critical traffic. If using ADVPN, SD-WAN can offload the traffic from a parent tunnel to a shortcut, thus reducing latency for spoke-to-spoke traffic. SD-WAN can also monitor the health of the shortcut tunnels to ensure they meet the configured service-level agreement (SLA).

If using ADVPN, you should apply all necessary security inspection on the local site because spoke-to-spoke traffic will eventually flow directly through the shortcut and will therefore bypass any inspection enabled on the hub. If not using ADVPN, you may consider applying a less restrictive policy on the spoke, provided you configure the hub to perform the additional required inspection.

For routing, a dynamic routing protocol, such as BGP, is often used to exchange routing information through the tunnels and scale more easily when adding new sites. If using ADVPN, internal BGP (IBGP) is recommended to preserve next hop information.

Similar to DIA, the hub FortiGate can run speed tests against the spokes to determine the upstream speed of tunnels. The hub FortiGate can then apply the speed test result as the upstream speed on the tunnel for traffic shaping purposes.
This slide shows an example of a deployment that uses SD-WAN to steer site-to-site traffic. Each site has two overlays configured, one using the internet underlay and the other the MPLS underlay. SD-WAN steers spoke-to-spoke and spoke-to-hub traffic. Because ADVPN is configured on the network, shortcuts are automatically established between spokes when spoke-to-spoke traffic is sent across the network. SD-WAN can then automatically offload the spoke-to-spoke traffic from parent tunnels to shortcuts, thus improving performance. SD-WAN also monitors the health of shortcuts and dynamically makes steering decisions based on their health and availability.

RIA, also known as remote breakout, is another use case for SD-WAN. Internet traffic from the spokes is backhauled through the WAN using overlay links. When the traffic arrives at the hub, it breaks out to the internet.

The most common reason to use RIA is to centralize security inspection and internet access on the hub. For example, you can have a central high-end FortiGate device that inspects all the internet traffic that leaves the organization and that conforms with the company policy, instead of having each low-end spoke FortiGate device inspect traffic, thus reducing costs and administrative overhead.

Another reason to use RIA is for DIA backup. For example, you could configure FortiGate to steer internet traffic through an MPLS link if the performance measured for internet applications on internet links is worse than on MPLS links, or simply if the internet links become unavailable.

This slide shows an example of RIA. Instead of using the local internet underlay to forward internet traffic, the FortiGate device on site 1 steers internet traffic to the hub through the overlay built over MPLS.
Once the traffic reaches the hub, the traffic is subject to a thorough security inspection before it breaks out to the internet.

To improve the performance of cloud applications while keeping network traffic secure, you can configure overlays against the closest point of presence (PoP) offered by the cloud provider in the area, thus reducing latency. You can configure FortiGate to connect to the cloud provider's built-in VPN gateway. Alternatively, you can deploy a FortiGate VM in the cloud and establish the overlays against it. Choosing to deploy a FortiGate VM in the cloud enables you to use FortiOS security features on traffic entering or leaving the cloud, as well as to use SD-WAN to steer sessions originating from the cloud.

For performance reasons, a cloud on-ramp connection is usually established directly from the spoke because a direct connection often results in the lowest latency. However, in some cases, traffic could be backhauled through the WAN using overlay links because of company policy, or because cloud tunnels are only available on the hub.

Another reason to backhaul cloud traffic through the WAN can be performance. For example, a company may use premium WAN links between the spokes and the hub, and between the hub and the cloud. The performance of the premium links is so high that backhauling the traffic through the WAN would result in a better user experience than accessing the local PoP directly from the spoke.

This slide shows an example of cloud on-ramp. The FortiGate device on site 1 has a direct tunnel against a FortiGate VM running in the cloud. This tunnel is used to steer traffic of cloud applications for performance and security reasons. Also, unlike site 1, the FortiGate device on site 2 uses an overlay to the hub to send traffic of cloud applications.
The hub then routes the traffic through its local cloud tunnel.

For larger deployments, you can extend the SD-WAN base design to include a second SD-WAN gateway. This second gateway can be in a different location to provide geo-redundancy. In such topologies, branch SD-WAN devices connect to two (or more) SD-WAN gateways. FortiGate steers traffic to one gateway or the other, according to the status, link health, and SLA of the devices. For easier management and rule definition, the administrator will group overlay links per device and per location. In addition to geo-redundancy, intra-site redundancy with an HA cluster—FGCP or FGSP—remains possible.

You can combine a geo-redundant topology with the use of ADVPN. In such scenarios, all sites must preserve original BGP next-hop values. Site prefixes must remain unchanged, including their original BGP next-hop value. A common way to achieve this is with the route reflector function. Alternatively, you can use Phase2 selectors for ADVPN route exchange. You will learn more about both options in another lesson.

This slide shows an example of a deployment that uses SD-WAN to steer traffic with dual hub geo-redundancy. Each site has four overlays configured, two to the primary site—one on each WAN underlay link—and two to the secondary site. SD-WAN steers spoke-to-hub traffic to the primary hub and continues to monitor the health of all overlay links. According to the rule definitions, SD-WAN triggers a fallback to the secondary hub, based on link quality or site availability.

For increased scalability, as your solution expands geographically and the number of sites grows, you might decide to segment the traffic and management of devices into multiple regions.
For each region, you can define either a single-hub or dual-hub SD-WAN topology. In each region, branch devices connect to the regional SD-WAN gateway. Then, regional gateways are interconnected between regions in a full-mesh design. When a user from one region needs to connect to a user or an application in another region, traffic will go through regional gateways. You should consider a design like this when traffic exchanged within each region is significantly higher than traffic between regions.

Usually, regions correspond to geographical areas but, according to expected traffic flows, you might want to consider a different segmentation. It could be shops and factories, or any other logical grouping applicable to your business.

This slide shows an example of a multi-region topology. Each region has its own SD-WAN topology, which can be single or dual hub. ADVPN shortcuts can be established between devices in each region, but inter-region traffic must always flow through regional hubs.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in SD-WAN fundamentals, you should be able to understand the basics of SD-WAN, including how to configure a basic DIA setup.

The first step to configure SD-WAN is to define the members and assign them to zones. This configuration is done on the SD-WAN Zones page. Members (also known as links) are existing physical or logical FortiOS interfaces that you select to be part of SD-WAN. The interfaces are then used to steer traffic based on the SD-WAN rules configured. When you configure a member in SD-WAN, you must assign it to a zone, and optionally set a gateway. Zones are logical groupings of interfaces. The interfaces in a zone have similar configuration requirements.
Like FortiGate interface zones, the goal with SD-WAN zones is to reference them in the configuration instead of individual members, to optimize the configuration by avoiding duplicate settings, and to achieve network segmentation. When set, the Gateway setting is used as the next hop to forward traffic through the member.

One zone is created by default: virtual-wan-link. The zone, virtual-wan-link, is the default zone where members are placed when you create them. The default zone is also used when you upgrade a FortiGate device running a version with no support for zones to a version that supports zones. During the upgrade, FortiGate places all existing members in the virtual-wan-link zone.

The example on this slide shows the default SD-WAN zone—virtual-wan-link—and one user-defined zone: underlay. The underlay zone contains port1 and port2 as members, which are used for a basic DIA setup. Note that, although the zone is named underlay because it contains that type of member, you can assign any name you like.

After you define your SD-WAN members and assign them to zones, you will probably want to monitor the health of your SD-WAN members on the Performance SLAs page. FortiGate performance SLAs monitor the state of each member—whether it is alive or dead—and measure the member packet loss, latency, and jitter. SD-WAN then uses the member health information to make traffic steering decisions based on the configured SD-WAN rules. For example, you can instruct FortiGate to steer internet traffic to a member, provided the member is alive and its latency doesn't exceed a given threshold. Performance SLAs also detect situations where the interface is physically up but FortiGate is unable to reach the desired destination, and flag the corresponding link as dead.

When you configure a performance SLA, there are several entries created by default that you can choose from.
The default entries measure the health of members against well-known internet services, such as FortiGuard, Google Search, and Amazon AWS. Alternatively, you can create your own entry and choose whether you want to monitor the health actively or passively. In active monitoring, the health of the member is checked by periodically sending probes—by default every 500 ms—from the member to one or two servers that act as a beacon. In passive monitoring, the health of a member is determined based on the traffic passing through the member.

The example on this slide shows a new entry named Level3_DNS. The entry contains the well-known 4.2.2.1 and 4.2.2.2 DNS servers, both of which are used to monitor the health of port1 and port2. The results show that the members are alive (green arrow), report no packet loss, and have average values for delay and jitter over the internet.

After you configure the zones, members, and performance SLAs, it's time to define the traffic steering rules for SD-WAN. This is done on the SD-WAN Rules page. When you configure an SD-WAN rule, you first define the application or traffic pattern to match. After that, you indicate the preferred members, or zones, to steer the matching traffic to, and in some cases, the performance metrics that the member must meet to be eligible to receive and forward the traffic.

SD-WAN rules are evaluated in the same way as firewall policies: from top to bottom, using the first match. However, unlike firewall policies, they are used to steer traffic, not to allow traffic. When you use SD-WAN rules, you must configure corresponding firewall policies to allow the SD-WAN traffic.

There is an implicit SD-WAN rule created by default. If none of the user-defined SD-WAN rules are matched, then the implicit rule is used. By default, the implicit rule load balances the traffic across all available SD-WAN members.
The example on this slide shows two user-defined rules named Critical-DIA and Non-Critical-DIA, which are used to steer traffic in this basic DIA setup. The Critical-DIA rule steers GoToMeeting, Microsoft.Office.365.Portal, and Salesforce traffic to the member with the lowest latency, between port1 and port2. The example shows that port1 is selected because it is the member with the check mark beside it. The Non-Critical-DIA rule steers Facebook and Twitter traffic to port2.

The implicit rule, located at the bottom of the list, is used if neither of the two user-defined rules is matched. You can see that it applies to all IPv4 and IPv6 source and destination addresses. The icons beside the object names—4 and 6—distinguish IPv4 objects from IPv6 objects.

For well-known applications, you can rely on FortiGuard services and define SD-WAN rules to steer traffic per application or application category. For instance, you can decide to direct leisure applications like games or Facebook to low-cost links and reserve high-quality, costly links for business traffic.

Visibility of application detection criteria is, by default, hidden on the FortiGate GUI. You must enable feature visibility on the CLI using the global command set gui-app-detection-sdwan enable. Note that if GUI visibility is disabled, the configuration for application criteria remains active and is still visible on the CLI.

In addition to applications and application groups, you can also select application categories as SD-WAN rule destination criteria for IPv4 rules. To determine which applications flowing through your network match the defined applications, use the CLI command diagnose sys sdwan internet-service-app-ctrl-category-list.

SD-WAN rules define the traffic steering policies in SD-WAN.
However, traffic won't be forwarded to an SD-WAN member unless there is a valid route that matches the destination address of the traffic through the SD-WAN member. You can use static and dynamic routing in SD-WAN. This slide shows an example of a static default route configured for the underlay zone, which is used to route traffic in our basic DIA setup.

When you configure static routes for SD-WAN, you usually reference an SD-WAN zone to simplify the configuration. However, you can also reference individual members instead, so that you have more granular control over traffic. When you reference a zone in a static route, FortiGate installs individual routes for each member in the zone. The individual routes are then displayed in the routing table as equal cost multi-path (ECMP) routes. Note that when you configure a static route that references a zone, you don't have to specify a gateway address because FortiGate retrieves it from the member configuration.

In addition to having a valid route, you must also have a firewall policy that allows the traffic steered by SD-WAN. You configure SD-WAN firewall policies in the same way as regular firewall policies, except that, when selecting an outgoing or incoming interface, you must reference an SD-WAN zone. When you reference a zone, you simplify the configuration by avoiding duplicate firewall policies.

You may need to reference a member in your firewall policy because you want to apply a different action on the traffic flowing through that member, such as applying different security profiles and NAT settings. Because you can't reference members in a firewall policy, a workaround is to place a single member in a separate zone, and then reference that zone in the firewall policy.

The example on this slide shows a firewall policy named LAN-to-underlay that references the underlay zone, which contains port1 and port2 as members.
As a result, DIA traffic steered over port1 or port2 will be allowed by FortiGate, provided it matches the firewall policy criteria and it passes the security inspection configured on the policy.

This slide shows the equivalent CLI configuration for the basic SD-WAN DIA setup described so far. The SD-WAN specific configuration is found under config system sdwan. Inside config system sdwan, there are separate configuration sections for each SD-WAN component. The example shown on this slide breaks down the CLI configuration into two parts. The first portion displays the zone, member, and performance SLA configuration. The second, the SD-WAN rules configuration. Note that FortiOS uses the terms health-check and service to refer to the performance SLA and rule configuration on the CLI, respectively. You will explore the CLI configuration in more detail in other lessons.

Before adding an interface as an SD-WAN member, you must first remove any configuration references to the interface. This is fine if your configuration is simple, but if your configuration has a considerable number of references, then the reference removal and adding process can be very time consuming and disruptive to the network. An alternative is to use the Integrate Interface feature available on the Interfaces page on the FortiGate GUI. When you use the Integrate Interface feature, you can instruct FortiGate to migrate an interface to SD-WAN. The result is that FortiGate automatically tries to replace the individual interface with the selected SD-WAN zone on every configuration object that references the interface. Note that if the change does not apply to a configuration node, or if FortiGate can't replace the reference, then FortiGate leaves the configuration node as is.
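The following FortiOS CLI fragment is an added example, not the configuration from the slide, that puts the pieces of the basic DIA setup from this lesson together in the form FortiOS stores them: the underlay zone with port1 and port2, the Level3_DNS performance SLA (health-check), the Critical-DIA and Non-Critical-DIA rules (service), the static default route through the zone, and the LAN-to-underlay firewall policy. The gateway addresses, the LAN interface port3, the 250 ms SLA threshold and the security profiles are assumptions, and the application IDs are placeholders that must be replaced with the numeric FortiGuard application IDs of the applications named in the comments.

```fortios
# Added example (assumed values are marked); not the study guide's own CLI listing.
config system sdwan
    set status enable
    config zone
        edit "underlay"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "underlay"
            set gateway 203.0.113.1        # assumed ISP1 next hop; the static route below inherits it
        next
        edit 2
            set interface "port2"
            set zone "underlay"
            set gateway 198.51.100.1       # assumed ISP2 next hop
        next
    end
    # Performance SLA: active probes (default interval 500 ms) from both members to the two DNS beacons
    config health-check
        edit "Level3_DNS"
            set server "4.2.2.1" "4.2.2.2"
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency
                    set latency-threshold 250   # assumed threshold (ms) for an SLA-mode rule; unused by the two rules below
                next
            end
        next
    end
    # SD-WAN rules, evaluated top to bottom, first match wins; the implicit rule load-balances the rest
    config service
        edit 1
            set name "Critical-DIA"
            set mode priority                  # "Best Quality": pick the member with the lowest latency
            set link-cost-factor latency
            set health-check "Level3_DNS"
            set src "all"
            set internet-service enable
            # placeholders: numeric application IDs of GoToMeeting, Microsoft.Office.365.Portal, Salesforce
            set internet-service-app-ctrl <GOTOMEETING-ID> <OFFICE365-PORTAL-ID> <SALESFORCE-ID>
            set priority-members 1 2
        next
        edit 2
            set name "Non-Critical-DIA"
            set mode manual                    # steer to port2 only, as long as port2 is alive
            set src "all"
            set internet-service enable
            # placeholders: numeric application IDs of Facebook and Twitter
            set internet-service-app-ctrl <FACEBOOK-ID> <TWITTER-ID>
            set priority-members 2
        next
    end
end

# Static default route via the zone: FortiGate expands it to one ECMP route per member,
# using each member's gateway, so no gateway is given here
config router static
    edit 1
        set sdwan-zone "underlay"
    next
end

# Firewall policy referencing the zone (members cannot be referenced directly).
# Logging all traffic populates the SD-WAN Rule Name and SD-WAN Quality columns used in monitoring.
config firewall policy
    edit 1
        set name "LAN-to-underlay"
        set srcintf "port3"                    # assumed LAN interface
        set dstintf "underlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set logtraffic all
        set nat enable
    next
end
```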
After completing this section, you should be able to achieve the objectives shown on this slide. By understanding basic monitoring of SD-WAN, you should be able to identify the different tools available on the FortiGate GUI to check SD-WAN traffic distribution, health, and events.

You can browse to the SD-WAN Zones page to monitor the traffic distribution over the SD-WAN members. The page contains graphs that display traffic distribution based on bandwidth, volume, or sessions. Note that bandwidth refers to the data rate, while volume refers to the amount of data. You can also hover over a member or the graph to get a specific amount of bandwidth, volume, or sessions. The example on this slide shows the corresponding traffic distribution graphs of the basic DIA setup.

You can browse to the Performance SLAs page to monitor the health of your members. You first select the performance SLA you want to check (Level3_DNS in the example). The graphs on the page will then display the packet loss, latency, and jitter of each member using the selected performance SLA. Note that the information shown in the graphs is limited to the last 10 minutes. You can also hover over the graph to get a specific amount of packet loss, latency, or jitter. The example on this slide shows the corresponding health graphs for the two members used in the basic DIA setup.

The SD-WAN widget offers a consolidated view of both the health of a member and its usage. The example on this slide shows two SD-WAN members configured: port1 and port2. However, port1 is currently down, which is why there is only traffic going through port2.
The graphs on the page summarize the health of the alive members—only port2 in this case—and indicate how many of them fall within some predefined ranges of packet loss, latency, and jitter. The example shows that packet loss and jitter on port2 are within the low range, and its latency is within the medium range. You can click a range to display the list of members that fall within that range.

The Forward Traffic logs page is useful to identify how sessions are distributed in SD-WAN and why. Make sure to enable the SD-WAN Rule Name and SD-WAN Quality columns, which are disabled by default. The former indicates the matched SD-WAN rule for a session, and the latter the member the session was steered to and the reason.

The table on this slide shows multiple sessions. The first session in the table was identified as a Salesforce application, matched the Critical-DIA rule, and was sent to port1. The reason port1 was selected was that it had the lowest latency. The second session in the table, which was identified as a Facebook application, matched the Non-Critical-DIA rule, and was sent to port2. The Non-Critical-DIA rule instructs FortiGate to steer matching traffic to port2 only, provided the port is alive. This behavior matches the reason described in the SD-WAN Quality column for that session.

The SD-WAN Events sub-section on the Events page displays logs that report the state changes of the SD-WAN members. In most cases, you want to click a log to fully understand the event. For example, the third log in the table indicates that the state of port1 changed from dead to alive. Although the details of the second and first logs are not shown, the logs report that port1 is ready to forward traffic, and that the member preference in the rule that uses port1 (Critical-DIA) was updated to include port1.
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned the most common use cases for SD-WAN, its main components, and how to configure and monitor a basic SD-WAN DIA setup.

Centralized Management

In this lesson, you will learn how FortiManager can help to deploy and maintain SD-WAN networks.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide. By understanding how to deploy SD-WAN using FortiManager, you should be able to leverage the FortiManager centralized features to reduce operation costs when deploying and maintaining SD-WAN across a large network.

FortiManager is a key component for deploying SD-WAN across a large network. Centralized (single-pane-of-glass) management through FortiManager can help you to more easily manage SD-WAN deployment across many devices and reduce the cost of operation.

How can FortiManager help you with your SD-WAN deployment?
- Provision SD-WAN templates, CLI templates, and firewall policies across multiple devices with the same configuration requirements.
- Enable you to configure SD-WAN on a per-device basis.
- Monitor SD-WAN status.
- Act as a central repository for configuration revision control and security audits.
- Deploy and monitor complex IPsec VPN topologies (IPsec overlays).
- Perform zero-touch provisioning for new SD-WAN sites.
- Use scripts and JSON APIs to automate device provisioning and perform policy changes for SD-WAN.
To organize and efficiently manage a large-scale network, FortiManager has multiple management layers.

The global ADOM layer has two key pieces: the global object database and header and footer policy packages. Header and footer policy packages envelop the policies for each ADOM. Policy packages are often used in a carrier environment, where the carrier allows customer traffic to pass through their network but doesn’t allow the customer to have access to their network infrastructure.

The ADOM layer is where policy packages are created, managed, and installed on managed devices or device groups. You can create multiple policy packages here. The ADOM layer includes one common object database for each ADOM. The common object database contains information such as addresses, services, and security profiles. ADOMs enable you to create groupings of devices for administrators to monitor and manage. The purpose of ADOMs is to divide administration of devices by ADOM and to control (restrict) administrator access.

The Device Manager layer records information on devices that are centrally managed by the FortiManager device, such as the name of the device, type of device, model, IP address, current firmware installed, revision history, and real-time status.

The Device Manager pane provides device and installation wizards to aid you in various administrative and maintenance tasks. Using these wizards can decrease the amount of time it takes to do many common tasks. There are four main wizards on the Device Manager pane:

- Use Add Device to add devices to central management and import their configurations.
- Use Install Wizard to install configuration changes from the Device Manager pane or Policy & Objects pane to the managed devices.
It allows you to preview the changes and, if the administrator doesn’t agree with the changes, cancel and modify them.
- Use Import Configuration to import interface mappings, policy databases, and objects associated with the managed devices into a policy package on the Policy & Objects page. It runs with the Add Device wizard by default, and you can run it at any time from the managed device list.
- Use Re-install Policy to perform a quick installation of the policy package. It provides the ability to preview the changes that will be installed on the managed device.

You can open the Import Configuration and Re-install Policy wizards by right-clicking your managed device in the Device Manager.

FortiManager offers two approaches for configuring SD-WAN: per-device management and central management.

In per-device management, you configure SD-WAN settings for individual devices. You make configuration changes on the SD-WAN page of the managed device, and then install them. The per-device management approach is useful when your devices have different SD-WAN configuration requirements, and therefore, you must maintain separate settings for each device.

In central management, you configure SD-WAN templates and assign them to one or more FortiGate devices. For each SD-WAN template, you define SD-WAN members, zones, performance SLAs, rules, and so on. This approach is convenient for deploying multiple devices that use similar configurations because it reduces the administrative overhead. That is, instead of applying a change on each managed device, you apply it on the shared template. Then, when you install the template changes, FortiManager pushes the change to all target devices of the template.

The screenshots on this slide show the FortiManager pages where you apply per-device and central SD-WAN settings.
While both pages are in the Device Manager pane, you must click the managed device to access the per-device SD-WAN settings. You can find the SD-WAN central settings under the Provisioning Templates section in the Device Manager pane. The SD-WAN Overlay Templates combine, in a guided approach, the configuration of SD-WAN, IPsec overlay, and ADVPN templates. You will learn more about the SD-WAN overlay templates in this lesson.

Whether you configure SD-WAN using per-device management or central management, the FortiManager pages for both approaches look almost the same. One difference is that the per-device settings page shows the Create VPN button, which enables you to quickly create an IPsec tunnel that can later be added as an SD-WAN member. Another difference is that when you configure an SD-WAN member using an SD-WAN template (central management), you can use metavariables in the Interface Member, Gateway, and Health-Check Server settings. Metavariables enable you to define variables that can be assigned different values per device. Metavariables were introduced with FortiManager 7.2.0 and replace metafields. You will learn more about metavariables in this lesson.

The way you configure SD-WAN settings using FortiManager is very similar to how you configure them on the FortiGate GUI. This slide shows an example of a configuration made using per-device management. Like FortiGate, there are three sections available on the GUI: Interface Members, Performance SLA, and SD-WAN Rules, and they serve the same purpose as on the FortiGate GUI.

Metadata variables are ADOM-level parameters—also available for the Global ADOM for per-ADOM mapping—introduced with FortiManager version 7.2.0. You can use metadata variables in CLI scripts, templates, or model devices.
They provide the required flexibility whenever a parameter has different values on each device. You can access the Metadata Variables menu under Policy & Objects > Advanced to review and edit metadata variables. The metadata variable name can contain only letters, numbers, and underscores.

On upgrade from version 7.0 or earlier, FortiManager creates metadata variables at the ADOM level for metafields used in the ADOM. If a metafield contains characters unsupported for metadata variable names, the name is modified, and every unsupported character is replaced with an underscore (_). System-level metafields are kept on upgrade for reference. They remain visible under System Settings > Advanced > Meta Fields.

The FortiManager metadata variables are user-defined variables that enable you to assign different values to a setting for a given device. They are particularly useful when you configure SD-WAN members using SD-WAN templates. You can use metadata for the Interface Member setting. This allows you to use different interfaces on different devices without having to create separate templates.

Another use case for metadata is the gateway setting of SD-WAN members. Even if you use the same interface name for the devices assigned to a template, their gateway is likely to differ. For this reason, you can define a metadata variable for the gateway setting that indicates the gateway IP address to push for the member on each device.

The example on this slide shows the use of two metadata variables for SD-WAN member configuration. The sdwan_port1_gw metadata variable is used to define a different gateway for port1 on each managed device. That is, the gateway for port1 on branch1_fgt and branch2_fgt will be 192.2.0.2 and 203.0.113.2, respectively.
For member ID 5 in the underlay zone, the inet3_port metadata variable is used to indicate the name of the interface to use as the member on each managed device. That is, branch1_fgt will use port3 as the member, and branch2_fgt will use port8.

In the Performance SLA section, the health check servers for the Level3_DNS entry are defined with one static server IP, the same IP for every device, and one metadata variable to adjust the health check server IP according to device location.

To reference a metadata variable in the SD-WAN member configuration, type $ at the beginning of the string so FortiManager shows a list of available metadata variables. On this pop-up menu, a + sign allows you to create a new metadata variable, if required.

The magnifying glass with a $ sign indicates fields where you can use a metadata variable. In the example shown on this slide, the user can enter the IP address and netmask as usual, or enter $ to display the metadata variable menu and select one metadata variable for the subnet and one metadata variable for the subnet mask. Note that it’s mandatory to specify the subnet mask separately. Valid options are:

    $(LAN_Subnet)/$(LAN_Mask)
    $(LAN_Subnet)/255.255.255.0

After you enter the $ sign in a field, a pop-up menu allows you to select an already defined variable. You can create a new variable with the + sign, or edit an existing metavariable with the pen sign displayed when you hover over a variable. To review and edit all metadata variables at the ADOM level, go to Policy & Objects > Object Configurations > Advanced > Metadata Variables.

If you click the + sign to create a new metadata variable, FortiManager shows a window where you can create a new variable and its per-device mapping. You can then define the variable name and its values.
Note that for some fields, you cannot use a metadata variable without a default value. Therefore, it’s a good practice to set a default value for each metadata variable you create. FortiManager uses the default value when installing the configuration on each FortiGate for which you didn’t specify a per-device mapping. One example of a field that requires a default value is IP/Netmask for a firewall address object.

For SD-WAN central management, you can import the SD-WAN settings of a device into an SD-WAN template in FortiManager. You can then use the template to deploy SD-WAN on other FortiGate devices that require the same configuration.

After you configure a new template or you import its settings from a managed device, you can then assign the template to one or more devices or device groups.

In addition to configuring an SD-WAN template, you may also need to configure a system template and one or more CLI templates. A system template enables you to create and manage common system-level settings for the managed device. The System Template page contains one generic profile named default, which contains widgets for settings such as DNS, Alert Email, Admin Settings, Log Settings, and others. You can create a new device profile and configure the settings in the widgets in that profile. You can use the More icon and Import to import the settings from a specific managed device, which inherits the system-level settings of that managed device. You can use the Assign to Device/Group tab to associate devices with a profile, or to view the list of devices already assigned to a profile. You can apply these configured profiles to multiple devices within the same ADOM, which facilitates identical device-level settings across many devices.
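As an added illustration (not FortiManager's own code or API), the following Python script models how a CLI template that references metadata variables with the $(name) syntax is resolved per device: the per-device mapping wins, the default value is used where no mapping exists, and a variable with neither cannot be installed for that device. It also applies the naming rules described above (letters, digits and underscores only, with other characters replaced by an underscore when a metafield is converted). All variable names, device names, addresses and FortiOS commands in it are constructed sample values.

```python
import re

# Constructed sample: a CLI template fragment referencing metadata variables
# with the $(name) syntax used in FortiManager CLI templates. The variable
# names and the FortiOS commands are illustrative only.
CLI_TEMPLATE = """\
config system sdwan
    config health-check
        edit "HUB_HC"
            set server "$(hub_loopback_ip)"
            set source $(sdwan_vpn_hc_srcip)
        next
    end
end
config firewall address
    edit "LAN_NET"
        set subnet $(LAN_Subnet)/$(LAN_Mask)
    next
end
"""

# Constructed metadata-variable table: each variable has an optional default
# and a per-device mapping, mirroring the FortiManager metadata variable dialog.
METADATA_VARIABLES = {
    "hub_loopback_ip": {"default": "10.200.1.1", "per_device": {}},
    "sdwan_vpn_hc_srcip": {
        "default": None,
        "per_device": {"branch1_fgt": "10.10.1.1", "branch2_fgt": "10.10.2.1"},
    },
    "LAN_Subnet": {
        "default": None,
        "per_device": {"branch1_fgt": "192.168.1.0", "branch2_fgt": "192.168.2.0"},
    },
    "LAN_Mask": {"default": "255.255.255.0", "per_device": {}},
}

VALID_NAME = re.compile(r"^[A-Za-z0-9_]+$")   # letters, digits, underscore only
REFERENCE = re.compile(r"\$\(([^)]*)\)")      # matches $(name) in a template


def normalize_metafield_name(name):
    """Map a legacy metafield name to a valid metadata variable name by
    replacing every unsupported character with an underscore."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def validate_table(table):
    """Reject variable names that break the letters/digits/underscore rule."""
    bad = [name for name in table if not VALID_NAME.match(name)]
    if bad:
        raise ValueError("invalid metadata variable names: %s" % ", ".join(bad))


def resolve(name, device, table):
    """Return the value of one metadata variable for one device.

    The per-device mapping takes precedence; otherwise the default is used;
    a variable with neither has no value to install for this device."""
    if name not in table:
        raise LookupError("metadata variable %r is not defined" % name)
    entry = table[name]
    if device in entry["per_device"]:
        return entry["per_device"][device]
    if entry["default"] is not None:
        return entry["default"]
    raise LookupError(
        "metadata variable %r has no mapping for %s and no default" % (name, device)
    )


def render(template, device, table):
    """Render a CLI template for one device by replacing every $(name)."""
    validate_table(table)
    return REFERENCE.sub(lambda m: resolve(m.group(1), device, table), template)


def render_for_devices(template, devices, table):
    """Render the template for every target device; returns {device: text}."""
    return {device: render(template, device, table) for device in devices}


def missing_values(template, devices, table):
    """Pre-install check: list (device, variable) pairs that would fail."""
    problems = []
    for device in devices:
        for name in sorted(set(REFERENCE.findall(template))):
            try:
                resolve(name, device, table)
            except LookupError:
                problems.append((device, name))
    return problems


if __name__ == "__main__":
    targets = ["branch1_fgt", "branch2_fgt", "branch3_fgt"]
    # branch3_fgt has no mapping for two variables that lack a default.
    print(missing_values(CLI_TEMPLATE, targets, METADATA_VARIABLES))
    for dev, text in render_for_devices(CLI_TEMPLATE, targets[:2], METADATA_VARIABLES).items():
        print("#", dev)
        print(text)
```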
CLI templates enable you to create CLI scripts or a group of CLI scripts that you can assign to managed devices. FortiManager then enforces the content of the script when pushing the configuration to managed devices. CLI templates are useful for pushing advanced CLI settings, or settings that reference metadata variables.

For example, you can use CLI templates to push the SD-WAN settings shown on this slide, which instruct FortiManager to configure the source address for the health check probes used by the SD-WAN members. Instead of indicating the source address directly, you can reference a metadata variable (sdwan_vpn_hc_srcip in the example). Because the metadata variable is defined with per-device mapping values, FortiManager can push a different source address based on the target device.

On FortiManager you can create two types of scripts: CLI scripts and Jinja scripts. For CLI scripts, you use FortiGate CLI commands and the $ sign to reference metadata variables. This type of script is very easy to use but does not offer advanced programming functions. With Jinja scripts, you can use Python-like syntax to configure advanced scenarios. Note that in Jinja scripts, you must reference metadata variables with double braces ({{ }}). You can use a template group to assign multiple CLI scripts to managed devices. The template groups can contain a mix of CLI and Jinja scripts and are applied in a top-down order.

When you configure firewall policies for SD-WAN, you must first create a policy package. The policy package then contains one or more firewall policies that are assigned to one or more managed devices. Firewall policies for SD-WAN traffic must reference SD-WAN zones and not individual members.
The other interface configured in the firewall policy is usually a normalized interface, for which you must configure correct mapping rules. Normalized interfaces enable you to reference different interfaces on a per-device or per-platform basis. The goal is to be able to share objects, such as firewall policies, across multiple devices with different interface configurations. When FortiManager installs objects that reference a normalized interface, it reads the configured mapping rules, and then assigns the mapped interface to the pushed configuration of each target device.

In the example shown on this slide, the branches-pp policy package contains one firewall policy named DIA. The LAN normalized interface is configured as the incoming interface on the policy. LAN is mapped to port5 on both the branch1_fgt and branch2_fgt devices, but it could be mapped to different interfaces if needed.

After you install the SD-WAN settings and relevant configuration on FortiGate, you can use the SD-WAN Monitor page on FortiManager to view the status of the FortiGate devices and their SD-WAN members. Note that, by default, you must manually refresh the page to poll the latest status from the device. Alternatively, you can select an automatic refresh interval.

The Map View option shows the location of devices on a map. The location is based on the location settings configured for the device in FortiManager.

Hover over a member to view its health and utilization details. Note that the member utilization percentage is calculated based on the values configured for the estimated-upstream-bandwidth and estimated-downstream-bandwidth interface settings. You will learn more about these settings in another lesson.

Finally, you can click a device to view historical graphs reporting on the member utilization and health. The next slide shows an example of those graphs.
When you click a device on the SD-WAN Monitor page, FortiManager displays historical graphs reporting on the utilization and health of the SD-WAN members on that device. This slide shows an example of the utilization and health graphs displayed by FortiManager. The user can select the time range to display.

Note that, by default, FortiManager displays the data for the past 10 minutes only. To collect and display data over an extended time period, you need to enable data storage on the FortiManager disk with the following CLI commands:

    config system admin setting
        set sdwan-monitor-history enable
    end

Once the feature is activated, FortiManager stores the data on its disk for each managed SD-WAN device for up to 180 days. To avoid excessive disk usage, you can reduce the retention to only a few days with the following CLI commands, where <days> is the number of days to keep:

    config system admin setting
        set rtm-max-monitor-by-days <days>
    end

After completing this section, you should be able to achieve the objectives shown on this slide. By understanding the IPsec configuration templates available on FortiManager, you will be able to easily configure IPsec VPN tunnels on FortiGate. You will then see how to use the configured IPsec tunnels as overlays in SD-WAN.

On FortiManager, you can use the IPsec template to easily configure consistent IPsec settings on multiple devices. There are various ways to prepare a template:

- Create a new template and manually define all required IPsec parameters (Create New).
- Import settings from a managed FortiGate with an already defined IPsec tunnel (Import).
- Use a Fortinet Recommended template (Activate).

Recommended templates allow you to prepare a template for IPsec tunnels using Fortinet recommended settings for phase1 and phase2 parameters.
- The IPsec_Fortinet_Recommended template defines a template for a static point-to-point tunnel.
- The BRANCH_IPsec_Recommended template defines a template for a static tunnel (with a known remote IP address).
- The HUB_IPsec_Recommended template defines a template for a dynamic tunnel (an IPsec hub for dial-up tunnels).

This slide shows an example of the limited number of parameters that you must provide to prepare a branch tunnel configuration with the Branch_IPsec recommended template. Then, using those parameters, FortiManager prepares a template with the IPsec configuration ready to install on the device. You can still review the template and adjust it if necessary. As you already discovered for SD-WAN or CLI templates, metadata variables are useful to customize the template with values specific to each device.

Note that if you are already familiar with FortiManager and have used the VPN manager for your deployments, you can keep using it. However, for new deployments, you should use the IPsec recommended templates.

The Hub IPsec recommended template prepares a template for a dynamic IPsec VPN tunnel with an outgoing interface, pre-shared key, and IP address range for the remote tunnel specified by the administrator. The tunnel name, network ID, and encryption proposal are automatically set with the values VPN1, ID1, and aes256-sha256. Of course, if required, you can edit and adjust the template. Note that on template creation, Keep Alive is disabled. You can edit Keep Alive to enable it.

The Branch IPsec recommended template prepares a template for the static IPsec VPN tunnel. You must specify the IP address for the remote end of the tunnel. The template uses the outgoing interface, pre-shared key, and local branch ID specified by the administrator. The local ID must be unique for each branch site.
It’s therefore convenient to define it as a metadata variable. The tunnel name, network ID, and encryption proposal are automatically set to HUB1-VPN1, ID1, and aes256-sha256. If required, you can edit and adjust those values and any other parameter from the template. Note that on template creation, as for hubs, Keep Alive is disabled. You can edit the template to enable Keep Alive.

Normalized interfaces enable you to reference different interfaces on a per-device or per-platform basis, thus simplifying the configuration and deployment process for multiple devices. Usually, FortiManager requires you to normalize interfaces. However, it’s not required if you plan to configure an IPsec interface as an SD-WAN member. This is because SD-WAN members don’t use normalized interfaces. Another reason is that firewall policies for SD-WAN must reference SD-WAN zones, and not individual members.

If you don’t plan to use an IPsec interface as an SD-WAN member, then you must normalize the interface so you can reference it on firewall policies, which are required for the tunnel to come up. Keep in mind the following when normalizing the interface for IPsec:

- If you plan to use per-platform mapping, you don’t need to install the VPN configuration first. This is because FortiManager asks you to type the name of the interface. You must type the correct interface name; it must correspond to a normalized interface that you have already defined.
- If you plan to use per-device mapping, then you must install the VPN configuration first. This is because in per-device mapping, FortiManager looks for existing interfaces in the device settings database, which are created only after the installation is performed.

After you configure the normalized IPsec interface, you can reference the interface on firewall policies.
You can monitor the status of the tunnels and force them up or down from the VPN Monitor page, as shown on this slide. Note that Map View is available only for tunnels configured with VPN manager. You must select Show Table to monitor tunnels configured with tunnel templates.

After you configure your IPsec tunnels, you can start using them as SD-WAN members. Just make sure to remove any existing references to the individual members on firewall policies. Otherwise, FortiManager can’t install the SD-WAN configuration because you can’t reference individual SD-WAN members on firewall policies. You can reference SD-WAN zones only.

Note that SD-WAN members don’t use normalized interfaces. Instead, you must type the name of the interface on the device or use a metadata variable. In the example shown on this slide, T_INET_0 is the name of the IPsec interface on the device. The interface is configured as an SD-WAN member and placed in the overlay zone.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in the FortiManager SD-WAN overlay templates, you will be able to configure and deploy a large SD-WAN topology and associated overlay IPsec network with reduced effort.

Most SD-WAN deployments require complex overlay configurations for datacenter or cloud connectivity. FortiManager includes an SD-WAN overlay template with a wizard to automate and simplify the process using the IPsec and BGP settings recommended by Fortinet.
SD-WAN overlay template wizards guide you through the configuration steps and generate a set of consistent configuration templates for the SD-WAN, overlay, and routing configurations of hub and branch devices. Note that you can’t use VPN manager and SD-WAN overlay templates for the same network. When applicable, for a new deployment, you should use the SD-WAN overlay template. It provides a comprehensive approach and guides you through IPsec, BGP, and SD-WAN configuration.

Do the following to use the SD-WAN Overlay Template:

1. Define the network topology and subnets to use.
2. Preconfigure your network and SD-WAN devices with administrator settings, the interface IP/subnet, and so on.
3. Import devices to FortiManager.
4. Let the SD-WAN Overlay Template guide you through the configuration wizards.
5. Review the configuration templates generated.
6. Install the configurations on devices.

Note that if you need to add additional branch devices later, you can do that by adding devices to the branch device group.

Before you can define the SD-WAN Overlay Template, the first step is to import hub devices into FortiManager—you can use model devices—and configure the necessary links and interfaces. You can import branch devices in this preliminary phase or later, but you must create a device group that contains the branch devices before you proceed further with the SD-WAN overlay template.

Network planning is an important phase. You must define the following elements before using the SD-WAN overlay template:

- Topology type
- Overlay network address space
- Loopback IP address space
- BGP AS number for the SD-WAN overlay region

Note that to use the SD-WAN overlay template, your configuration must include a single overlay network.

SD-WAN overlay templates help you to configure templates for single-hub and dual-hub topologies.
A dual-hub topology offers options for primary and secondary hubs, or for two hubs active simultaneously (called Primary & Primary). Over the next few slides, you will explore how to use the wizards to create templates to configure devices for the topology shown on the diagram. We will use the following parameters:

- Dual Hub (Primary & Secondary)
- Two underlay links for each device
- iBGP routing
- ADVPN

First, you define the type of topology used, either single hub or dual hub, and the type of redundancy. In the Advanced section, apply settings for the network elements:

- Loopback IP Address
- Overlay Network
- BGP-AS Number
- Auto-Discovery VPN

The SD-WAN overlay template guides you through multiple wizards. FortiManager adjusts the fields available on each wizard according to the options you selected during this first step.

At step 2, you define device roles. For hub devices—two for a dual-hub topology—you must select from devices already discovered on FortiManager. For branch devices, at this stage, you must define a branch device group. This group can be empty while you are working on the template. Later in this lesson, you will learn how to perform a bulk device import from a CSV file. Later, you can add devices to the branch device group as the network evolves and new sites join the SD-WAN topology.

Step 3 consists of the network configuration for hub and branch devices. At this stage, you define the network interfaces used for underlay links, usually a static definition for hubs and metadata variables for branches. The Private Link checkbox indicates a secure internal link. FortiManager will NOT define an overlay link through this interface. You can also add additional underlay links at this stage (+ sign).
For network advertisements, you can decide between connected subnets advertisement or static network prefixes definition. For connected subnets advertisement, you must select the interfaces that correspond to the subnets to advertise. Branch route maps correspond to the route maps that the hub applies to a branch neighbor group.

Usually, to define WAN underlay interfaces for branch devices, you use metadata variables. This allows you to accommodate various types of branch sites and branch devices. Similarly, you can use metadata variables for connected subnet interface definitions.

In the Advanced section, you can define route mapping per hub overlay link or globally for all links. You can define Route map in, Route map out, and Route map out preferable settings. Route map out and Route map out preferable allow differentiated route map advertisements. If an SD-WAN member meets the SLA threshold, FortiGate applies the route map defined in the BGP neighbor's route-map-out-preferable option. If the SD-WAN member fails to meet the SLA, FortiGate applies the route map defined in the BGP neighbor's route-map-out option. This allows FortiGate to advertise the health of the SD-WAN member to its BGP neighbor by advertising different community strings based on SLA status. You will explore route map options in greater detail in another lesson.

At step 4, you must define the SD-WAN template that the SD-WAN overlay template process uses. The process does not create it automatically. You can call an existing SD-WAN template, and the SD-WAN overlay template process adds settings to it according to the options you selected. Usually, the process adds interface members and zones, at a minimum. If you have no predefined SD-WAN template, you must create one.
If you select Add Health Check Servers for Each HUB as Performance SLA, the process creates one performance SLA check for each hub loopback IP. These SLA checks are defined with the default values: detection protocol Ping, failure threshold 5, and recovery threshold 5. Once created, you can edit the SD-WAN template to review and adjust the values as required. The wizard does not create SD-WAN rules. You can add them later and refine them as requirements evolve.

The last step, step 5, is a review phase. You can review all settings and, if adjustments are required, go directly to the appropriate menu. Once you are happy with the settings, click Finish. You will see the results on the next slide.

The SD-WAN overlay template generates multiple templates, one per topic. For the branch devices, it adds settings to the SD-WAN template you defined. For branches and hubs, it creates BGP, IPsec, and CLI templates to accommodate all required configuration changes. The templates are grouped by device, and device assignment is done for you. At this stage, you can review each template and fine-tune settings as required before you apply the configurations to devices.

After completing the SD-WAN overlay template wizard, you must complete some additional tasks. The SD-WAN overlay template automatically creates a metadata variable called branch_id. You must define a unique branch ID value for each branch device. If you created additional metadata variables through the process, you should also define corresponding values for each device. Usually, you use metadata variables for device name, interface IP, or gateway.
You will also edit the SD-WAN template to configure SD-WAN rules and define SLA criteria, create policy packages for your branch and hub devices, and then install the changes on the devices with the install wizard. Later, you can return to the SD-WAN overlay template to edit and modify settings, and add new branch devices.

The SD-WAN overlay template guides you through the creation of SD-WAN, BGP, and IPsec tunnel templates in a combined process. If you require guidance for some tasks only, you can use Fortinet recommended templates. They are available for IPsec and BGP. To use a recommended template, select the desired template and activate it. It creates a personalized copy and, using a wizard, guides you through the configuration.

Device blueprints can simplify new deployments that use multiple devices of the same type and with similar configurations. They allow you to predefine various parameters per FortiGate device model, such as firmware version, assigned templates, or policy package. Note that if you decide to assign the devices to a group, they will inherit all templates associated with that device group. Therefore, to avoid the risk of conflicting configuration instructions, you should either assign provisioning templates or add devices to the group to benefit from group templates. You should not do both on the same blueprint. You can use a device blueprint in conjunction with a CSV file import to simplify the task of adding all branch devices to FortiManager.

For new SD-WAN deployments, you must add to FortiManager many similar FortiGate devices used on branch sites. Adding devices one by one would be repetitive and time consuming. To simplify this step, FortiManager provides a CSV file import feature.
You must build the file as comma-separated values (CSV) with device serial numbers, device names, associated blueprints and, for VM models, the number of interfaces. The SD-WAN overlay template automatically creates a branch_id metadata variable. If you use a CSV file to import SD-WAN branch devices, you must assign a unique branch_id value for each device. In addition to those required parameters, you can use a CSV file to define various per-device parameters with metadata variables.

The CSV file must be built with column headers and the corresponding list of values. The first columns must be: sn, device_blueprint, name and, for VMs, vm_interface_number. Additional optional column names must match exact metadata variable names. On file import, FortiManager sets metadata variable values for every predefined value and ignores columns that match already defined metadata variables.

Note that the Add Model Device and Import Model Devices from CSV File modes are intended for new FortiGate deployments, where no pre-existing configuration on the FortiGate device must be preserved. The configuration associated with the model device overwrites the configuration of the FortiGate device as part of the installation process, after FortiManager authorizes the FortiGate device.

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned the most useful features available in FortiManager for deploying SD-WAN in large networks.
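The CSV import described above is a good place for a pre-flight check, because a duplicated branch_id or a misspelled metadata variable column is only discovered after the model devices are created. The following Python script is an added example, not FortiManager's own code: it validates a branch import file against the column layout the guide describes (sn, device_blueprint, name, vm_interface_number for VMs, then one column per metadata variable), flags columns that match no defined metadata variable, and checks that sn, name and branch_id are present and unique. The serial numbers, blueprint name, device names and the set of defined metadata variables are constructed sample values.

```python
import csv
import io

# Column layout the CSV import expects: the fixed columns first, then one
# column per metadata variable (branch_id is created by the overlay template).
REQUIRED_COLUMNS = ["sn", "device_blueprint", "name"]
VM_COLUMN = "vm_interface_number"

# Constructed sample: the metadata variables defined in the ADOM.
DEFINED_METADATA_VARIABLES = {"branch_id", "inet3_port", "sdwan_port1_gw"}

# Constructed sample CSV: serial numbers, blueprint, names and values are
# placeholders, not real devices. branch3_fgt repeats branch2_fgt's branch_id.
SAMPLE_CSV = """\
sn,device_blueprint,name,vm_interface_number,branch_id,inet3_port,sdwan_port1_gw
FGVM00000000001,branch-vm-blueprint,branch1_fgt,4,1,port3,192.2.0.2
FGVM00000000002,branch-vm-blueprint,branch2_fgt,4,2,port8,203.0.113.2
FGVM00000000003,branch-vm-blueprint,branch3_fgt,4,2,port3,198.51.100.2
"""


def check_import_csv(text, defined_variables, vm_import=True):
    """Return a list of problems that would make the CSV import misbehave.

    An empty list means the file passes every check below."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []

    # The fixed columns must come first, in this order; vm_interface_number
    # is required for VM models only.
    expected = REQUIRED_COLUMNS + ([VM_COLUMN] if vm_import else [])
    if header[: len(expected)] != expected:
        problems.append(
            "first columns must be %s, got %s" % (expected, header[: len(expected)])
        )

    # Every extra column must match a defined metadata variable name exactly,
    # otherwise its values never reach the devices.
    extra = header[len(expected):]
    for column in extra:
        if column not in defined_variables:
            problems.append(
                "column %r does not match a defined metadata variable" % column
            )
    if "branch_id" not in extra:
        problems.append(
            "branch_id column missing: every SD-WAN branch needs a unique branch_id"
        )

    # sn, name and branch_id must be present and unique per device.
    tracked = [key for key in ("sn", "name", "branch_id") if key in header]
    seen = {key: {} for key in tracked}
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        for key in tracked:
            value = (row.get(key) or "").strip()
            if not value:
                problems.append("line %d: empty %s" % (line_no, key))
                continue
            if value in seen[key]:
                problems.append(
                    "line %d: %s %r already used on line %d"
                    % (line_no, key, value, seen[key][value])
                )
            else:
                seen[key][value] = line_no
        if vm_import:
            count = (row.get(VM_COLUMN) or "").strip()
            if not count.isdigit() or int(count) < 1:
                problems.append(
                    "line %d: %s must be a positive integer" % (line_no, VM_COLUMN)
                )
    return problems


if __name__ == "__main__":
    for problem in check_import_csv(SAMPLE_CSV, DEFINED_METADATA_VARIABLES):
        print(problem)
```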