FortiManager Device Configuration Guide

This document serves as a hands-on lab guide for configuring Secure SD-WAN using FortiManager and FortiGate devices. It covers various topics including adding devices, creating provisioning templates, managing VPN communities, and configuring policy packages, with a focus on advanced configurations for field deployment. The lab is designed for individuals with prior knowledge of Fortinet products and is structured to facilitate understanding of SD-WAN topologies and management practices.

Uploaded by rokibul
Contents

Lab Introduction
Add Devices to FortiManager
    Create ADOM
    Add Device
    Alternate add FMG to FGT
    Expected Output
Create Device Group
    Expected Output
Create and Assign Provisioning Template
    Create Provisioning Template
    Assign Provisioning Template
Normalized Interface
    Expected Output
Create Overlay
    Define VPN Communities
    Add Managed Gateway to Overlay
Create Policy Packages
    Branch Policy Package
    DC Policy Package
Push VPN and Policy
    Expected Output
Configure Overlay Essentials (IP, Ping, Bandwidth) and ADVPN
    Configure Overlay IP (GUI)
    Configure Estimated Bandwidth, Ping and ADVPN for Branch (Script)
Create Normalized Interface for Overlay
    Expected Output
Enable AD-VPN on HUB (CLI)
Routing through Provisioning Template
    Create Meta Field
    Populate Meta Field and Location
    DC Route Template (iBGP)
    Branch Routing Template (iBGP)
    Assign CLI Template to Devices
    Install Routing Configuration to Device
    Expected Output
Configure SD-WAN Template
    BGP Neighbour
    Health-Check Server
    Interface Members
    SD-WAN Template
        Branch-TEMP
        DC Template
    Assign SD-WAN Template
    Update SD-WAN Zone in Policy
    Update Device SD-WAN and Policy Package
    Add Default Route to SD-WAN Interface
    Expected Output
Inter DC Communication
    Create Overlay between DCs
    Update DC SD-WAN Template
        Create Normalized Interface
        Create SD-WAN Interface Member
        Include Interface Member into SD-WAN Template
        Expected Output
        Include Default Route on DC1 & DC2 for port2
        Configure IP Address for DC-DC Overlay
        Expected Output
    Configure Inter DC Routing (eBGP)
Quality of Service
    Configure
        Create "Shaping Profile"
        Create "Traffic Shaping Policy"
        Apply Shaping Profile to Interfaces
    Monitoring Interface-based Traffic Shaping
Create Event Handler
    Configure Mail Server
    Configure Event Handler

Lab Introduction
This document describes the Secure SD-WAN hands-on lab.

The lab has to be completed on the day of the training: the instances run in the cloud and shut down automatically after 24 hours. Although we will do our best to guide you through the caveats, this lab guide should NOT be seen as a step-by-step guide. It is assumed that you have prior knowledge of FortiManager, FortiGate and the Fortinet Secure SD-WAN solution.

The main objective of the lab is to help you understand several advanced configurations, and the requirements behind them, that can be leveraged during a field deployment.

In particular, we are going to cover the following SD-WAN topology:

Dual Hub and Dual Branches (with ADVPN, DIA and RIA).
IP and access detail:

Device        OOB (port10)   MPLS (port4)             INET (port1)             LAN                  User    Password
DC1_FGT       [Link]         [Link]/24, GW [Link]     [Link]/24, GW [Link]     port5: [Link]/24     admin   fortinet
DC2_FGT       [Link]         [Link]/24, GW [Link]     [Link]/24, GW [Link]     port5: [Link]/24     admin   fortinet
Branch1_FGT   [Link]         [Link]/30, GW [Link]     [Link]/30, GW [Link]     vl_lan: [Link]/24    admin   fortinet
Branch2_FGT   [Link]         [Link]/30, GW [Link]     [Link]/30, GW [Link]     vl_lan: [Link]/24    admin   fortinet
FMG           [Link]                                  port1: [Link]                                 admin   fortinet

NB: FPOC detail will be shared with each candidate.


Add Devices to FortiManager.

Create ADOM
Create an ADOM (LAB64) of type FortiOS 6.4 and enable Central Management for VPN, FortiAP, SD-WAN and
FortiSwitch.

System Settings > All ADOMs > Create New >

Add Device
All FortiGates are connected to the FortiManager through out-of-band (OOB) interfaces. The management
interface (port10) IP is preassigned on all FortiGate devices. Using the IP and access detail table, add all
FortiGate devices to FortiManager (in the newly created ADOM) for central management and analytics.

Note: Do not import the firewall policy; we will create the one required for the lab.
NB: You might get an error for DC1 and DC2; refresh the page and they will be added.

Also disable interface "port2" on the branch devices.

Alternate add FMG to FGT


Please note that in the field, devices can also be added to FortiManager from the FortiGate side through the Fabric Connector.

FortiGate > Security Fabric > Fabric Connectors > Other Fortinet Products > FortiManager.
Expected Output:

Create Device Group

Create two separate device groups and assign each FortiGate to its respective group.

1. Branch – Branch1_fgt & Branch2_fgt

2. DC – dc1_fgt & dc2_fgt

Device Manager > Device Group > Device Group > Create New Group
Think why we are doing this!!

Expected Output:
Create and Assign Provisioning Template

Provisioning templates are used to configure common parameters that apply to all devices in the
infrastructure. Settings such as DNS, NTP, admin settings, SNMP, log settings and more can be configured
once and pushed to multiple devices. For this lab we will use only DNS, Admin Settings and Log Settings.

Create Provisioning template


Device Manager > Provisioning Templates > System Template > Create New > Blank Template >

Select LAB_System-TEMP and edit. Click Toggle Widgets and check DNS, Admin Settings and Log Settings
as highlighted in the snapshot. Do not forget to click "Apply".
Assign Provisioning Template
System Template > LAB_System-TEMP (select) > Assign Devices > Select all devices > OK

Install the system template to all devices through "Install Device Settings (only)".
Click "Install Preview" and observe what configuration is pushed to each device. Download it for
future reference if required, then click "Install".

Observe how you can push configuration to tens or thousands of devices in a single go.

Normalized interface

A normalized interface defines mapping rules. In mapping rules, interfaces are mapped per-device and/or
per platform. You can have both per-device and per-platform mappings in a normalized interface. This
then can be used in VPN, Policy, and SD-WAN templates. When the normalized interface is used in a
policy, the per-device mappings have higher priority than per-platform mappings.

Create the following normalized interfaces:

1. LAN – use both per-platform mapping and per-device mapping.

2. INET – use per-platform mapping.
3. MPLS – use per-platform mapping.

Policy & Object > Object Configuration > Normalized Interface > Create New
Note: "Device Interface Name" has to match the name on the device exactly, e.g. "port1" or "port4". It
cannot be "Port1" or "PORT1".

If you encounter a problem while saving the configuration, work out why it occurred and how it can be
rectified. It is important that you get this right, since these objects are referenced in many
configurations further on.

Problem hint: an interface that is already mapped cannot be used again.

Stop and think why we are doing this!!

Expected Output:

Note: "all" is created by default; do not create or remove it.


Check that your mapping is reflected properly on all the devices. A Branch1 sample is shown for reference.
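To make the two pitfalls above concrete, here is an added example (not FortiManager code) that models how a normalized interface resolves to a real interface on each device and flags the mistakes the lab warns about: a device interface name that does not match exactly (case-sensitive) and an interface that is already mapped by another normalized interface. The platform name "FortiGate-VM64", the DC LAN being port5 and the interface inventories are assumptions constructed from the lab's access table.

```python
"""Added example, not FortiManager's own code: per-device resolution of a
normalized interface and the validation FortiManager applies when saving.
Assumed data model: each device has a platform and the exact interface names it
reports; a normalized interface holds per-platform and per-device mappings."""

# Constructed inventory: device -> (platform, interface names as the device reports them)
DEVICES = {
    "DC1_FGT": ("FortiGate-VM64", ["port1", "port2", "port4", "port5", "port10"]),
    "Branch1_FGT": ("FortiGate-VM64", ["port1", "port2", "port4", "port10", "vl_lan"]),
}

# Constructed normalized interfaces from the lab: INET/MPLS per platform,
# LAN per platform (port5 assumed for the DCs) with a per-device override on Branch1
NORMALIZED = {
    "INET": {"per_platform": {"FortiGate-VM64": "port1"}, "per_device": {}},
    "MPLS": {"per_platform": {"FortiGate-VM64": "port4"}, "per_device": {}},
    "LAN": {"per_platform": {"FortiGate-VM64": "port5"},
            "per_device": {"Branch1_FGT": "vl_lan"}},
}


def resolve(normalized_name, device_name, normalized=NORMALIZED, devices=DEVICES):
    """Real interface for one device. A per-device mapping wins over the per-platform one."""
    platform, _ = devices[device_name]
    entry = normalized[normalized_name]
    mapped = entry["per_device"].get(device_name) or entry["per_platform"].get(platform)
    if mapped is None:
        raise LookupError(f"{normalized_name}: no mapping for {device_name} ({platform})")
    return mapped


def validate(normalized=NORMALIZED, devices=DEVICES):
    """Return the problems FortiManager rejects on save: a name that does not exist
    on the device ('Port1' is not 'port1') and an interface already claimed by
    another normalized interface on the same device. Empty list means clean."""
    problems = []
    for dev in devices:
        owner = {}  # real interface -> normalized interface that already uses it
        for norm in normalized:
            try:
                real = resolve(norm, dev, normalized, devices)
            except LookupError as exc:
                problems.append(str(exc))
                continue
            if real not in devices[dev][1]:
                problems.append(f"{norm}: '{real}' not found on {dev} (check exact case)")
            elif real in owner:
                problems.append(f"{norm}: '{real}' on {dev} already mapped by {owner[real]}")
            else:
                owner[real] = norm
    return problems


if __name__ == "__main__":
    print(resolve("LAN", "Branch1_FGT"), resolve("LAN", "DC1_FGT"))
    print(validate() or "mappings are consistent")
```

Run it once as-is to see the clean result, then change a mapping to "Port1" or map port1 into a second normalized interface to see the same two errors the GUI produces.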

Create Overlay

The overlay is built over every available underlay path so that any path can carry any traffic. Here we
will use the "VPN Manager" feature of FortiManager, which automates IPsec provisioning across multiple
devices within minutes. The VPN Manager > IPsec VPN pane is used to create and monitor full-mesh, star
and dial-up IPsec VPN communities. IPsec VPN communities are also sometimes called VPN topologies.

While all of the stated topologies can be created, this lab focuses on the most commonly used one,
"Dial-up". Later on we will also enable ADVPN, which allows dynamic spoke-to-spoke communication.
Define VPN Communities
Let's configure a "VPN Community" for each set of interconnected gateways. Our FGTs are interconnected
over two separate underlay networks, so we will create four communities: one over the Internet
(OL_INET) and one over MPLS (OL_MPLS), replicated for each DC, so that the two DCs work active-active
as in many live deployments.

The following tables list some of the parameters that we will configure. Any parameter that does not
appear in the tables can be left at its default value. If a parameter listed in a table cannot be found
on FMG, check under "Advanced Options"!

VPN Manager > IPsec VPN > VPN Community > Create New > (Don't forget to disable VPN Zone.)

Parameter              DC1-INET         DC1-MPLS         DC2-INET         DC2-MPLS
Name                   OL1_INET         OL1_MPLS         OL2_INET         OL2_MPLS
VPN Topology           Dial-Up          Dial-Up          Dial-Up          Dial-Up
IKE Version            2                2                2                2
IKE SA Proposals       AES256/SHA256    AES256/SHA256    AES256/SHA256    AES256/SHA256
IPsec SA Proposals     AES256/SHA256    AES256/SHA256    AES256/SHA256    AES256/SHA256
Network Overlay        ON               ON               ON               ON
Network ID             11               12               21               22
VPN Zone               OFF              OFF              OFF              OFF
dpd-retrycount         2                2                2                2
dpd-retryinterval      3                3                3                3

Note: dpd-retrycount and dpd-retryinterval are set low for faster IPsec failover. These values suit the
lab; review them before using them in production, since aggressive DPD can tear tunnels down on brief
packet loss. Both are available under Advanced Options.

An example screenshot is given below.


Add Managed gateway to overlay

Now we will add managed gateways (devices managed by FMG) to the VPN communities just created. There are
two gateway roles, Hub and Spoke. Add the managed gateways according to the following tables for each
VPN community.

Note: Understand the highlighted parameters and how each is constructed.

Select the respective VPN Community > Create New > Managed Gateway > change the highlighted values.

Parameter                                      OL1_INET - HUB       OL1_INET - SPOKE   OL1_MPLS - HUB       OL1_MPLS - SPOKE
Protected Subnet                               all                  all                all                  all
Role                                           HUB                  Spoke              HUB                  Spoke
Device                                         DC1                  Branch             DC1                  Branch
Default VPN Interface                          INET                 INET               MPLS                 MPLS
Peer Type                                      Accept any peer ID                      Accept any peer ID
Enable IKE Configuration Method (mode config)  ON                   ON                 ON                   ON
IPv4 Start IP                                  [Link]                                  [Link]
IPv4 End IP                                    [Link]                                  [Link]
IPv4 Netmask                                   [Link]                                  [Link]
Add Route                                      OFF                  OFF                OFF                  OFF
net-device                                                          ON                                      ON
tunnel-search                                                       nexthop                                 nexthop

Parameter                                      OL2_INET - HUB       OL2_INET - SPOKE   OL2_MPLS - HUB       OL2_MPLS - SPOKE
Protected Subnet                               all                  all                all                  all
Role                                           HUB                  Spoke              HUB                  Spoke
Device                                         DC2                  Branch             DC2                  Branch
Default VPN Interface                          INET                 INET               MPLS                 MPLS
Peer Type                                      Accept any peer ID                      Accept any peer ID
Enable IKE Configuration Method (mode config)  ON                   ON                 ON                   ON
IPv4 Start IP                                  [Link]                                  [Link]
IPv4 End IP                                    [Link]                                  [Link]
IPv4 Netmask                                   [Link]                                  [Link]
Add Route                                      OFF                  OFF                OFF                  OFF
net-device                                                          ON                                      ON
tunnel-search                                                       nexthop                                 nexthop

A blank cell means the default is left unchanged. Double-check that this configuration is correct.


All VPN communities would then look like this.

Note: From here on, any device added to the Branch group automatically receives this overlay
configuration, provided its normalized interfaces are mapped properly. That is the automation.

Create Policy Packages.

VPN configuration is pushed to the devices only with "Install Policy Package & Device Settings", so let's
create the policy packages for DC and Branch.

Policy & Object > Policy Package > Select Default and clone it as DC-PP and Branch-PP.

Branch Policy Package

Branch-PP is as follows.
Policy & Object > Policy Package > Branch-PP > Create New >

Policy & Object > Policy Package > Branch-PP > Installation Target > Edit > add “Branch”

DC Policy Package
DC-PP is as follows.

Policy & Object > Policy Package > DC-PP > Create New >

Policy & Object > Policy Package > DC-PP > Installation Target > Edit > add “DC”
Note:

1. The overlay interfaces do not exist on the devices yet, so we use "any" as the interface. We will
update these policies once the overlays are created by pushing this policy package.

2. We are referencing the device group as the installation target. Any device added to this group
inherits this policy package by default.

Push VPN and Policy.

Now we will push the VPN and security policies to the DC and Branch devices.

Policy & Object > Policy Package > Install > Install Wizard >

Note: Enable "Create ADOM Revision" and give it a name; this works as a revision point to which the
configuration can be reverted.
Note: Click "Install Preview" to understand what configuration is sent to which device. Download it
for future reference.

Observe how the normalized interfaces are replaced with the real interfaces of each device.

Repeat the same steps for Branch-PP.


Expected Output:
From FortiManager:

From Branch:
From DC:

Configure Overlay Essential (IP, Ping, Bandwidth) and


ADVPN
We will configure this through different options, to show the different ways a managed device can be
configured.

Configure Overlay IP (GUI).


Let's use the FortiManager GUI (not the device) to configure the overlay IP addresses on the DC devices.
Use the table below.

Device Manager > Managed Devices > Select Appropriate Device > System: Interface > Select Appropriate
Interface > Edit.

Parameter                          DC1 OL1_INET_0   DC1 OL1_MPLS_0   DC2 OL2_INET_0   DC2 OL2_MPLS_0
Role                               WAN              WAN              WAN              WAN
Estimated Bandwidth (Upstream)     2000             2000             2000             2000
Estimated Bandwidth (Downstream)   2000             2000             2000             2000
IP/Netmask                         [Link]/32        [Link]/32        [Link]/32        [Link]/32
Remote IP                          [Link]/24        [Link]/24        [Link]/24        [Link]/24
Administrative Access              Ping             Ping             Ping             Ping

Think: Why are we not giving an IP address to the overlay interfaces on the Branch?


Configure Estimated Bandwidth, Ping and ADVPN for Branch (Script)
Let's use a "Script" to configure the following on the branch devices.

Device Manager > Script > Create New > Script

Script Name: Branch

Comments: Bandwidth+Ping+ADVPN

Script details:

# Enable ADVPN (spoke side) and idle timeout on all four overlays
config vpn ipsec phase1-interface
    edit "OL1_INET_0"
        set auto-discovery-receiver enable
        set network-overlay enable
        set idle-timeout enable
        set idle-timeoutinterval 5
    next
    edit "OL1_MPLS_0"
        set auto-discovery-receiver enable
        set network-overlay enable
        set idle-timeout enable
        set idle-timeoutinterval 5
    next
    edit "OL2_INET_0"
        set auto-discovery-receiver enable
        set network-overlay enable
        set idle-timeout enable
        set idle-timeoutinterval 5
    next
    edit "OL2_MPLS_0"
        set auto-discovery-receiver enable
        set network-overlay enable
        set idle-timeout enable
        set idle-timeoutinterval 5
    next
end

# Enable ping and set the estimated link speed on the Internet underlay and the overlays
config system interface
    edit "port1"
        set allowaccess ping
        set estimated-upstream-bandwidth 1000
        set estimated-downstream-bandwidth 1000
        set outbandwidth 1000
        set role wan
    next
    edit "OL1_MPLS_0"
        set allowaccess ping
        set estimated-upstream-bandwidth 1000
        set estimated-downstream-bandwidth 1000
        set outbandwidth 1000
        set role wan
    next
    edit "OL1_INET_0"
        set allowaccess ping
        set estimated-upstream-bandwidth 1000
        set estimated-downstream-bandwidth 1000
        set outbandwidth 1000
        set role wan
    next
    edit "OL2_MPLS_0"
        set allowaccess ping
        set estimated-upstream-bandwidth 1000
        set estimated-downstream-bandwidth 1000
        set outbandwidth 1000
        set role wan
    next
    edit "OL2_INET_0"
        set allowaccess ping
        set estimated-upstream-bandwidth 1000
        set estimated-downstream-bandwidth 1000
        set outbandwidth 1000
        set role wan
    next
end
Run the created script

Device Manager > Script > Select "Branch" > Run Script > Select "Branch" > Run Now

Now install all this configuration to the real devices.

Device Manager > Device Group > Install Wizard > Install Device Settings (only)

Validate and push all this configuration to all the devices in a single go.
Create Normalized Interface for Overlay.
Now we will create normalized interfaces for the newly created overlays. These will be referenced when
creating the SD-WAN template. Do not forget to add "_0" to the mapped interface name, since the tunnel
interfaces on the devices are named OL1_INET_0, OL1_MPLS_0 and so on.

Policy & Object > Object creation > Normalized Interface > Create New.

Expected Output:
Branch Device
DC Devices

Enable AD-VPN on HUB (CLI)

Let's configure ADVPN on the DC overlays from the CLI configuration view in FortiManager (not on the device).

Device Manager > Device & Group > Managed Devices > Select DC1 > Display Options > check CLI
Configuration > OK
Device Manager > Device & Group > Managed Devices > Select DC1 > CLI Configuration > vpn > ipsec >
phase1-interface > Edit OL1_MPLS_0 > auto-discovery-sender > ON > OK

Now repeat this for OL1_INET_0 on DC1 and for both OL2_MPLS_0 and OL2_INET_0 on DC2.

Install this through "Install Policy Package & Device Settings".

Note: This install includes configuration for both the policy package and the device settings.
Routing through Provisioning Template
Here we will use a "CLI Template" to configure dynamic routing (iBGP) for communication between the
Branch LANs and the DC LANs. The template will also use "Meta Fields", so let's create two meta fields first.

Create Meta Field

1. dc-id (object: Device, Name: dc-id (case sensitive), Importance: Optional)


2. branch-id (object: Device, Name: branch-id (case sensitive), Importance: Optional)

System Settings > Meta Field > Create New >

Populate Meta field and Location


Before using these device-specific meta fields, we set their values on each device, along with a
location used to plot the devices on the Google Map.

Device Manager > Device & Group > Managed Devices > Select respective device > Click Edit >

Field                  DC1         DC2         Branch1     Branch2
Location (over map)    your wish   your wish   your wish   your wish
dc-id                  1           2
branch-id                                      1           2

An example is given below for your reference only.

Think: do you need to install this update? Why?

Now have a look at:

Note: VPN Manager > Map View > Topology View > feel free to click different communities and observe.

DC Route Template (iBGP)

You have already seen the concept of bidirectional SD-WAN, or self-healing WAN, during the presentation.
Let's implement it now through a "CLI Template".

Device Manager > Provisioning Template > CLI Template > Create New

Template Name: DC Routing

Comments: BGP communities, route-maps, BGP neighbours and overlay stickiness

Script details:

# Define BGP communities (the spoke stamps its routes with these, see the Branch template)
config router community-list
    edit "SLA_FAIL_MPLS"
        config rule
            edit 1
                set action permit
                set match "65000:200"
            next
        end
    next
    edit "SLA_FAIL_INET"
        config rule
            edit 1
                set action permit
                set match "65000:201"
            next
        end
    next
    edit "SLA_OK_MPLS"
        config rule
            edit 1
                set action permit
                set match "65000:100"
            next
        end
    next
    edit "SLA_OK_INET"
        config rule
            edit 1
                set action permit
                set match "65000:101"
            next
        end
    next
end

# Match communities with route-maps
# Inbound: a route flagged SLA-fail on this overlay gets tag 2 / weight 100,
# everything else gets tag 1 / weight 200, so the healthy overlay is preferred for return traffic
config router route-map
    edit "OL_MPLS_IN"
        config rule
            edit 3
                set match-community "SLA_FAIL_MPLS"
                set set-tag 2
                set set-weight 100
            next
            edit 100
                set set-tag 1
                set set-weight 200
            next
        end
    next
    edit "OL_INET_IN"
        config rule
            edit 3
                set match-community "SLA_FAIL_INET"
                set set-tag 2
                set set-weight 100
            next
            edit 100
                set set-tag 1
                set set-weight 200
            next
        end
    next
    # Outbound: never reflect a prefix learned over the other overlay (overlay stickiness)
    edit "OL_MPLS_OUT"
        config rule
            edit 1
                set action deny
                set match-community "SLA_OK_INET"
            next
            edit 2
                set action deny
                set match-community "SLA_FAIL_INET"
            next
            edit 100
            next
        end
    next
    edit "OL_INET_OUT"
        config rule
            edit 1
                set action deny
                set match-community "SLA_OK_MPLS"
            next
            edit 2
                set action deny
                set match-community "SLA_FAIL_MPLS"
            next
            edit 100
            next
        end
    next
end

# Configure BGP neighbors (dynamic peers per overlay, hub acts as route reflector)
config router bgp
    set as 65000
    set router-id 10.$(dc-id).0.1
    set keepalive-timer 5
    set holdtime-timer 15
    set ibgp-multipath enable
    set network-import-check disable
    set additional-path enable
    set scan-time 20
    config neighbor-group
        edit OL_MPLS
            set soft-reconfiguration enable
            set advertisement-interval 1
            set remote-as 65000
            set interface OL$(dc-id)_MPLS_0
            set route-map-in OL_MPLS_IN
            set route-map-out OL_MPLS_OUT
            set additional-path both
            set route-reflector-client enable
        next
        edit OL_INET
            set soft-reconfiguration enable
            set advertisement-interval 1
            set remote-as 65000
            set interface OL$(dc-id)_INET_0
            set route-map-in OL_INET_IN
            set route-map-out OL_INET_OUT
            set additional-path both
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.160.$(dc-id)2.0 [Link]
            set neighbor-group OL_MPLS
        next
        edit 2
            set prefix 172.160.$(dc-id)1.0 [Link]
            set neighbor-group OL_INET
        next
    end
    config network
        edit 1
            set prefix 10.$(dc-id).0.0 [Link]
        next
    end
end

# Overlay stickiness: traffic that arrives on an overlay leaves on the same overlay
config router policy
    edit 1
        set input-device OL$(dc-id)_MPLS_0
        set output-device OL$(dc-id)_MPLS_0
    next
    edit 2
        set input-device OL$(dc-id)_INET_0
        set output-device OL$(dc-id)_INET_0
    next
end

Note: By referencing the meta field, this one template works for both DCs.
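To see what the $(dc-id) references actually produce per device before the template is assigned and installed, here is an added example (not FortiManager's own code) that renders an excerpt of the DC Routing template with each device's meta field values, refuses to emit an unresolved reference, and lists the overlay interfaces the result refers to so they can be compared with what exists on the device. The device-to-meta-field table and the template excerpt are constructed from the lab's values; the regex for meta field references is an assumption about the syntax.

```python
"""Added example, not FortiManager's own code: render a CLI template the way
the $(meta-field) references in the DC Routing template are meant to behave.
Assumptions: meta field values are plain strings; a reference to a meta field
the device does not carry is an error rather than silently emitted."""
import re

META_REF = re.compile(r"\$\(([A-Za-z0-9_-]+)\)")

# Constructed meta field values, as set in "Populate Meta field and Location"
# (field names are case-sensitive, as the lab notes)
DEVICE_META = {
    "DC1_FGT": {"dc-id": "1"},
    "DC2_FGT": {"dc-id": "2"},
    "Branch1_FGT": {"branch-id": "1"},
}

# Excerpt of the DC Routing template above: the lines that use the meta field
DC_TEMPLATE = """\
config router bgp
    set router-id 10.$(dc-id).0.1
    config neighbor-group
        edit OL_MPLS
            set interface OL$(dc-id)_MPLS_0
        next
        edit OL_INET
            set interface OL$(dc-id)_INET_0
        next
    end
end
"""


def render(template, meta):
    """Replace every $(name) with meta[name]. Fail loudly on an unresolved name:
    an emitted "OL$(dc-id)_MPLS_0" would not match any interface on the device."""
    missing = []

    def substitute(match):
        name = match.group(1)
        if name not in meta:
            missing.append(name)
            return match.group(0)
        return meta[name]

    rendered = META_REF.sub(substitute, template)
    if missing:
        raise KeyError(f"unresolved meta field(s): {sorted(set(missing))}")
    return rendered


def render_for(device, template=DC_TEMPLATE, devices=DEVICE_META):
    """Render the template for one managed device."""
    return render(template, devices[device])


def renders_cleanly(device, template=DC_TEMPLATE, devices=DEVICE_META):
    """True if every meta field the template needs is set on the device."""
    try:
        render_for(device, template, devices)
        return True
    except KeyError:
        return False


def overlay_interfaces(rendered):
    """Overlay interface names the rendered config refers to; compare these with
    the OL*_0 interfaces that actually exist on the device after the VPN install."""
    return sorted(set(re.findall(r"\bOL\d_(?:MPLS|INET)_0\b", rendered)))


if __name__ == "__main__":
    for dev in ("DC1_FGT", "DC2_FGT", "Branch1_FGT"):
        if renders_cleanly(dev):
            print(dev, overlay_interfaces(render_for(dev)))
        else:
            print(dev, "cannot render: meta field missing")
```

The branch device is included on purpose: it has branch-id but no dc-id, so rendering the DC template for it fails, which is exactly the case FortiManager's Install Preview should make you look at before assigning a template to the wrong group.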

Branch Routing Template (iBGP)


Let's implement the branch side through a "CLI Template".

Device Manager > Provisioning Template > CLI Template > Create New

Template Name: Branch Routing

Comments: BGP communities and BGP neighbours

Script details:

# Set BGP communities with route-maps (matched by the community-lists on the hub)
config router route-map
    edit "SLA_FAIL_MPLS"
        config rule
            edit 1
                set set-community "65000:200"
            next
        end
    next
    edit "SLA_OK_INET"
        config rule
            edit 1
                set set-community "65000:101"
            next
        end
    next
    edit "SLA_OK_MPLS"
        config rule
            edit 1
                set set-community "65000:100"
            next
        end
    next
    edit "SLA_FAIL_INET"
        config rule
            edit 1
                set set-community "65000:201"
            next
        end
    next
end

# BGP to hub: route-map-out-preferable is applied while the SD-WAN SLA on that
# overlay is met, route-map-out once it fails
config router bgp
    set as 65000
    set router-id 10.0.$(branch-id).1
    set keepalive-timer 5
    set holdtime-timer 15
    set ibgp-multipath enable
    set scan-time 20
    config neighbor
        edit "[Link]"
            set soft-reconfiguration enable
            set interface "OL1_MPLS_0"
            set remote-as 65000
            set route-map-out "SLA_FAIL_MPLS"
            set route-map-out-preferable "SLA_OK_MPLS"
            set additional-path receive
        next
        edit "[Link]"
            set soft-reconfiguration enable
            set interface "OL1_INET_0"
            set remote-as 65000
            set route-map-out "SLA_FAIL_INET"
            set route-map-out-preferable "SLA_OK_INET"
            set additional-path receive
        next
        edit "[Link]"
            set soft-reconfiguration enable
            set interface "OL2_MPLS_0"
            set remote-as 65000
            set route-map-out "SLA_FAIL_MPLS"
            set route-map-out-preferable "SLA_OK_MPLS"
            set additional-path receive
        next
        edit "[Link]"
            set soft-reconfiguration enable
            set interface "OL2_INET_0"
            set remote-as 65000
            set route-map-out "SLA_FAIL_INET"
            set route-map-out-preferable "SLA_OK_INET"
            set additional-path receive
        next
    end
    config network
        edit 1
            set prefix 10.0.$(branch-id).0 [Link]
        next
    end
end
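The two templates above only make sense together, so here is an added example (not part of the lab or of FortiOS) that models the community signalling between them: the spoke stamps its LAN prefix with an OK or FAIL community per overlay, the hub's inbound route-maps turn that into a weight, and the hub's outbound route-maps keep a prefix learned over one overlay from being reflected over the other. It shows why the hub's return traffic lands on the overlay whose SLA the spoke reports as healthy. Assumptions: FortiOS switches a neighbour between route-map-out-preferable (SLA met) and route-map-out (SLA failed); BGP weight is the only selection criterion modelled; the /24 on the branch LAN is assumed, as the page does not show the mask.

```python
"""Added example, not part of the lab or of FortiOS: a model of the iBGP
community signalling configured by the DC Routing and Branch Routing templates."""
from dataclasses import dataclass

# Communities from the Branch route-maps: (overlay, sla_ok) -> community
COMMUNITY = {
    ("MPLS", True): "65000:100",   # SLA_OK_MPLS
    ("MPLS", False): "65000:200",  # SLA_FAIL_MPLS
    ("INET", True): "65000:101",   # SLA_OK_INET
    ("INET", False): "65000:201",  # SLA_FAIL_INET
}


@dataclass(frozen=True)
class Route:
    prefix: str
    overlay: str          # overlay the route was received on
    communities: frozenset
    tag: int = 0
    weight: int = 0


def branch_advertise(prefix, sla):
    """Spoke side. sla maps overlay name -> whether its SD-WAN SLA is met.
    The spoke sends its LAN prefix on every overlay, stamped with the OK
    community (route-map-out-preferable) or the FAIL community (route-map-out)."""
    return [Route(prefix, ol, frozenset({COMMUNITY[(ol, ok)]})) for ol, ok in sla.items()]


def hub_route_map_in(route):
    """Hub side, OL_<overlay>_IN: rule 3 matches SLA_FAIL_<overlay> and sets
    tag 2 / weight 100; rule 100 (no match clause) sets tag 1 / weight 200."""
    if COMMUNITY[(route.overlay, False)] in route.communities:
        return Route(route.prefix, route.overlay, route.communities, tag=2, weight=100)
    return Route(route.prefix, route.overlay, route.communities, tag=1, weight=200)


def hub_best_paths(routes):
    """Highest weight wins; with ibgp-multipath enabled every route at the
    best weight stays in the routing table."""
    best = max(r.weight for r in routes)
    return [r for r in routes if r.weight == best]


def hub_may_advertise(route, out_overlay):
    """OL_<out_overlay>_OUT: deny anything carrying the other overlay's OK or
    FAIL community, so a prefix learned over INET is never reflected out over
    MPLS and vice versa (overlay stickiness)."""
    other = "INET" if out_overlay == "MPLS" else "MPLS"
    blocked = {COMMUNITY[(other, True)], COMMUNITY[(other, False)]}
    return not (route.communities & blocked)


def return_path_overlays(prefix, sla):
    """End to end: the overlay(s) the hub will use to reach the spoke's LAN."""
    learned = [hub_route_map_in(r) for r in branch_advertise(prefix, sla)]
    return sorted(r.overlay for r in hub_best_paths(learned))


if __name__ == "__main__":
    # Constructed scenario: Branch1 LAN, MPLS SLA failed, Internet SLA met
    print(return_path_overlays("10.0.1.0/24", {"MPLS": False, "INET": True}))
    print(return_path_overlays("10.0.1.0/24", {"MPLS": True, "INET": True}))
```

When both SLAs are met the hub keeps both paths (weight 200 each, multipath); when only MPLS fails the INET path alone survives at weight 200, which is the "bidirectional" behaviour the presentation described: the spoke's local SLA decision steers the hub's return traffic without any SD-WAN rule on the hub.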

Assign CLI Template to Devices

Now assign this template to respective devices. Please note “Branch Routing” template can be assigned
to multiple spoke location which would always be a repetitive task during live rollout.

Device Manager > Provisioning Template > CLI Template > Select Branch Routing > Assign to device >
select all Branches > ok

Device Manager > Provisioning Template > CLI Template > Select DC Routing > Assign to device > select
both DC device > ok

Install routing configuration to Device


Run Install wizard to commit this configuration to devices after reviewing and downloading the
configuration changes.
Device Manager > Provisioning Template > Install Wizard > Install device settings (only). > Next > Next >
Install

Check whether the DC and Branches are learning iBGP routes. Let the instructor know from where you are able to
view the routes and whether any other options exist.

Note : What routes are learned in DC and Branch

Expected Output:
DC
Branch

Configure SD-WAN Template


Creating SD-WAN rules is a bottom-up procedure: start from the BGP neighbours, then the Health-Check
servers, then the Interface Members, and finally use all the created components in an SD-WAN Template.

BGP Neighbour
Create the following BGP Neighbours. Note that we specify the BGP peer IP address, which is common across
all branches.

Device Manager > SD-WAN > BGP Neighbour > Create New
Health-Check Server
Create the Health-Check servers to be used for link monitoring. Each Health-Check server can be
configured with two servers. Create Health-Check servers for the respective DCs. Let’s not create any server
for the Internet health check for now; we will use a default feature available while creating the Performance
SLA.

Interface Members
Create the following interface members, which will be referred to in the SD-WAN rules. Note that while it is fine not to give
gateway addresses for the overlays, it is recommended to define the underlay gateway address. So for the
underlay, a per-device mapping should be created.

Create Overlay Interface Members based on below table.

Device manager > SD-WAN > Interface Member > Create New

Name                  OL1_INET   OL1_MPLS   OL2_INET   OL2_MPLS
Normalized Interface  OL1_INET   OL1_MPLS   OL2_INET   OL2_MPLS
Cost                  1          2          1          2
Per-Device Mapping    No         No         No         No
Create underlay Interface based on below screenshot.

Device manager > SD-WAN > Interface Member > Create New

Note: Branch1 simulates a broadband link that gets a dynamic (private) IP from the modem, so
no gateway needs to be defined; it will be updated from the route table.

SD-WAN Template
Finally, let’s create the SD-WAN templates. We will create three different templates:

1. Branch-TEMP
2. DC1-TEMP
3. DC2-TEMP

Branch-TEMP
Let’s begin with Branch-TEMP. Create Zone and Include members as stated in the screenshot.

Device Manager > SD-WAN > SD-WAN Template > Create New > Name “Branch-TEMP” > Interface
Member > Create New > SD-WAN Zone and SD-WAN Member.
Device Manager > SD-WAN > SD-WAN Template > Create New > Name “Branch-TEMP” > Performance
SLA > Create New > DC1 and DC2

In “Advance Options” enter sla-fail-log-period and sla-pass-log-period as 30 and 60 respectively to
generate SD-WAN logs.
Note: Do not forget to save this config to get the preconfigured SLAs.

Device Manager > SD-WAN > SD-WAN Template > Create New > Name “Branch-TEMP” > Performance
SLA > Edit Default_DNS and Specify highlighted interface only > OK

Repeat: in “Advance Options” enter sla-fail-log-period and sla-pass-log-period as 30 and 60 respectively
to generate SD-WAN logs.
Question: Why use an overlay here, and why only the MPLS overlays?

Create the Neighbour based on the screenshot below. All required components are available in the drop-down menu.

Device Manager > SD-WAN > SD-WAN Template > Create New > Name “Branch-TEMP” > Neighbour >
Create New

Create the following SD-WAN Rules based on the table below and let the instructor know when you have
completed them.

Columns: Name, Source, Destination, Strategy, Interface Preference, Required SLA Target.

Name: DC1-ACCESS
  Source: all
  Destination: Address DC1_LAN ([Link]/24)
  Strategy: Best Quality (Custom, with equal weight for Latency, Jitter, Packet Loss and Bandwidth)
  Interface Preference: DC1 Overlay
  Required SLA Target: DC1

Name: DC2-Access
  Source: all
  Destination: Address DC2_LAN ([Link]/24)
  Strategy: Maximize Bandwidth (SLA)
  Interface Preference: DC2 Overlay
  Required SLA Target: DC2

Name: Branch
  Source: all
  Destination: Address Branch-NET ([Link]/16)
  Strategy: Lowest Cost (SLA)
  Interface Preference: DC1 & DC2 Overlay
  Required SLA Target: DC1 & DC2

Name: BCritical
  Source: all
  Destination: Application Group (DNS, Salesforce, GoToMeeting, [Link])
  Strategy: Lowest Cost (SLA)
  Interface Preference: Underlay and MPLS Overlay
  Required SLA Target: Default_DNS

Name: Non-BCritical
  Source: all
  Destination: Application Group (Facebook, Twitter)
  Strategy: Manual
  Interface Preference: Underlay
  Required SLA Target: NA

Note: Can you change the default mode of Maximize Bandwidth to “bibandwidth”? Inform the
instructor.
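As an added model (not part of the lab and not FortiOS code) of the two decisions a branch makes from one Performance SLA result: which community each hub neighbour receives (route-map-out-preferable while the SLA is met, route-map-out when it fails, using the communities from the CLI template above) and which member the “Branch” rule’s Lowest Cost (SLA) strategy selects (costs from the interface-member table). The SLA target and probe values are constructed, and falling back to the lowest-cost member when none meets the SLA is an assumption of the model.

```python
from dataclasses import dataclass

# Communities from the lab's CLI template, per BGP neighbor:
# (route-map-out-preferable when the SLA is met, route-map-out when it fails)
COMMUNITY = {
    "OL1_MPLS_0": ("65000:100", "65000:200"),  # SLA_OK_MPLS / SLA_FAIL_MPLS
    "OL1_INET_0": ("65000:101", "65000:201"),  # SLA_OK_INET / SLA_FAIL_INET
    "OL2_MPLS_0": ("65000:100", "65000:200"),
    "OL2_INET_0": ("65000:101", "65000:201"),
}
# Member cost from the lab's interface-member table (INET 1, MPLS 2).
COST = {"OL1_INET_0": 1, "OL1_MPLS_0": 2, "OL2_INET_0": 1, "OL2_MPLS_0": 2}

@dataclass(frozen=True)
class Sla:
    latency_ms: float
    jitter_ms: float
    loss_pct: float

def meets_sla(probe: Sla, target: Sla) -> bool:
    """A member is in SLA only when every measured value is within target."""
    return (probe.latency_ms <= target.latency_ms
            and probe.jitter_ms <= target.jitter_ms
            and probe.loss_pct <= target.loss_pct)

def advertised_communities(probes: dict, target: Sla) -> dict:
    """Community the branch attaches to routes sent to each hub neighbor."""
    return {nbr: COMMUNITY[nbr][0 if meets_sla(p, target) else 1]
            for nbr, p in probes.items()}

def lowest_cost_sla(probes: dict, target: Sla, members: list) -> str:
    """Lowest Cost (SLA): in-SLA members first, lowest cost among them, then
    configuration order. Assumed fallback: lowest cost when none is in SLA."""
    in_sla = [m for m in members if meets_sla(probes[m], target)]
    pool = in_sla or list(members)
    return min(pool, key=lambda m: (COST[m], members.index(m)))

if __name__ == "__main__":
    # Constructed sample: one SLA target and one probe result per overlay.
    target = Sla(latency_ms=150, jitter_ms=30, loss_pct=2)
    probes = {
        "OL1_INET_0": Sla(80, 10, 5),    # packet loss breaches the target
        "OL1_MPLS_0": Sla(60, 5, 0),
        "OL2_INET_0": Sla(90, 12, 0.5),
        "OL2_MPLS_0": Sla(70, 6, 0),
    }
    members = ["OL1_INET_0", "OL1_MPLS_0", "OL2_INET_0", "OL2_MPLS_0"]
    print(advertised_communities(probes, target))
    print("Branch rule selects:", lowest_cost_sla(probes, target, members))
```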
DC Template
DC templates are relatively simpler. As explained earlier, using the route-tag the SD-WAN rule selects an outgoing
interface for traffic from the DC to a Branch. So create rules based on the following information for both
DCs, and name them DC1-TEMP and DC2-TEMP.

DC1 Interface

DC1 SD-WAN Rules (Keep all to default if not mentioned in below table.)

Name            Route Tag   Strategy   Interface Preference (DC1)
INET_SLA_OK     1           Manual     OL1_INET
INET_SLA_FAIL   2           Manual     OL1_INET
MPLS_SLA_OK     1           Manual     OL1_MPLS
MPLS_SLA_FAIL   2           Manual     OL1_MPLS

Example output
DC2 Interface

DC2 SD-WAN Rules (Keep all to default if not mentioned in below table.)

Name            Route Tag   Strategy   Interface Preference (DC2)
INET_SLA_OK     1           Manual     OL2_INET
INET_SLA_FAIL   2           Manual     OL2_INET
MPLS_SLA_OK     1           Manual     OL2_MPLS
MPLS_SLA_FAIL   2           Manual     OL2_MPLS

Assign SD-WAN Template


Please assign the SD-WAN templates to the respective devices as shown in the screenshot below.

Device Manager > SD-WAN > SD-WAN Templates

Update SD-WAN Zone in Policy.

Note that the Zone recently created in the SD-WAN Template is automatically created as a Zone object and is ready to
be used in the Firewall Policy. Let’s update the Branch and DC policy packages and push both the SD-WAN and
Security Policy in a single go.
Note: Most of the time the newly created zone shows up; if it doesn’t, go to “Object
Configuration” and search for “zone”. Edit all 4 results and simply save each once again.

Branch-PP

DC-PP

Update device SD-WAN and Policy package.


Note: Do not forget to review and download what is getting pushed to the device.
Add default route to SD-WAN interface.

Add a default route to the SD-WAN interface on both branch devices through the GUI and push the config.

Compulsory Test:

1. Login to any branch device and test failover of “BCritical” application. Report to instructor with
your observation.
2. Quickly test ADVPN (ping branch machine to machine) with DC based failover.
Tools: Use “wan_simulator” available on FPOC to induce latency/packet loss/Jitter and generate Internet
traffic.

Expected Output:
BCritical and Non-BCritical failover output from “Secure SD-WAN Monitor”

AD-VPN communication (ping response time decreases and a dynamic interface (OLX_INET_0_0) is
automatically created)
Inter DC Communication
This is something commonly asked in the field. To make this work we will use an additional DC1-DC2
Overlay and eBGP, and obviously will have to update the policy.

Create Overlay between DC


This time we will create a “Mesh” topology VPN using the system default Normalized Interface “port2”.

VPN Manager > IPsec VPN > VPN Community > Create New

Parameter            DC
Name                 DC
VPN Topology         Full Meshed
IKE Version          2
IKE SA Proposals     AES256/SHA256
IPsec SA Proposals   AES256/SHA256
Network Overlay      ON
Network ID           100
VPN Zone             OFF
dpd-retrycount       2
dpd-retryinterval    3

VPN Manager > IPsec VPN > All VPN Community > Click DC > Create New > Managed Gateway

Protected Subnet        all
Device                  DC (Group)
Default VPN Interface   port2
Routing                 Manual (via Device Manager)
net-device              ON

Note: Not getting “port2” as an option for the VPN interface? Then I have a hint for you..

Install update via “Install Policy Package & Device Settings”.

Note: The VPN config is pushed automatically with the Policy Package, not with Device Settings (only).

Update DC SD-WAN Template

Create Normalized interface


Create Normalized interface name IDC and do a Per-Device mapping for both DC.
Create SD-WAN Interface Member
Create Interface Member for the newly created Overlay and port2 interfaces.

1. INET2 (Per-Device Mapping)

2. IDC (Normalized Interface)


Include Interface Member into SD-WAN template.
Let’s include INET2 under DCUL Zone and IDC under DCOL zone as member in both DC1 and DC2 SD-WAN
Template.

Expected Output:

Include Default route on DC1 & DC2 for port2.

Configure IP address for DC-DC overlay.

Configure IP for the recently created Overlay between DC as mentioned below.


                        DC1          DC2
Interface Name          DC-3         DC-4
IP/Netmask              [Link]/32    [Link]/32
Remote IP               [Link]/24    [Link]/24
Administrative Access   Ping         Ping

Note: No need to update any Policy, as both Member Interfaces are now attached to a Zone that is already
referred to in the Policy.

Install update via “Install Policy Package & Device Settings”.

Expected Output:

Configure Inter DC routing (eBGP)


This time let’s configure eBGP by logging in to the respective DC device CLI, and observe how this gets synced
back to FortiManager.

Login to DC1 with Read-Write access and on the CLI prompt enter the following commands.

config router bgp
    set ebgp-multipath enable
    config neighbor
        edit [Link]
            set advertisement-interval 1
            set soft-reconfiguration enable
            set interface DC-3
            set remote-as 65002
            set local-as 65001
            set allowas-in-enable enable
        next
    end
end

Login to DC2 with Read-Write access and on the CLI prompt enter the following commands.

config router bgp
    set ebgp-multipath enable
    config neighbor
        edit [Link]
            set advertisement-interval 1
            set soft-reconfiguration enable
            set interface DC-4
            set remote-as 65001
            set local-as 65002
            set allowas-in-enable enable
        next
    end
end

Observe:

1. Route table of both DC

2. This configuration is synced back to FortiManager


Device Manager > Device & Group > Managed Devices > dc2_fgt > CLI Configurations > router >
bgp > neighbour
3. Is Branch1 able to reach DC2 even if all its WAN ports (disable port1 & port4) are down?
If yes, how? If no, why? Ask the instructor if you are unsure.

Quality of service
Configure
While the Fortinet solution offers different types of Traffic Shaping, what becomes very relevant in SD-
WAN deployments is the interface-based traffic shaping profile, which allows percentage-based bandwidth
allocation/reservation.

Let’s try a quick configuration through Central Management, i.e. FortiManager. This is a three-step process.

Create “Shaping Profile”


Create shaping profile based on below Screenshot.

Policy & Object > Object Configuration > Firewall Object > Shaping Profile > Create New

Select All(2) and click “Set to Default” to make this the default for all other traffic.
Note: Class ID can be directly created from the Add (+) sign.

Create “Traffic Shaping Policy”


Create Traffic Shaping Policy based on below screen shot. To get visibility of the option under Policy
Package, Click Tool > Display Options > under “Policy” check “Traffic Shaping Policy” > ok

Policy & Object > Policy package > Branch-PP >Traffic Shaping Policy > Create new

Apply Shaping Profile to Interfaces.


Now this shaping profile has to be assigned to all the branch interfaces. This can be a tedious job, but not with
a manager. Remember the Script we created to enable ADVPN, Bandwidth and Ping for the branches!
We will simply edit it and include the command below under each port (port1, OL1_MPLS_0, OL1_INET_0,
OL2_MPLS_0 and OL2_INET_0).

set egress-shaping-profile Shaper_Profile

For example

Remember to run the Script on the Branch group and install all updated configuration through Install Policy
Package & Device Settings. Do not forget to review and download the config every time; make this a habit.

Monitoring Interface-based traffic shaping


One can monitor the implemented Traffic Shaping in two ways.

1. Through Device CLI.

2. Other option is through FMG Device Manager

Device Manager > Device & Group > Managed Device > Branch > System : Dashboard > Network >
Add Widget > Traffic Shaping (Interface-based)
Create Event handler
Let’s create an email trigger for when a link is down. Note that to trigger an email alert you
need your email server details configured in FortiAnalyzer (FAZ).

Configure Mail Server


System Setting > Advance > Mail Server > Create New

Configure Event Handler


Incident & Events > Handler > Event Handler > Create New
Note: Please explain to the instructor what is configured, or ask them what this results in.

Either way, “Animesh Saha” would definitely love to hear that you have reached here..

The END.
