Professional Documents
Culture Documents
FORTINET BLOG
https://blog.fortinet.com
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
FEEDBACK
Email: techdoc@fortinet.com
Change Log 4
Deployment overview 5
About this guide 5
About the 4-D documentation series 5
Intended audience 6
Design concept and considerations 6
Microsoft Azure vWAN and NVA overview 6
Fortinet deployment overview 8
Prerequisites for Azure virtual WAN 10
Prerequisites for SD-WAN configuration 11
Order types in vWAN 11
Deployment procedures 13
Deploying vWAN on Azure 13
Creating the Azure virtual WAN 14
Creating the virtual WAN hub 14
Peering a vNET to the virtual WAN hub 15
Deploying FortiGate NVAs in vWAN hub 16
Authorizing FortiGate NVAs on FortiManager 18
Licensing FortiGate NVAs on FortiManager 19
Configuring static routes and enabling BGP on FortiGate NVAs 21
Configuring FGSP on FortiGate NVAs 24
Configuring remote logging on NVA FortiGates 25
Adding FortiGate branch devices to device groups 27
Configuring SD-WAN on FortiManager 27
Planning the network 28
Creating an SD-WAN overlay template 28
Verifying the SD-WAN overlay template 33
Editing the SD-WAN template for branch devices 35
Configuring branch to vWAN rules 36
Verifying the template group includes the SD-WAN template 37
Assigning metadata values to branch devices 38
Creating a CLI template for branch devices with DHCP gateway assignments 39
Adding Azure router BGP neighbors 40
(Optional) Creating normalized interfaces 41
(Optional) Creating policy packages 42
Checking installation targets for policy packages 46
Installing policy packages to devices 47
(Optional) SD-WAN self-healing with BGP 48
More information 49
Products used 49
Documentation references 49
Appendix A - Purged configuration information 50
2022-11-18 Clarified the FortiManager IP address must be public in Prerequisites for Azure virtual WAN on
page 10 and Deploying FortiGate NVAs in vWAN hub on page 16.
Microsoft Azure supports virtual WAN (vWAN) and partners with third-party solution providers, such as Fortinet, to
deploy network virtual appliances (NVAs) to a vWAN hub.
This document provides a brief overview of Microsoft Azure vWAN and how Fortinet FortiGate virtual machines can be
used as NVAs in a vWAN hub. It also describes how to deploy Microsoft Azure vWAN and FortiGate NVAs and how to
use FortiManager to configure an SD-WAN hub and spoke overlay between the FortiGate NVAs and branch FortiGates.
The FortiGate NVAs are the hub, and the branch FortiGate(s) are the spokes in the SD-WAN network.
This guide provides the design and steps for deploying a specific architecture. Readers should first evaluate their
environment to determine whether the architecture and design outlined in this guide suits them. It is advised to review
the Reference Architecture Guide(s) if readers are still in the process of selecting the right architecture.
This guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers
must make design decisions to further configure their devices. It is recommended that readers also review
supplementary material found in product administration guides, example guides, cookbooks, release notes, and other
documents where appropriate.
This guide is part of the 4-D documentation series.
Fortinet Secure SD-WAN documentation is categorized into four distinct documents: Define, Design, Deploy and Demo.
Each document is designed for a specific purpose and builds on the other documents by providing you with a complete
path from beginning to end.
The 4-D documentation series includes the following components:
l Design: Conceptual guide to introduce the reader to common SD-WAN use cases and the Fortinet Secure SD-WAN
solution
l Design: Reference Architecture guide that provides an overview of the components and architectures to satisfy
common uses
l Deploy: Deployment Guides provide the step-by-step procedures for deploying the desired architecture
l Demo: Github repository of the configuration and examples provided by documents
This document covers the step-by-step procedures required to create a new SD-WAN region with Microsoft Azure virtual
wide area network (vWAN). The architecture, components, and technology referenced in this document are covered in
the Cloud on-ramp section of the SD-WAN Architecture for Enterprise document.
For additional information and documentation about the topics covered in this document, see the Fortinet Document
Library at https://docs.fortinet.com.
Intended audience
This guide is primarily created for a technical audience, including system architects and design engineers, who want to
deploy Microsoft Azure vWAN with Fortinet Secure SD-WAN in greenfield scenarios. It is assumed that the reader has
read the SD-WAN Architecture for Enterprise document and has identified the architecture that satisfies their use case
and goals. This guide does not cover solution overviews and explanations of technologies and components.
For implementation, a working knowledge of FortiManager and FortiOS networking and policy configuration is ideal.
This section provides an overview of the following design concepts and considerations:
l Microsoft Azure vWAN and NVA overview on page 6
l Fortinet deployment overview on page 8
l Prerequisites for Azure virtual WAN on page 10
l Prerequisites for SD-WAN configuration on page 11
l Order types in vWAN on page 11
Microsoft Azure virtual WAN (vWAN) architecture brings together networking, security, and routing functionality to allow
branches and endpoints to connect to virtual networks (VNets) located in Azure. The Azure vWAN uses a hub and spoke
architecture, where virtual WAN hubs within the vWAN are connected in full mesh, creating the backbone for a global
transit network for any-to-any connectivity. Branches and endpoints form the spokes, connecting to the vWAN hub for
connectivity. The default vWAN caters to different types of spokes that can connect to the vWAN hub by using different
methods, such as ExpressRoute, site-to-site VPN, and point-to-site VPN.
For more information about Microsoft support for NVAs, see Security Provided by NVA firewalls.
In this topology, FortiGate NVAs are deployed into the vWAN Hub. The size of the VMs is determined by the scale units.
(See Order types in vWAN on page 11.) The FortiGates must be managed by FortiManager because no management
access (HTTP/HTTPS/SSH) is allowed to the FortiGates. FortiManager can be located anywhere, but requires TCP/541
access to the FortiGates for FGFM tunnel connection. Finally, the FortiGate NVAs form FGSP peering to share session
information.
Diving into the SD-WAN configuration, the FortiGate NVAs act as the hub, while the branch FortiGates act as the
spokes. Each FortiGate has dual WAN for overlay connections.
After the FortiGate NVAs for the vWAN hub and FortiGate units for branch locations are configured and managed by
FortiManager, you are ready to use FortiManager to configure a new SD-WAN region. FortiGate NVAs are the hub, and
branch FortiGates are the spokes in the SD-WAN configuration.
Following are the prerequisites to configure SD-WAN:
l FortiGate NVAs for the vWAN hub and FortiGate units for the branch locations have been added to FortiManager as
managed devices.
l The FortiGate units have an active connection to FortiManager.
l vWAN FortiGate NVAs have a default configured for the external port.
l In this document, port1 is the external port.
l ISP links and other interfaces have been configured on all devices.
l ISP routing is configured where branches have proper routes to reach the FortiGate NVAs for the vWAN hub.
Deploy simple, secure, and scalable connectivity from your branch (edge) locations to Azure cloud and between the
branch (edge) locations using FortiGate-VM SD-WAN network virtual appliance (NVA) in Azure virtual WAN hub. This
integrated solution offers customers the following benefits:
l Connects their FortiGate CPE appliance to a FortiGate-VM NVA in the virtual hub and take advantage of proprietary
end-to-end SD-WAN capabilities when connecting to Azure workloads.
l Configures the FortiGate-VM NVA automatically as part of the deployment process.
l The customer can easily do any additional configuration for the FortiGate-VM via the FortiManager application that
provides uniform management across Azure and on-premise deployments.
You can choose one of the following scale unit values when deploying FortiGate NVAs. (See Deploying FortiGate NVAs
in vWAN hub on page 16.) Higher scale units are available for increased bandwidth requirements. A specific FortiGate
virtual machine license is recommended for each scale unit value.
The following table summarizes FortiGate vWAN license options:
Scale units cannot change dynamically. If you want to use a different scale unit after deploying
the NVAs, you must redeploy the NVAs.
Microsoft does not currently support use of FortiGate pay as you go (PAYG) SKUs.
l Two full FortiGate licenses (bring your own license (BYOL) or Flex-VM)
l One fully licensed FortiManager instance (PAYG or BYOL)
You can obtain licenses for the BYOL licensing model through any Fortinet partner. If you do not have a partner, contact
azuresales@fortinet.com for assistance in purchasing a license.
For more information on vWAN and routing infrastructure pricing, see Virtual WAN pricing.
After you create the virtual WAN, you are ready to create the virtual WAN hub.
The virtual WAN hub takes approximately 30 minutes to fully complete provisioning. Ensure
the virtual WAN hub is successfully provisioned before proceeding to the next step of Peering
a vNET to the virtual WAN hub on page 15.
Peer an Azure VNET to the virtual WAN hub. The VNET serves as a host for protected resources.
After the vNET is peered, all or selected traffic can be forwarded to the FortiGate NVA instances for inspection.
3. Click Create.
In Azure Marketplace, deploy FortiGate network virtual machines (NVAs) in the virtual WAN hub.
The Scale Unit option controls the type and number of FortiGate NVAs created. See also Order types in vWAN on page
11.
The FortiGate NVAs are displayed as a group in FortiManager, and the name of the group in FortiManager is based on
the FortiGate Name Prefix option in Azure.
1. On Azure marketplace, deploy the aforementioned vWAN NVA application and set the following options:
2. Click Next: FortiGate Secure SDWAN in Virtual WAN, and set the following options:
Scale units cannot change dynamically. If you want to use a different scale unit after
deploying the NVAs, you must re-deploy the NVAs.
Each scale unit creates two FortiGate NVAs in the Microsoft Azure VWAN hub.
For more information about scale units, see Order types in vWAN on page 11.
The FortiManager IP address must be public.
3. Make a note of the FortiGate BGP ASN setting. The default is 64512.
4. Click Review + Create.
5. Click Create.
FortiGate NVAs are grouped together in FortiManager based on the FortiGate Name Prefix specified in Azure when you
deployed the FortiGates.
Before you can use FortiManager to configure the FortiGate NVAs, you must authorize FortiManager to manage the
devices.
On FortiManager, ensure you are using ADOM version 7.2 or later. The authorized FortiGate NVAs must be placed in
ADOM version 7.2 because ADOM version 7.2 is required to automatically group the FortiGate NVAs into a device
group.
1. On FortiManager in the root ADOM, go to Device Manager > Device & Groups, and select the Unauthorized
Devices list. The FortiGate NVAs are displayed in the content pane.
2. In the content pane, select all FortiGate NVAs, and click Authorize.
The Authorize Device dialog box is displayed. The FortiGate NVAs are grouped together with the name of the
NVA from Azure. In the following example from FortiManager, the device name is demovwan-xz3czsyqfit200000.
3. Select an ADOM that is version 7.2, if ADOMs are enabled, and click OK. The authorized device group of FortiGates
is displayed.
Depending on the ADOM selected during authorization, you may need to switch to a ADOM to see the authorized
devices.
The authorized FortiGate NVAs are unlicensed, and you can use FortiManager to add a license file to each FortiGate
NVA.
This example shows how to add a BYOL license.
4. Select License File, drag and drop the license file on the Add files by drag & drop here or Add Files box, and click
OK. The Upload License dialog box is displayed.
7. After adding a license for each FortiGate NVA in the device group, click a FortiGate NVA in the tree menu to display
the License Information widget on the Dashboard, and verify the license is uploaded.
The private address space of the vWAN hub is needed to create a summary route from the private address range to the
secondary interfaces of the FortiGate NVAs, unless there is a more specific, connected route to establish BGP peering.
The BGP peers are already configured and ready to go online after the route is enabled.
We will connect to the CLI for one of the managed FortiGate NVAs and look at port2 to locate and note the first IP
address of the subnet on the FortiGate. The first IP address will be the local gateway for communicating with the virtual
WAN hub routers.
1. From FortiManager, connect to the CLI for one of the FortiGates by using SSH:
a. Go to Device Manager > Device & Groups, and select a FortiGate NVA in the tree menu. The Device
Dashboard for the selected device is displayed.
b. On the Dashboard > Summary pane, go to the System Information widget, and click the Connect to CLI via
SSH button.
c. In the Admin Name box, type the administrator name used to deploy the FortiGate NVA on Azure, and click OK.
The CLI Console of <device name> dialog box is displayed.
d. Type the password used to deploy the FortiGate NVA on Azure, and press Enter.
2. In the CLI console, run the get system interface command, and look at the results for port2.
In the following example, the first IP of the subnet is 10.80.112.1.
(In this example, the administrator's IP address is 10.80.112.5, and they have a /25 mask, which makes the network
address 10.80.112.0, and the first IP, which Azure assigns to the virtual switch, is 10.80.112.1)
On each FortiGate VM, configure static routing to the virtual hub routers through the virtual switch. While creating static
routes, we also need to a route to respond to the Azure load balancer probes, which come in from IP address
168.63.129.16.
1. From FortiManager, connect to the CLI for one of the FortiGates by using SSH.
2. Run the following commands on a FortiGate NVA in the device group:
config router static
edit 0
set dst 10.80.0.0/16
set gateway 10.80.112.1
set device port2
next
edit 0
set dst 168.63.129.16/32
set gateway 10.80.112.1
set device port2
end
After configuring the static route on all FortiGate NVAs, BGP peering is automatically enabled, and you can verify
BGP communication.
1. On the FortiGate NVA, run the get router info bgp summary command.
If configured correctly, the address space from the Peering a vNET to the virtual WAN hub on page 15 section
should be propagated as well.
2. Run the get router info routing-table bgp command:
In certain configurations, such as, redundant IPsec tunnels, traffic flow may return asymmetrically. When traffic returns
asymmetrically, an initial connection could come in on one FortiGate, but the return packets might be sent to the other
FortiGate. Supporting asymmetrical traffic requires FortiGate Session Life Support Protocol (also known as FGSP),
which is a layer 3 session synchronization feature, to be enabled. Further, we must allow for rerouting of packets from
one FortiGate to another in cases where IPS or other deep packet inspection is required.
As an alternative to enabling FGSP, Source NAT (SNAT) can be used instead. For more
information about Source NAT, see the FortiManager Administration Guide > SNAT Policy.
For more information about FGSP and the available options, see the FortiOS Administration
Guide > FGSP.
To configure FGSP:
1. On FortiManager, go to Device Manager > Device & Groups, and select the device group for the FortiGate NVAs.
The FortiGate NVAs in the group are displayed in the content pane.
2. In the content pane, select all devices in the group.
3. Right-click the selected devices, and select FGSP Configuration from the More menu.
5. Note the information in the Device Name and IP Address columns of both FortiGate NVAs.
You must set up remote logging on the NVA FortiGates, as you cannot attach local logging disks to them.
4. Select the desired logging destination. This example selects the FortiManager as the logging destination.
Ensure to enable this option before applying the changes to the template.
This example shows logging to a local FortiManager. To use this feature, enable System
Settings > System Information > FortiAnalyzer Features.
9. After FortiManager installs device settings to the FortiGate instances, device logs populate on the selected logging
destination. To generate logs for verification, go to the NVA FortiGate CLI from FortiManager and run diagnose
log test. In the example, you can find logs in FortiManager in Log View > Traffic.
Branch FortiGates are meant to be in the same region. It is recommended to create a device group in FortiManager for
the branch devices before utilizing the SD-WAN Overlay template to configure SD-WAN. With device groups, you can
add additional branch devices to the group, and the newly added devices will automatically inherit the configuration for
SD-WAN.
Even if you have only one FortiGate as the branch device, add the device to a unique device group in FortiManager.
In Device Manager, use the Device Group menu in the banner to create a new device group.
In the following example, the device group named Branches contains two branch FortiGates:
After the FortiGate NVAs for the vWAN hub and FortiGate units for branch locations are configured and managed by
FortiManager, you are ready to use FortiManager to configure a new SD-WAN region. FortiGate NVAs are the hub, and
branch FortiGates are the spokes in the SD-WAN configuration.
See also Prerequisites for SD-WAN configuration on page 11.
Following is a summary of the FortiManager steps required to configure a new SD-WAN region with Azure vWAN:
1. Plan your network. See Planning the network on page 28.
2. Create an SD-WAN overlay template. See Creating an SD-WAN overlay template on page 28.
3. Verify the SD-WAN overlay template creation. See Verifying the SD-WAN overlay template on page 33.
4. Edit the SD-WAN template for branch devices to modify interface members. See Editing the SD-WAN template for
branch devices on page 35.
5. Configure branch to vWAN hub rules. See Configuring branch to vWAN rules on page 36.
6. Verify template group content. See Verifying the template group includes the SD-WAN template on page 37.
7. Assign metadata values to each branch device. See Assigning metadata values to branch devices on page 38.
8. Create a CLI template to address Azure DHCP assignments. See Creating a CLI template for branch devices with
DHCP gateway assignments on page 39.
9. Add Azure BGP neighbors. See Adding Azure router BGP neighbors on page 40.
10. Create normalized interfaces. See (Optional) Creating normalized interfaces on page 41.
11. Create policy packages and policies. See (Optional) Creating policy packages on page 42.
12. Ensure the installation targets for the policy packages are correct. See Checking installation targets for policy
packages on page 46.
13. Install policy packages. See Installing policy packages to devices on page 47.
Following are the settings chosen for this deployment, such as IP networks, BGP AS number, performance SLA criteria,
and so on:
1. Overlay network address space:
a. This address space is used for the IP addressing of all hub and branch devices.
b. The default 10.10.0.0/16 is used.
2. Loopback IP address space:
a. These addresses are used for performance SLAs, router IDs, and other admin operations.
b. The default 172.16.0.0/16 is used.
3. Autonomous system number for BGP:
a. A private number is used and must remain exclusively for this SD-WAN BGP configuration.
b. You must use the same ASN used in Deploying FortiGate NVAs in vWAN hub on page 16. In this example, the
ASN is 64512.
The deployment example in this guide uses the following ports and IP addresses:
l Azure vWAN hub consists of two FortiGate NVAs.
This section describes how to use the SD-WAN overlay template to configure the overlay network.
The SD-WAN overlay template supports metafields for each input box that displays a
magnifying glass.
For more information, see the FortiManager 7.2 Administration Guide.
b. Expand Advanced, and modify the default IP address scheme for loopback and overlay networks, BGP-AS
number, and to enable AD-VPN as desired.
Ensure that you use the same BGP-AS Number as the following step: Deploying FortiGate NVAs in vWAN hub
on page 16.
Ensure the Overlay Network is unique and does not conflict with the existing subnets.
When entering the port name, it is case sensitive and must match the port as written on
the FortiGate exactly.
Select Private Link if the port is on a private circuit, and you do not want to create an
overlay network utilizing this link.
Select Override IP if you want to manually input an IP address that remote branches
will connect to. This is commonly used in public cloud providers where interfaces have
private IP address or other NAT’d environments.
7. Set the network configuration for the second primary hub device (demovwan-k3q3jr36urmi6000001):
a. Under Primary HUB, set WAN Underlay 1 to port1.
b. Select Override IP, and specify 13.78.141.94, which is the public IP address of Azure FGT 2 (demovwan-
k3q3jr36urmi6000001).
c. Set Network Advertisement to Static.
The network advertisement interface will be advertised to the rest of the SD-WAN
region. In this example, port3 is our LAN interface for each branch, and so will
advertise the branch’s LAN subnet.
After you correctly configure the SD-WAN Overlay template, a number of templates are created. This topic describes
how to check several locations to verify that all templates have been created.
3. Go to Provisioning Templates > IPsec Tunnel Templates, and verify the following templates are created:
4. Go to Provisioning Templates > BGP Templates, and verify the following templates are created:
5. Go to Provisioning Templates > CLI Templates, and verify the following templates are created:
You must edit the SD-WAN template for branch devices to adjust the interface members for HUB1.
The HUB1 SD-WAN zone refers to both the FortiGate NVA interfaces. Both IPsec tunnels are added under the same
hub to inform the branch devices of the destination, which allows appropriate load balancing.
In this section we are going to edit the SD-WAN template to create a new performance SLA target as well as new SD-
WAN rules.
Name Azure_Traffic
You can create a new firewall address by clicking the + icon on the Address field.
c. On the Lowest Cost (SLA) tab, set the following options, and click OK.
Each branch must have a unique branch_id mapping value in order to successfully utilize the
SD-WAN overlay provisioning template.
1. In FortiManager, go to Device Manager > Device & Groups, and expand Managed FortiGates.
2. Set the variable for Branch1:
a. In the content pane, right-click Branch1 and select Edit Variable Mapping. The Edit Metadata Variable Mapping
dialog box is displayed.
b. Click the Mapping Value cell, type 1, and select the checkmark to set the value.
The value is set.
If branch devices have WAN ports configured by DHCP, certain SD-WAN overlay
configurations might render the branch devices temporarily unusable. You can create a
CLI template to avoid the issue.
In this step we will add our BGP neighbors in Azure vWAN. The BGP neighbors distribute all the necessary routes inside
Azure, and then advertise them to the rest of the SD-WAN region.
The BGP neighbors must be added to a CLI template for execution. See also Verifying BGP communication between
FortiGate NVAs on page 23.
FortiManager purges configuration before installing the SD-WAN Overlay template for the first
time. This step replaces critical BGP configuration to counter the purge. See also Appendix A -
Purged configuration information on page 50.
We need to locate the ASN and IP numbers for the vWAN hub. Then we can use the numbers to configure
BGP neighbors for both hubs by using the BGP template in FortiManager.
1. In the Azure portal, go to the virtual WAN hub. See Creating the virtual WAN hub on page 14.
2. In the left navigation, select the BGP Peers section to view the ASN and IP numbers.
In this section, we edit the BGP template to add the ASN and IP address numbers from the Azure vWAN hub.
Azure accepts the configuration set in the Advanced section of the BGP route associations on
FortiManager when the configuration is pushed.
The SD-WAN overlay wizard automatically generates normalized interfaces that this guide
demonstrates.
Because the policy package uses interface objects instead of directly referring to the interface, we must link the interface
objects with the actual interfaces on any/all devices. We do this by creating normalized interfaces with per-platform
mappings.
The mapped interface is case sensitive. It must exactly match the interface on the target
FortiGate.
If you are using different ports for LAN between branches, you can leverage per-device
mapping to override the matched platform: all.
The following policies are provided to allow traffic to flow between branches and hub. They
require further security configuration to secure the communication.
3. In the branches policy package, create a firewall policy named Branch to Azure:
a. Select the Branches policy package, and click Create New. The Create New Firewall Policy pane opens.
b. Set the following options, and click OK:
Action Accept
You may need to split the Branch to Azure rule into individual rules for each hub, if the
security needs for each hub differ, such as permitted services and security profiles.
Action Accept
NAT Enable
Name SLA-HealthCheck
IPv4 Source Address Overlay Tunnels, 10.10.0.0/16 (create new address object)
Action Accept
4. In the HUB policy package, create a firewall policy named Branch to Azure:
a. Select the HUB policy package, and click Create New. The Create New Firewall Policy pane opens.
b. Set the following options, and click OK:
Action Accept
c. In the Available Entries list, select the FGT-3lxk3dptizwra000000 and FGT-3lxk3dptizwra000001 devices, and
click the right arrow (>) to move them to the Selected Entries list.
d. Click OK.
The installation target for the HUB policy package is the FGT-3lxk3dptizwra000000 and FGT-
3lxk3dptizwra000001 devices.
Ensure that installation targets for the required policy package include the branch group and FortiGate NVA group.
1. Go to Policy & Objects > Policy Packages, and locate the policy package.
2. Click Installation Targets and click Edit .
The Edit Installation Targets dialog box is displayed.
3. Ensure the branch group and NVA group are selected as targets, and click OK.
The initial push of the SD-WAN overlay template configuration purges certain, existing
FortiGate configurations. For more details, see Appendix A - Purged configuration information
on page 50.
1. Go to Device Manager > Device & Groups, and select the device group for the FortiGates.
2. Click Install Wizard. The Install Wizard dialog box is displayed.
3. Select Install Policy Package & Device Settings, select the policy package, and click Next.
The following table lists the FortiOS CLI configuration elements purged from Branch FortiGate devices when
FortiManager pushes the initial SD-WAN overlay configuration. See also Installing policy packages to devices on page
47.
router bgp > neighbor BGP router neighbor associations config router bgp
webfilter ftgd-local-cat FortiGuard web filter local categories config webfilter ftgd-local-cat
vpn ssl web portal SSL web portal configuration config vpn ssl web portal
vpn ssl web host-check-software SSL-VPN host check software config vpn ssl web host-check-
software
dlp filepattern Data Leak Prevention file patterns config dlp filepattern
used for blocking
firewall shaper traffic-shaper Firewall traffic shaping config firewall shaper traffic-shaper
firewall addrgrp IPv4 Address Groups for Firewall config firewall addrgrp
policies
In some environments, it may be beneficial to enable BGP signaling between branch and hub. This allows the branch to
notify other devices in the SD-WAN region when interfaces are degraded or out of SLA.
For more information, see the SD-WAN Self-Healing with BGP section of the SD-WAN Multi-Hub (Primary/Primary)
Deployment Guide.
Additional information can be found in the SD-WAN Self-Healing with BGP article.
This section identifies the products and versions used in this document and includes links to Fortinet documentation as
well as Microsoft Azure documentation.
Products used
The following product models and firmware were used in this guide:
Documentation references
Feature documentation
l SD-WAN Architecture for Enterprise > Multiple datacenters (primary/secondary gateways)
Solution hub
l https://docs.fortinet.com/sdwan/7.2
External resources:
l What is Azure Virtual WAN
l Security Provided by NVA firewalls
The following table lists the FortiOS CLI configuration elements purged from Branch FortiGate devices when
FortiManager pushes the initial SD-WAN overlay configuration. See also Installing policy packages to devices on page
47.
router bgp > neighbor BGP router neighbor associations config router bgp
webfilter ftgd-local-cat FortiGuard web filter local categories config webfilter ftgd-local-cat
vpn ssl web portal SSL web portal configuration config vpn ssl web portal
vpn ssl web host-check-software SSL-VPN host check software config vpn ssl web host-check-
software
dlp filepattern Data Leak Prevention file patterns config dlp filepattern
used for blocking
firewall shaper traffic-shaper Firewall traffic shaping config firewall shaper traffic-shaper
firewall addrgrp IPv4 Address Groups for Firewall config firewall addrgrp
policies
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.