FortiGate and FortiManager-7.2-Azure vWAN Deployment

Azure vWAN Deployment
FortiGate and FortiManager 7.2

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdoc@fortinet.com
February 16, 2023

FortiGate and FortiManager 7.2 Azure vWAN Deployment
01-722-809372-20230216
TABLE OF CONTENTS
Change Log 4
Deployment overview 5
About this guide 5
About the 4-D documentation series 5
Intended audience 6
Design concept and considerations 6
Microsoft Azure vWAN and NVA overview 6
Fortinet deployment overview 8
Prerequisites for Azure virtual WAN 10
Prerequisites for SD-WAN configuration 11
Order types in vWAN 11
Deployment procedures 13
Deploying vWAN on Azure 13
Creating the Azure virtual WAN 14
Creating the virtual WAN hub 14
Peering a vNET to the virtual WAN hub 15
Deploying FortiGate NVAs in vWAN hub 16
Authorizing FortiGate NVAs on FortiManager 18
Licensing FortiGate NVAs on FortiManager 19
Configuring static routes and enabling BGP on FortiGate NVAs 21
Configuring FGSP on FortiGate NVAs 24
Configuring remote logging on NVA FortiGates 25
Adding FortiGate branch devices to device groups 27
Configuring SD-WAN on FortiManager 27
Planning the network 28
Creating an SD-WAN overlay template 28
Verifying the SD-WAN overlay template 33
Editing the SD-WAN template for branch devices 35
Configuring branch to vWAN rules 36
Verifying the template group includes the SD-WAN template 37
Assigning metadata values to branch devices 38
Creating a CLI template for branch devices with DHCP gateway assignments 39
Adding Azure router BGP neighbors 40
(Optional) Creating normalized interfaces 41
(Optional) Creating policy packages 42
Checking installation targets for policy packages 46
Installing policy packages to devices 47
(Optional) SD-WAN self-healing with BGP 48
More information 49
Products used 49
Documentation references 49
Appendix A - Purged configuration information 50
FortiGate and FortiManager 7.2 Azure vWAN Deployment 3

Fortinet Inc.
Change Log
Date Change Description
2022-10-06 Initial release.
2022-11-18 Clarified the FortiManager IP address must be public in Prerequisites for Azure virtual WAN on
page 10 and Deploying FortiGate NVAs in vWAN hub on page 16.
2022-11-25 Updated Configuring FGSP on FortiGate NVAs on page 24.
2022-11-30 Updated (Optional) Creating policy packages on page 42.
2023-01-11 Updated Prerequisites for Azure virtual WAN on page 10.
2023-02-16 Updated Microsoft Azure vWAN and NVA overview on page 6.

Fortinet Inc.
Deployment overview
Microsoft Azure supports virtual WAN (vWAN) and partners with third-party solution providers, such as Fortinet, to
deploy network virtual appliances (NVAs) to a vWAN hub.
This document provides a brief overview of Microsoft Azure vWAN and how Fortinet FortiGate virtual machines can be
used as NVAs in a vWAN hub. It also describes how to deploy Microsoft Azure vWAN and FortiGate NVAs and how to
use FortiManager to configure an SD-WAN hub and spoke overlay between the FortiGate NVAs and branch FortiGates.
The FortiGate NVAs are the hub, and the branch FortiGate(s) are the spokes in the SD-WAN network.
About this guide
This guide provides the design and steps for deploying a specific architecture. Readers should first evaluate their
environment to determine whether the architecture and design outlined in this guide suits them. It is advised to review
the Reference Architecture Guide(s) if readers are still in the process of selecting the right architecture.
This guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers
must make design decisions to further configure their devices. It is recommended that readers also review
supplementary material found in product administration guides, example guides, cookbooks, release notes, and other
documents where appropriate.
This guide is part of the 4-D documentation series.
About the 4-D documentation series
Fortinet Secure SD-WAN documentation is categorized into four distinct documents: Define, Design, Deploy and Demo.
Each document is designed for a specific purpose and builds on the other documents by providing you with a complete
path from beginning to end.
The 4-D documentation series includes the following components:
l Design: Conceptual guide to introduce the reader to common SD-WAN use cases and the Fortinet Secure SD-WAN
solution
l Design: Reference Architecture guide that provides an overview of the components and architectures to satisfy
common uses
l Deploy: Deployment Guides provide the step-by-step procedures for deploying the desired architecture
l Demo: Github repository of the configuration and examples provided by documents
This document covers the step-by-step procedures required to create a new SD-WAN region with Microsoft Azure virtual
wide area network (vWAN). The architecture, components, and technology referenced in this document are covered in
the Cloud on-ramp section of the SD-WAN Architecture for Enterprise document.
For additional information and documentation about the topics covered in this document, see the Fortinet Document
Library at https://docs.fortinet.com.

Fortinet Inc.
Deployment overview
Intended audience
This guide is primarily created for a technical audience, including system architects and design engineers, who want to
deploy Microsoft Azure vWAN with Fortinet Secure SD-WAN in greenfield scenarios. It is assumed that the reader has
read the SD-WAN Architecture for Enterprise document and has identified the architecture that satisfies their use case
and goals. This guide does not cover solution overviews and explanations of technologies and components.
For implementation, a working knowledge of FortiManager and FortiOS networking and policy configuration is ideal.
Design concept and considerations
This section provides an overview of the following design concepts and considerations:
l Microsoft Azure vWAN and NVA overview on page 6
l Fortinet deployment overview on page 8
l Prerequisites for Azure virtual WAN on page 10
l Prerequisites for SD-WAN configuration on page 11
l Order types in vWAN on page 11
Microsoft Azure vWAN and NVA overview
Microsoft Azure virtual WAN (vWAN) architecture brings together networking, security, and routing functionality to allow
branches and endpoints to connect to virtual networks (VNets) located in Azure. The Azure vWAN uses a hub and spoke
architecture, where virtual WAN hubs within the vWAN are connected in full mesh, creating the backbone for a global
transit network for any-to-any connectivity. Branches and endpoints form the spokes, connecting to the vWAN hub for
connectivity. The default vWAN caters to different types of spokes that can connect to the vWAN hub by using different
methods, such as ExpressRoute, site-to-site VPN, and point-to-site VPN.

Fortinet Inc.
Deployment overview
For more information, see What is Azure Virtual WAN?

Microsoft also partners with third-party solution providers, such as Fortinet, to deploy network virtual appliances (NVAs)
to a vWAN hub. In this way, Microsoft customers can deploy FortiGate NVAs to provide SD-WAN connectivity and
NGFW security across regions. The FortiGate NVAs running in the vWAN hub can inspect all North-South traffic to and
from a branch to a hub-connected VNET. At the same time, the FortiGate NVAs offer SD-WAN connectivity for
performance and redundancy.

Fortinet Inc.
Deployment overview
For more information about Microsoft support for NVAs, see Security Provided by NVA firewalls.
Fortinet deployment overview
This deployment guide describes the provisioning steps required to:

l Use Azure Marketplace to create a virtual WAN (vWAN).
l Use Azure Marketplace to create a virtual WAN hub.
l Use Azure Marketplace to deploy FortiGate network virtual appliances (NVAs) into the vWAN hub.
l Use the Azure portal to configure virtual network (VNET) peering to your VNETs.
l Use FortiManager to authorize the deployed FortiGate NVAs for management.
l Use FortiManager to license and configure the FortiGate NVAs .
l Use FortiManager to configure the FortiGate NVAs as SD-WAN hubs and branch FortiGates as SD-WAN spokes.
Following is an example of a fully deployed vWAN architecture:

Fortinet Inc.
Deployment overview
In this topology, FortiGate NVAs are deployed into the vWAN Hub. The size of the VMs is determined by the scale units.
(See Order types in vWAN on page 11.) The FortiGates must be managed by FortiManager because no management
access (HTTP/HTTPS/SSH) is allowed to the FortiGates. FortiManager can be located anywhere, but requires TCP/541
access to the FortiGates for FGFM tunnel connection. Finally, the FortiGate NVAs form FGSP peering to share session
information.

Fortinet Inc.
Deployment overview
Diving into the SD-WAN configuration, the FortiGate NVAs act as the hub, while the branch FortiGates act as the
spokes. Each FortiGate has dual WAN for overlay connections.
For more information, see Multiple Datacenters for Enterprise (primary/secondary).
Prerequisites for Azure virtual WAN
l Microsoft Azure account with permissions to deploy/modify resources

l Pre-existing Azure VNET hosting protected resources on the cloud
l Branch FortiGate (either cloud or on-premise) already configured with protected resources
l Branch FortiGate running FortiOS version 7.2.2 or later
l BYOL licenses for NVA FortiGates (2), license core count based on required scale unit (see Order types in vWAN
on page 11)
l FortiManager version 7.2.1 or later (licensed) with ADOM version 7.2 and a public IP address
FortiManager Cloud is currently not supported.
When selecting a firmware to use in your deployment, it is important to reference the

FortiManager Release Notes and FortiOS Release Notes.
Release notes will cover supported FortiGate and FortiManager models, special notices,
upgrade information, known issues, and other critical information that should be evaluated for
your scenario.

Fortinet Inc.
Deployment overview
Prerequisites for SD-WAN configuration
After the FortiGate NVAs for the vWAN hub and FortiGate units for branch locations are configured and managed by
FortiManager, you are ready to use FortiManager to configure a new SD-WAN region. FortiGate NVAs are the hub, and
branch FortiGates are the spokes in the SD-WAN configuration.
Following are the prerequisites to configure SD-WAN:
l FortiGate NVAs for the vWAN hub and FortiGate units for the branch locations have been added to FortiManager as
managed devices.
l The FortiGate units have an active connection to FortiManager.
l vWAN FortiGate NVAs have a default configured for the external port.
l In this document, port1 is the external port.
l ISP links and other interfaces have been configured on all devices.
l ISP routing is configured where branches have proper routes to reach the FortiGate NVAs for the vWAN hub.
l LAN and other directly connected networks have been assigned.
Order types in vWAN
Deploy simple, secure, and scalable connectivity from your branch (edge) locations to Azure cloud and between the
branch (edge) locations using FortiGate-VM SD-WAN network virtual appliance (NVA) in Azure virtual WAN hub. This
integrated solution offers customers the following benefits:
l Connects their FortiGate CPE appliance to a FortiGate-VM NVA in the virtual hub and take advantage of proprietary
end-to-end SD-WAN capabilities when connecting to Azure workloads.
l Configures the FortiGate-VM NVA automatically as part of the deployment process.
l The customer can easily do any additional configuration for the FortiGate-VM via the FortiManager application that
provides uniform management across Azure and on-premise deployments.
You can choose one of the following scale unit values when deploying FortiGate NVAs. (See Deploying FortiGate NVAs
in vWAN hub on page 16.) Higher scale units are available for increased bandwidth requirements. A specific FortiGate
virtual machine license is recommended for each scale unit value.
The following table summarizes FortiGate vWAN license options:
Scale units Bandwidth Suggested license Security service Instance count

SKU (support
included)
2 1 Gbps FortiGate-VM (2 CPU) UTP Bundle 2
Scale units cannot change dynamically. If you want to use a different scale unit after deploying
the NVAs, you must redeploy the NVAs.
Microsoft does not currently support use of FortiGate pay as you go (PAYG) SKUs.
Deployment requires the following:

Fortinet Inc.
Deployment overview
l Two full FortiGate licenses (bring your own license (BYOL) or Flex-VM)
l One fully licensed FortiManager instance (PAYG or BYOL)
You can obtain licenses for the BYOL licensing model through any Fortinet partner. If you do not have a partner, contact
azuresales@fortinet.com for assistance in purchasing a license.
For more information on vWAN and routing infrastructure pricing, see Virtual WAN pricing.

Fortinet Inc.
Deployment procedures
Deployment requires the following steps:

1. Use Azure Marketplace and FortiManager to create a vWAN, vWAN hub, and deploy FortiGate NVAs to the
vWAN hub. See Deploying vWAN on Azure on page 13.
This step sets up the vWAN and FortiGate NVAs in the vWAN hub and adds a license to the FortiGate NVAs. The
FortiGate NVAs will be the hub in our SD-WAN configuration.
This document does not describe how to deploy the FortiGate devices (either cloud or on-premise) that will be used
for the branch devices (or spokes) in the SD-WAN network. See Prerequisites for SD-WAN configuration on page
11.
2. Use FortiManager to configure SD-WAN on the deployed FortiGate NVAs (the hub) and deployed branch
FortiGates (the spokes). See Configuring SD-WAN on FortiManager on page 27 .
This step adds the SD-WAN overlay of IPsec tunnels and BGP peering between the FortiGate NVA and the branch
FortiGates. This configuration is sometimes called SD-WAN on-ramp.
Deploying vWAN on Azure
Following is a summary of the steps required to deploy virtual WAN on Azure:

1. On Azure Marketplace, deploy Azure vWAN. See Creating the Azure virtual WAN on page 14.
2. On Azure Marketplace, deploy Azure vWAN hub. See Creating the virtual WAN hub on page 14.
3. On the Azure portal, peer an Azure virtual network (VNET) to the virtual WAN hub. See Peering a vNET to the virtual
WAN hub on page 15.
4. On Azure Marketplace, deploy FortiGates network virtual appliances (NVAs). See Deploying FortiGate NVAs in
vWAN hub on page 16.
5. On FortiManager, authorize the FortiGate NVAs for management by FortiManager. See Authorizing FortiGate
NVAs on FortiManager on page 18.
When managing branch devices for SD-WAN, ensure that branch devices are in a separate device group in
FortiManager. See Adding FortiGate branch devices to device groups on page 27.
6. On FortiManager, apply the license to the FortiGate NVAs. See Licensing FortiGate NVAs on FortiManager on page
19.
7. On FortiManager, configure the static routes for each FortiGate NVA. SeeConfiguring static routes and enabling
BGP on FortiGate NVAs on page 21.
8. On FortiManager, configure remote logging for the FortiGate NVAs. See Configuring remote logging on NVA
FortiGates on page 25.
9. On FortiManager, enable FGSP on the FortiGate NVAs. See Configuring FGSP on FortiGate NVAs on page 24.

Fortinet Inc.
Creating the Azure virtual WAN
To create the Azure virtual WAN:
1. On Azure Marketplace, create a virtual vWAN.
2. Click Review + create.
Creating the virtual WAN hub
After you create the virtual WAN, you are ready to create the virtual WAN hub.
The virtual WAN hub takes approximately 30 minutes to fully complete provisioning. Ensure
the virtual WAN hub is successfully provisioned before proceeding to the next step of Peering
a vNET to the virtual WAN hub on page 15.

Fortinet Inc.
To create the virtual WAN hub:
1. On Azure Marketplace, go to the newly created virtual WAN.

2. On the left navigation bar, go to Connectivity, and click Hubs > New Hub.
3. Click Review + create to create the hub.

4. Wait until the virtual WAN hub is fully provisioned before proceeding to the next step.
It may take approximately 30 minutes to fully provision the virtual WAN hub.
Peering a vNET to the virtual WAN hub
Peer an Azure VNET to the virtual WAN hub. The VNET serves as a host for protected resources.
After the vNET is peered, all or selected traffic can be forwarded to the FortiGate NVA instances for inspection.

Fortinet Inc.
To peer a vNet to the vWAN hub:
1. On the Azure portal, go to the Azure vWAN.

2. On the left navigation bar, go to Connectivity, click Virtual Network Connections > Add Connection.
3. Click Create.
Deploying FortiGate NVAs in vWAN hub
In Azure Marketplace, deploy FortiGate network virtual machines (NVAs) in the virtual WAN hub.
The Scale Unit option controls the type and number of FortiGate NVAs created. See also Order types in vWAN on page
11.
The FortiGate NVAs are displayed as a group in FortiManager, and the name of the group in FortiManager is based on
the FortiGate Name Prefix option in Azure.

Fortinet Inc.
To deploy FortiGate NVAs in vWAN hub:
1. On Azure marketplace, deploy the aforementioned vWAN NVA application and set the following options:
2. Click Next: FortiGate Secure SDWAN in Virtual WAN, and set the following options:

Fortinet Inc.
Scale units cannot change dynamically. If you want to use a different scale unit after
deploying the NVAs, you must re-deploy the NVAs.
Each scale unit creates two FortiGate NVAs in the Microsoft Azure VWAN hub.
For more information about scale units, see Order types in vWAN on page 11.
The FortiManager IP address must be public.
3. Make a note of the FortiGate BGP ASN setting. The default is 64512.
4. Click Review + Create.
5. Click Create.
Authorizing FortiGate NVAs on FortiManager
FortiGate NVAs are grouped together in FortiManager based on the FortiGate Name Prefix specified in Azure when you
deployed the FortiGates.
Before you can use FortiManager to configure the FortiGate NVAs, you must authorize FortiManager to manage the
devices.
On FortiManager, ensure you are using ADOM version 7.2 or later. The authorized FortiGate NVAs must be placed in
ADOM version 7.2 because ADOM version 7.2 is required to automatically group the FortiGate NVAs into a device
group.
To authorize FortiGate NVAs on FortiManager:
1. On FortiManager in the root ADOM, go to Device Manager > Device & Groups, and select the Unauthorized
Devices list. The FortiGate NVAs are displayed in the content pane.
2. In the content pane, select all FortiGate NVAs, and click Authorize.
The Authorize Device dialog box is displayed. The FortiGate NVAs are grouped together with the name of the
NVA from Azure. In the following example from FortiManager, the device name is demovwan-xz3czsyqfit200000.

Fortinet Inc.
The following example in Azure shows the name demovwan-k3q3jr36urmi6.
3. Select an ADOM that is version 7.2, if ADOMs are enabled, and click OK. The authorized device group of FortiGates
is displayed.
Depending on the ADOM selected during authorization, you may need to switch to a ADOM to see the authorized
devices.
Licensing FortiGate NVAs on FortiManager
The authorized FortiGate NVAs are unlicensed, and you can use FortiManager to add a license file to each FortiGate
NVA.
This example shows how to add a BYOL license.
To license FortiGate NVAs on FortiManager:
1. Locate your FortiGate virtual machine license file.

2. On FortiManager, go to Device Manager > Device & Groups, and select the device group. The FortiGate NVAs are
displayed in the content pane.

Fortinet Inc.
3. Right-click a FortiGate NVA, and select Install VM License.
The Install VM License dialog box is displayed.
4. Select License File, drag and drop the license file on the Add files by drag & drop here or Add Files box, and click
OK. The Upload License dialog box is displayed.
5. After the license upload completes, click Close.

6. Repeat this procedure for each FortiGate NVA in the device group.

Fortinet Inc.
7. After adding a license for each FortiGate NVA in the device group, click a FortiGate NVA in the tree menu to display
the License Information widget on the Dashboard, and verify the license is uploaded.
Configuring static routes and enabling BGP on FortiGate NVAs
Following is an overview of how to configure static routes:

1. On the Azure portal, confirm and note the private address space for the virtual WAN hub. See Confirming the private
address space of the vWAN hub on page 21.
2. On FortiManager, retrieve subnet information from the managed FortiGate NVAs. See Retrieving subnet
information from FortiGate NVAs on page 22.
3. On each FortiGate NVA, configure the static route. See Configuring the static route on each FortiGate NVA on page
23.
4. On FortiGate, verify BGP communication between FortiGate NVAs. See Verifying BGP communication between
FortiGate NVAs on page 23.
Confirming the private address space of the vWAN hub
The private address space of the vWAN hub is needed to create a summary route from the private address range to the
secondary interfaces of the FortiGate NVAs, unless there is a more specific, connected route to establish BGP peering.
The BGP peers are already configured and ready to go online after the route is enabled.

Fortinet Inc.
To confirm the private address space of the vWAN hub:
1. On Azure portal, select the virtual WAN hub.

2. On the Overview pane, note the Private address space.
Retrieving subnet information from FortiGate NVAs
We will connect to the CLI for one of the managed FortiGate NVAs and look at port2 to locate and note the first IP
address of the subnet on the FortiGate. The first IP address will be the local gateway for communicating with the virtual
WAN hub routers.
To retrieve the subnet information from FortiGate NVAs:
1. From FortiManager, connect to the CLI for one of the FortiGates by using SSH:
a. Go to Device Manager > Device & Groups, and select a FortiGate NVA in the tree menu. The Device
Dashboard for the selected device is displayed.
b. On the Dashboard > Summary pane, go to the System Information widget, and click the Connect to CLI via
SSH button.
The Connect CLI via SSH dialog box is displayed.

Fortinet Inc.
c. In the Admin Name box, type the administrator name used to deploy the FortiGate NVA on Azure, and click OK.
The CLI Console of <device name> dialog box is displayed.
d. Type the password used to deploy the FortiGate NVA on Azure, and press Enter.
2. In the CLI console, run the get system interface command, and look at the results for port2.
In the following example, the first IP of the subnet is 10.80.112.1.
(In this example, the administrator's IP address is 10.80.112.5, and they have a /25 mask, which makes the network
address 10.80.112.0, and the first IP, which Azure assigns to the virtual switch, is 10.80.112.1)
Configuring the static route on each FortiGate NVA
On each FortiGate VM, configure static routing to the virtual hub routers through the virtual switch. While creating static
routes, we also need to a route to respond to the Azure load balancer probes, which come in from IP address
168.63.129.16.
To configure the static route on each FortiGate NVA:
1. From FortiManager, connect to the CLI for one of the FortiGates by using SSH.
2. Run the following commands on a FortiGate NVA in the device group:
config router static
edit 0
set dst 10.80.0.0/16
set gateway 10.80.112.1
set device port2
next
edit 0
set dst 168.63.129.16/32
set gateway 10.80.112.1
set device port2
end
3. Repeat the commands on each FortiGate NVA in the device group.
Verifying BGP communication between FortiGate NVAs
After configuring the static route on all FortiGate NVAs, BGP peering is automatically enabled, and you can verify
BGP communication.

Fortinet Inc.
To verify BGP communication between FortiGate NVAs:
1. On the FortiGate NVA, run the get router info bgp summary command.
If configured correctly, the address space from the Peering a vNET to the virtual WAN hub on page 15 section
should be propagated as well.
2. Run the get router info routing-table bgp command:
Configuring FGSP on FortiGate NVAs
In certain configurations, such as, redundant IPsec tunnels, traffic flow may return asymmetrically. When traffic returns
asymmetrically, an initial connection could come in on one FortiGate, but the return packets might be sent to the other
FortiGate. Supporting asymmetrical traffic requires FortiGate Session Life Support Protocol (also known as FGSP),
which is a layer 3 session synchronization feature, to be enabled. Further, we must allow for rerouting of packets from
one FortiGate to another in cases where IPS or other deep packet inspection is required.
As an alternative to enabling FGSP, Source NAT (SNAT) can be used instead. For more
information about Source NAT, see the FortiManager Administration Guide > SNAT Policy.
For more information about FGSP and the available options, see the FortiOS Administration
Guide > FGSP.
To configure FGSP:
1. On FortiManager, go to Device Manager > Device & Groups, and select the device group for the FortiGate NVAs.
The FortiGate NVAs in the group are displayed in the content pane.
2. In the content pane, select all devices in the group.

Fortinet Inc.
3. Right-click the selected devices, and select FGSP Configuration from the More menu.
4. Specify the configuration, and click OK
The FGSP Column displays Configured for both devices.
5. Note the information in the Device Name and IP Address columns of both FortiGate NVAs.
Configuring remote logging on NVA FortiGates
You must set up remote logging on the NVA FortiGates, as you cannot attach local logging disks to them.
To configure remote logging on NVA FortiGates:
1. In FortiManager, go to Device Manager > Provisioning Templates > System Templates.

2. Create a new template or edit an existing template for logging.
3. From the Toggle Widgets dropdown list, select Log Settings.

Fortinet Inc.
4. Select the desired logging destination. This example selects the FortiManager as the logging destination.
If using FortiManager as a remote logging destination, enable System Settings >

Dashboard > FortiAnalyzer Features.
For information on remote logging via FortiManager, see System Templates.
5. Enable Reliable Logging to FortiAnalyzer.
Ensure to enable this option before applying the changes to the template.
6. Select the required logging parameters, then click Apply.
This example shows logging to a local FortiManager. To use this feature, enable System
Settings > System Information > FortiAnalyzer Features.
7. Assign the template to the NVA FortiGates:

a. On the System Templates page, select the new logging template, then click Assign to Device/Group.
b. In the Assign to Devices/Groups dialog, select the NVA FortiGates, then click OK.
8. Install device settings:
a. From Device Manager > Provisioning Templates > System Templates, click Install Wizard.
b. Install device settings only.
c. Select the devices to log remotely, then click Next > Install.

Fortinet Inc.
9. After FortiManager installs device settings to the FortiGate instances, device logs populate on the selected logging
destination. To generate logs for verification, go to the NVA FortiGate CLI from FortiManager and run diagnose
log test. In the example, you can find logs in FortiManager in Log View > Traffic.
Adding FortiGate branch devices to device groups
Branch FortiGates are meant to be in the same region. It is recommended to create a device group in FortiManager for
the branch devices before utilizing the SD-WAN Overlay template to configure SD-WAN. With device groups, you can
add additional branch devices to the group, and the newly added devices will automatically inherit the configuration for
SD-WAN.
Even if you have only one FortiGate as the branch device, add the device to a unique device group in FortiManager.
In Device Manager, use the Device Group menu in the banner to create a new device group.
In the following example, the device group named Branches contains two branch FortiGates:
Configuring SD-WAN on FortiManager
After the FortiGate NVAs for the vWAN hub and FortiGate units for branch locations are configured and managed by
FortiManager, you are ready to use FortiManager to configure a new SD-WAN region. FortiGate NVAs are the hub, and
branch FortiGates are the spokes in the SD-WAN configuration.
See also Prerequisites for SD-WAN configuration on page 11.
Following is a summary of the FortiManager steps required to configure a new SD-WAN region with Azure vWAN:
1. Plan your network. See Planning the network on page 28.
2. Create an SD-WAN overlay template. See Creating an SD-WAN overlay template on page 28.
3. Verify the SD-WAN overlay template creation. See Verifying the SD-WAN overlay template on page 33.
4. Edit the SD-WAN template for branch devices to modify interface members. See Editing the SD-WAN template for
branch devices on page 35.

Fortinet Inc.
5. Configure branch to vWAN hub rules. See Configuring branch to vWAN rules on page 36.
6. Verify template group content. See Verifying the template group includes the SD-WAN template on page 37.
7. Assign metadata values to each branch device. See Assigning metadata values to branch devices on page 38.
8. Create a CLI template to address Azure DHCP assignments. See Creating a CLI template for branch devices with
DHCP gateway assignments on page 39.
9. Add Azure BGP neighbors. See Adding Azure router BGP neighbors on page 40.
10. Create normalized interfaces. See (Optional) Creating normalized interfaces on page 41.
11. Create policy packages and policies. See (Optional) Creating policy packages on page 42.
12. Ensure the installation targets for the policy packages are correct. See Checking installation targets for policy
packages on page 46.
13. Install policy packages. See Installing policy packages to devices on page 47.
Planning the network
Following are the settings chosen for this deployment, such as IP networks, BGP AS number, performance SLA criteria,
and so on:
1. Overlay network address space:
a. This address space is used for the IP addressing of all hub and branch devices.
b. The default 10.10.0.0/16 is used.
2. Loopback IP address space:
a. These addresses are used for performance SLAs, router IDs, and other admin operations.
b. The default 172.16.0.0/16 is used.
3. Autonomous system number for BGP:
a. A private number is used and must remain exclusively for this SD-WAN BGP configuration.
b. You must use the same ASN used in Deploying FortiGate NVAs in vWAN hub on page 16. In this example, the
ASN is 64512.
The deployment example in this guide uses the following ports and IP addresses:
l Azure vWAN hub consists of two FortiGate NVAs.
l vWAN FortiGate NVAs have ‘port1’ configured for external access.
l IP and routing are retrieved through Azure DHCP.

l vWAN FortiGate NVAs will advertise port2 to directly connected network and all routes
received from Azure vWAN services.
l Azure private VNET is advertised through Azure vWAN BGP services.
l Branch devices are connected to ISP1 on port1.
Creating an SD-WAN overlay template
This section describes how to use the SD-WAN overlay template to configure the overlay network.
The SD-WAN overlay template supports metafields for each input box that displays a
magnifying glass.
For more information, see the FortiManager 7.2 Administration Guide.

Fortinet Inc.
To create an SD-WAN overlay template:
1. In FortiManager, go to Device Manager > Provisioning Templates > SD-WAN Overlay Templates.

2. Click Create New. The Create New SD-WAN Overlay Template dialog box is displayed.
3. Enter a name and description for the template, and click OK.
The Region Settings pane is displayed.

4. Set the region settings:
a. Select Dual Hub (Primary & Primary).
b. Expand Advanced, and modify the default IP address scheme for loopback and overlay networks, BGP-AS
number, and to enable AD-VPN as desired.
Ensure that you use the same BGP-AS Number as the following step: Deploying FortiGate NVAs in vWAN hub
on page 16.
Ensure the Overlay Network is unique and does not conflict with the existing subnets.

Fortinet Inc.
c. Click Next.The Role Assignment pane is displayed.

5. Set the role assignment:
a. Set Primary HUB to demovwan-k3q3jr36urmi6000000.
Ensure that you select the FortiGate NVA devices as the primary and secondary hubs.
b. Set Secondary HUB to demovwan-k3q3jr36urmi6000001.
c. Set Device Group Assignment to Branches.
Branch FortiGates must be added to a device group, even if the device group contains only one FortiGate, to
be selected in the wizard. See Adding FortiGate branch devices to device groups on page 27.
d. Click Next. The Network Configuration pane is displayed.

6. Set the network configuration for the primary hub device (demovwan-k3q3jr36urmi6000000):
a. Under Primary HUB, set WAN Underlay 1 to port1.
b. Select Override IP, and specify 52.161.71.122, which is the public IP address of Azure FGT 1 (demovwan-
k3q3jr36urmi6000000).
The override IP address is the public IP address of the device name in the Primary Hub field. You can obtain
the IP addresses from Device Manager > Device & Groups pane.

Fortinet Inc.
c. Set Network Advertisement to Static.
When entering the port name, it is case sensitive and must match the port as written on
the FortiGate exactly.
Select Private Link if the port is on a private circuit, and you do not want to create an
overlay network utilizing this link.
Select Override IP if you want to manually input an IP address that remote branches
will connect to. This is commonly used in public cloud providers where interfaces have
private IP address or other NAT’d environments.
7. Set the network configuration for the second primary hub device (demovwan-k3q3jr36urmi6000001):
a. Under Primary HUB, set WAN Underlay 1 to port1.
b. Select Override IP, and specify 13.78.141.94, which is the public IP address of Azure FGT 2 (demovwan-
k3q3jr36urmi6000001).
c. Set Network Advertisement to Static.

Fortinet Inc.
8. Set the network configuration for the branch device:

a. Under Branch, set WAN Underlay 1 to port1.
b. Set Network Advertisement to Connected, and select port2.
The network advertisement interface will be advertised to the rest of the SD-WAN
region. In this example, port3 is our LAN interface for each branch, and so will
advertise the branch’s LAN subnet.
9. Set the SD-WAN template options:

a. Enable Add Overlay Objects to SD-WAN Template.
b. In the list, click Create New to create a new SD-WAN template with default settings named Branch.
No configuration of the template is needed at this time. In this example, the SD-WAN template is named
SDwan-Branch.
c. Enable Add Overlay Interfaces and Zones.
d. Enable Add Healthcheck Servers for Each Hub as Performance SLA.

Fortinet Inc.
e. Click Next.The Summary pane is displayed.
10. Click Finish to save the template.
Verifying the SD-WAN overlay template
After you correctly configure the SD-WAN Overlay template, a number of templates are created. This topic describes
how to check several locations to verify that all templates have been created.

Fortinet Inc.
To verify the SD-WAN Overlay template:
1. In FortiManager, go to Device Manager > Provisioning Templates > Template Groups.

2. Verify the following templates are created:
3. Go to Provisioning Templates > IPsec Tunnel Templates, and verify the following templates are created:
4. Go to Provisioning Templates > BGP Templates, and verify the following templates are created:

Fortinet Inc.
5. Go to Provisioning Templates > CLI Templates, and verify the following templates are created:
Editing the SD-WAN template for branch devices
You must edit the SD-WAN template for branch devices to adjust the interface members for HUB1.
The HUB1 SD-WAN zone refers to both the FortiGate NVA interfaces. Both IPsec tunnels are added under the same
hub to inform the branch devices of the destination, which allows appropriate load balancing.
To edit the SD-WAN template for branch devices:
1. In FortiManager, go to Device Manager > Provisioning Templates > SD-WAN Templates.

2. Double-click the SD-WAN template named SDwan-Branch to open it for editing.
3. Move both interfaces to the same SD-WAN zone. Here the SD-WAN zone is called HUB1.
a. Select HUB1, and click Edit.
b. Select both VPN interfaces, and click OK.

The selected interfaces are displayed for HUB1.

Fortinet Inc.
Configuring branch to vWAN rules
In this section we are going to edit the SD-WAN template to create a new performance SLA target as well as new SD-
WAN rules.
To configure branch to vWAN rules:
1. In FortiManager, go to Provisioning Templates > SD-WAN Templates.

2. Double-click the Branch_SDWAN template to open it for editing.
3. Create a rule for traffic from branch devices to Azure VNET:
a. Under SD-WAN Rules, click Create New. The Create New SD-WAN Rule pane opens.
b. Set the following options, and click OK:
Name Azure_Traffic
Source Branch Subnet (Create a new Address Object.)
Destination Azure VNET subnet (Create a new Address Object.)
You can create a new firewall address by clicking the + icon on the Address field.
The required firewall addresses are selected.

Fortinet Inc.
c. On the Lowest Cost (SLA) tab, set the following options, and click OK.
The SD-WAN rule is created.

4. Click OK to save the SD-WAN template.
Verifying the template group includes the SD-WAN template
Ensure the SD-WAN template is added to the template group.

Fortinet Inc.
To verify the template group includes the SD-WAN template:
1. In FortiManager, go to Provisioning Templates > Template Groups.

2. Double-click the branch template group to open it for editing.
In this example, the template group name is vWAN-Region1_BRANCH.
3. Ensure that the Provisioning Templates list displays the SD-WAN template created earlier.
Assigning metadata values to branch devices
Each branch must have a unique branch_id mapping value in order to successfully utilize the
SD-WAN overlay provisioning template.
To assign meta data values to branch devices:
1. In FortiManager, go to Device Manager > Device & Groups, and expand Managed FortiGates.
2. Set the variable for Branch1:
a. In the content pane, right-click Branch1 and select Edit Variable Mapping. The Edit Metadata Variable Mapping
dialog box is displayed.
b. Click the Mapping Value cell, type 1, and select the checkmark to set the value.
The value is set.
c. Click OK to save the changes.

3. Repeat to set Branch2 to 2.

Fortinet Inc.
Creating a CLI template for branch devices with DHCP gateway assignments
If branch devices have WAN ports configured by DHCP, certain SD-WAN overlay
configurations might render the branch devices temporarily unusable. You can create a
CLI template to avoid the issue.
To create a CLI template for branch devices with DHCP gateway assignments:
1. In FortiManager, go to Device Manager > Provisioning Templates > CLI Templates.

2. Click Create New > CLI Template.
3. Add the script:
a. In the Script Details box, add the following command:
config router static
edit 1
set distance 1
set sdwan-zone "WAN1"
next
end
b. Click OK to save the template.

4. Add the CLI template to the template group for branch devices.

Fortinet Inc.
Adding Azure router BGP neighbors
In this step we will add our BGP neighbors in Azure vWAN. The BGP neighbors distribute all the necessary routes inside
Azure, and then advertise them to the rest of the SD-WAN region.
The BGP neighbors must be added to a CLI template for execution. See also Verifying BGP communication between
FortiGate NVAs on page 23.
FortiManager purges configuration before installing the SD-WAN Overlay template for the first
time. This step replaces critical BGP configuration to counter the purge. See also Appendix A -
Purged configuration information on page 50.
Following is a summary of the procedure:

1. In Azure portal, obtain the ASN and IP address numbers for the BGP peers. See Obtaining ASN and IP address
numbers on page 40.
2. In FortiManager, edit the BGP template to include the ASN and IP address numbers. See Editing the BGP template
on page 40.
Obtaining ASN and IP address numbers
We need to locate the ASN and IP numbers for the vWAN hub. Then we can use the numbers to configure
BGP neighbors for both hubs by using the BGP template in FortiManager.
To obtain ASN and IP address numbers:
1. In the Azure portal, go to the virtual WAN hub. See Creating the virtual WAN hub on page 14.
2. In the left navigation, select the BGP Peers section to view the ASN and IP numbers.
Editing the BGP template
In this section, we edit the BGP template to add the ASN and IP address numbers from the Azure vWAN hub.
Azure accepts the configuration set in the Advanced section of the BGP route associations on
FortiManager when the configuration is pushed.
To edit the BGP template:
1. Go to Device Manager > Provisioning Templates > BGP Templates.

2. Double-click the *_HUB1_BGP or *_HUB2_BGP template to open it for editing.
3. Under Neighbors, click Create New Neighbor.

Fortinet Inc.
4. Set the following options:

a. Set IP and Remote AS to the numbers obtained from the Azure portal for the vWAN hub.
b. Set Interface to port2.
c. Under Advanced Options set ebgp-enforce-multihop to ON.
d. Click OK to save the changes.

5. Repeat this procedure for both neighbor IP addresses on both HUBs.
(Optional) Creating normalized interfaces
The SD-WAN overlay wizard automatically generates normalized interfaces that this guide
demonstrates.
Because the policy package uses interface objects instead of directly referring to the interface, we must link the interface
objects with the actual interfaces on any/all devices. We do this by creating normalized interfaces with per-platform
mappings.
To create normalized interfaces:
1. In FortiManager, go to Policy & Objects > Object Configurations > Normalized Interface.

2. In the content pane, click Create New.
The Create New Normalized Interface pane opens.
3. Set Name to HUB1.
4. Under Per-Platform Mapping, click Create New. The Create New Per-Platform Mapping dialog box is displayed.
5. Set the following options, and click OK:
Matched Platform Select all.
Mapped Interface Name Type HUB1.
The mapped interface is case sensitive. It must exactly match the interface on the target
FortiGate.

Fortinet Inc.
The per-platform mapping is created.

6. Repeat this procedure to the following per-platform mappings:
Normalized Interface Matching Type Mapped Interface/Zone
HUB1 Matched Platform: all HUB1
HUB2 Matched Platform: all HUB2
VPN1 Matched Platform: all VPN1
WAN1 Matched Platform: all WAN1
HUB-Loopback Mapped Device: HUB1 HUB1-Lo
Mapped Device: HUB1 HUB2-Lo
LAN Matched Platform: all port3
Mapped Device: Cloud-Gateway port2
Branches Matched Platform: all Branches
All the per-platform mappings are created:
If you are using different ports for LAN between branches, you can leverage per-device
mapping to override the matched platform: all.
(Optional) Creating policy packages
The following policies are provided to allow traffic to flow between branches and hub. They
require further security configuration to secure the communication.
Following is a summary of how to create the policy package:

1. Create a policy package for branch devices. See Creating the branch policy package and policies on page 42.
These firewall policies leverage the SD-WAN zones and interfaces.
2. Create a policy package for the Azure hub. See Creating the Azure hub policy package and policies on page 44.
Creating the branch policy package and policies
To create the branch policy package and policies:
1. In FortiManager, go to Policy & Objects.

2. Create a policy package named Branches:
a. From the Policy Package menu, select New.
The Create New Policy Package dialog box is displayed.
b. Set name to Branches, and click OK.
The policy package named Branches is created.

Fortinet Inc.
3. In the branches policy package, create a firewall policy named Branch to Azure:
a. Select the Branches policy package, and click Create New. The Create New Firewall Policy pane opens.
Name Branch to Azure
Incoming Interface LAN
Outgoing Interface HUB1, HUB2
IPv4 Source Address Branch network
IPv4 Destination Address Datacenter LAN1, Cloud LAN1
Action Accept
You may need to split the Branch to Azure rule into individual rules for each hub, if the
security needs for each hub differ, such as permitted services and security profiles.
The firewall policy is created.

4. In the branches policy package, create a firewall policy named Direct Internet Access:
a. Select the Branches policy package, and click Create New. The Create New Firewall Policy pane opens.
Name Direct Internet Access
Incoming Interface LAN
Outgoing Interface WAN1
IPv4 Source Address Branch network
IPv4 Destination Address all
Action Accept
NAT Enable

5. Assign the branches policy package to the branch device group:
a. On the Policy & Objects pane, expand the Branches policy package, and select Installation Targets.
b. In the toolbar, click Edit. The Edit Installation Targets dialog box opens.
c. In the Available Entries list, select the Branches group, and click the right arrow (>) to move it to the Selected
Entries list.
d. Click OK.
The installation target for the branches policy package is the Branches device group.

Fortinet Inc.
Creating the Azure hub policy package and policies
To create the Azure hub policy package and policies:
1. In FortiManager, go to Policy & Objects.

2. Create a policy package named HUB:
a. From the Policy Package menu, select New.
The Create New Policy Package dialog box is displayed.
b. Set name to HUB, and click OK.
The policy package named HUB is created.
3. In the HUB policy package, create a firewall policy named SLA-HealthCheck :
a. Select the HUB policy package, and click Create New. The Create New Firewall Policy pane opens.
Name SLA-HealthCheck
Incoming Interface Branches
Outgoing Interface HUB-Loopback
IPv4 Source Address Overlay Tunnels, 10.10.0.0/16 (create new address object)
IPv4 Destination Address all
Action Accept

Fortinet Inc.
4. In the HUB policy package, create a firewall policy named Branch to Azure:
a. Select the HUB policy package, and click Create New. The Create New Firewall Policy pane opens.
Name Branch to Azure
Incoming Interface Branches
Outgoing Interface LAN
IPv4 Source Address Branch Network
IPv4 Destination Address Azure LAN
Action Accept

5. Assign the HUB policy package to the hub devices:
a. On the Policy & Objects pane, expand the HUB policy package, and select Installation Targets.
b. In the toolbar, click Edit. The Edit Installation Targets dialog box opens.

Fortinet Inc.
c. In the Available Entries list, select the FGT-3lxk3dptizwra000000 and FGT-3lxk3dptizwra000001 devices, and
click the right arrow (>) to move them to the Selected Entries list.
d. Click OK.
The installation target for the HUB policy package is the FGT-3lxk3dptizwra000000 and FGT-
3lxk3dptizwra000001 devices.
Checking installation targets for policy packages
Ensure that installation targets for the required policy package include the branch group and FortiGate NVA group.
To check installation targets for policy packages:
1. Go to Policy & Objects > Policy Packages, and locate the policy package.
2. Click Installation Targets and click Edit .
The Edit Installation Targets dialog box is displayed.

Fortinet Inc.
3. Ensure the branch group and NVA group are selected as targets, and click OK.
Installing policy packages to devices
The initial push of the SD-WAN overlay template configuration purges certain, existing
FortiGate configurations. For more details, see Appendix A - Purged configuration information
on page 50.
To install policy packages to devices:
1. Go to Device Manager > Device & Groups, and select the device group for the FortiGates.
2. Click Install Wizard. The Install Wizard dialog box is displayed.
3. Select Install Policy Package & Device Settings, select the policy package, and click Next.

Fortinet Inc.
4. Select the required devices, and click Next.
5. Click Install Preview to review the settings.

6. Click Install.
Appendix A - Purged configuration information
The following table lists the FortiOS CLI configuration elements purged from Branch FortiGate devices when
FortiManager pushes the initial SD-WAN overlay configuration. See also Installing policy packages to devices on page
47.
Configuration Element Description FortiOS 7.2 CLI Reference
router bgp > neighbor BGP router neighbor associations config router bgp
webfilter ftgd-local-cat FortiGuard web filter local categories config webfilter ftgd-local-cat
vpn ssl web portal SSL web portal configuration config vpn ssl web portal
vpn ssl web host-check-software SSL-VPN host check software config vpn ssl web host-check-
software
dlp sensitivity Data Leak Prevention sensitivity config dlp sensitivity
dlp filepattern Data Leak Prevention file patterns config dlp filepattern
used for blocking
firewall shaper traffic-shaper Firewall traffic shaping config firewall shaper traffic-shaper
firewall addrgrp IPv4 Address Groups for Firewall config firewall addrgrp
policies
user local Local user configuration config user local
(Optional) SD-WAN self-healing with BGP
In some environments, it may be beneficial to enable BGP signaling between branch and hub. This allows the branch to
notify other devices in the SD-WAN region when interfaces are degraded or out of SLA.
For more information, see the SD-WAN Self-Healing with BGP section of the SD-WAN Multi-Hub (Primary/Primary)
Deployment Guide.
Additional information can be found in the SD-WAN Self-Healing with BGP article.

Fortinet Inc.
More information
This section identifies the products and versions used in this document and includes links to Fortinet documentation as
well as Microsoft Azure documentation.
Products used
The following product models and firmware were used in this guide:
Product Model Firmware
FortiGate (branch) FortiGate-VM64 7.2.2 and later
FortiGate (Azure) FortiGate-VM64-AZURE 7.2.2 and later
FortiManager FortiManager-VM64-KVM 7.2.1 and later
Documentation references
Feature documentation
l SD-WAN Architecture for Enterprise > Multiple datacenters (primary/secondary gateways)
Solution hub
l https://docs.fortinet.com/sdwan/7.2
External resources:
l What is Azure Virtual WAN
l Security Provided by NVA firewalls

Fortinet Inc.
Appendix A - Purged configuration information
The following table lists the FortiOS CLI configuration elements purged from Branch FortiGate devices when
FortiManager pushes the initial SD-WAN overlay configuration. See also Installing policy packages to devices on page
47.
Configuration Element Description FortiOS 7.2 CLI Reference
router bgp > neighbor BGP router neighbor associations config router bgp
webfilter ftgd-local-cat FortiGuard web filter local categories config webfilter ftgd-local-cat
vpn ssl web portal SSL web portal configuration config vpn ssl web portal
vpn ssl web host-check-software SSL-VPN host check software config vpn ssl web host-check-
software
dlp sensitivity Data Leak Prevention sensitivity config dlp sensitivity
dlp filepattern Data Leak Prevention file patterns config dlp filepattern
used for blocking
firewall shaper traffic-shaper Firewall traffic shaping config firewall shaper traffic-shaper
firewall addrgrp IPv4 Address Groups for Firewall config firewall addrgrp
policies
user local Local user configuration config user local

Fortinet Inc.
www.fortinet.com
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiGate and FortiManager-7.2-Azure vWAN Deployment

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiGate and FortiManager-7.2-Azure vWAN Deployment

Uploaded by

Copyright:

Available Formats

Azure vWAN Deployment

FortiGate and FortiManager 7.2

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

February 16, 2023

FortiGate and FortiManager 7.2 Azure vWAN Deployment 3

Date Change Description

2022-10-06 Initial release.

2022-11-25 Updated Configuring FGSP on FortiGate NVAs on page 24.

2022-11-30 Updated (Optional) Creating policy packages on page 42.

2023-01-11 Updated Prerequisites for Azure virtual WAN on page 10.

2023-02-16 Updated Microsoft Azure vWAN and NVA overview on page 6.

FortiGate and FortiManager 7.2 Azure vWAN Deployment 4

About this guide

About the 4-D documentation series

FortiGate and FortiManager 7.2 Azure vWAN Deployment 5

Design concept and considerations

Microsoft Azure vWAN and NVA overview

FortiGate and FortiManager 7.2 Azure vWAN Deployment 6

For more information, see What is Azure Virtual WAN?

FortiGate and FortiManager 7.2 Azure vWAN Deployment 7

Fortinet deployment overview

This deployment guide describes the provisioning steps required to:

FortiGate and FortiManager 7.2 Azure vWAN Deployment 8

FortiGate and FortiManager 7.2 Azure vWAN Deployment 9

For more information, see Multiple Datacenters for Enterprise (primary/secondary).

Prerequisites for Azure virtual WAN

l Microsoft Azure account with permissions to deploy/modify resources

When selecting a firmware to use in your deployment, it is important to reference the

FortiGate and FortiManager 7.2 Azure vWAN Deployment 10

Prerequisites for SD-WAN configuration

l LAN and other directly connected networks have been assigned.

Order types in vWAN

Scale units Bandwidth Suggested license Security service Instance count

2 1 Gbps FortiGate-VM (2 CPU) UTP Bundle 2

4 2 Gbps FortiGate-VM (4 CPU) UTP Bundle 2

10 5 Gbps FortiGate-VM (8 CPU) UTP Bundle 2

20 10 Gbps FortiGate-VM (16 CPU) UTP Bundle 2

Deployment requires the following:

FortiGate and FortiManager 7.2 Azure vWAN Deployment 11

FortiGate and FortiManager 7.2 Azure vWAN Deployment 12

Deployment requires the following steps:

Deploying vWAN on Azure

Following is a summary of the steps required to deploy virtual WAN on Azure:

FortiGate and FortiManager 7.2 Azure vWAN Deployment 13

Creating the Azure virtual WAN

To create the Azure virtual WAN:

1. On Azure Marketplace, create a virtual vWAN.

2. Click Review + create.

Creating the virtual WAN hub

FortiGate and FortiManager 7.2 Azure vWAN Deployment 14

To create the virtual WAN hub:

1. On Azure Marketplace, go to the newly created virtual WAN.

3. Click Review + create to create the hub.

Peering a vNET to the virtual WAN hub

FortiGate and FortiManager 7.2 Azure vWAN Deployment 15

To peer a vNet to the vWAN hub:

1. On the Azure portal, go to the Azure vWAN.

Deploying FortiGate NVAs in vWAN hub

FortiGate and FortiManager 7.2 Azure vWAN Deployment 16

To deploy FortiGate NVAs in vWAN hub: