├── .gitignore
├── 4D-NGFW
│   ├── NGFW-Demo-Config
│   │   ├── NGFW_Demo.txt
│   │   └── README.MD
│   ├── NGFW-Terraform
│   │   ├── Logical-Topology.png
│   │   ├── Physical-Topology.png
│   │   ├── ngfw_admin.tf
│   │   ├── ngfw_global.tf
│   │   ├── ngfw_interfaces.tf
│   │   ├── ngfw_main.tf
│   │   ├── ngfw_password_policy.tf
│   │   ├── ngfw_policy.tf
│   │   ├── ngfw_profile_AC.tf
│   │   ├── ngfw_profile_AV.tf
│   │   ├── ngfw_profile_DNS.tf
│   │   ├── ngfw_profile_IPS.tf
│   │   ├── ngfw_profile_WF.tf
│   │   ├── ngfw_radius.tf
│   │   ├── ngfw_services.tf
│   │   ├── ngfw_system.tf
│   │   ├── ngfw_users.tf
│   │   ├── ngfw_wireless.tf
│   │   ├── ngfw_zaddresses.tf
│   │   ├── readme.md
│   │   ├── terraform.tfvars
│   │   └── variables.tf
│   └── README.MD
├── 4D-SDWAN
│   ├── 7.0
│   │   ├── Dual hub
│   │   │   ├── Branches
│   │   │   │   ├── README.md
│   │   │   │   ├── dual_hub_Branch1_SD-WAN_Overlay.txt
│   │   │   │   └── dual_hub_Branch2_SD-WAN_Overlay.txt
│   │   │   ├── DH_SD_overlay_bgp.drawio
│   │   │   ├── DH_SD_overlay_bgp.png
│   │   │   ├── DH_SD_overlay_ipsec.drawio
│   │   │   ├── DH_SD_overlay_ipsec.png
│   │   │   ├── DH_SD_underlay.drawio
│   │   │   ├── DH_SD_underlay.png
│   │   │   ├── Extensions
│   │   │   │   ├── ADVPN
│   │   │   │   │   ├── Branches
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   ├── dual_hub_Branch1_ADVPN.txt
│   │   │   │   │   │   └── dual_hub_Branch2_ADVPN.txt
│   │   │   │   │   ├── Hubs
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   ├── dual_hub_HUB1_ADVPN.txt
│   │   │   │   │   │   └── dual_hub_HUB2_ADVPN.txt
│   │   │   │   │   └── readme.md
│   │   │   │   ├── Adaptive FEC
│   │   │   │   │   ├── Branches
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   ├── dual_hub_Branch1_adaptive-fec.txt
│   │   │   │   │   │   └── dual_hub_Branch2_adaptive-fec.txt
│   │   │   │   │   ├── Hubs
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   ├── dual_hub_HUB1_adaptive-fec.txt
│   │   │   │   │   │   └── dual_hub_HUB2_adaptive-fec.txt
│   │   │   │   │   └── readme.md
│   │   │   │   ├── BGP Route Steering
│   │   │   │   │   ├── Branches
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   ├── dual_hub_Branch1_bgp-route-steering.txt
│   │   │   │   │   │   └── dual_hub_Branch2_bgp-route-steering.txt
│   │   │   │   │   ├── Hubs
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   ├── dual_hub_HUB1_bgp-route-steering.txt
│   │   │   │   │   │   └── dual_hub_HUB2_bgp-route-steering.txt
│   │   │   │   │   └── readme.md
│   │   │   │   └── SaaS Remote Internet Breakout
│   │   │   │       ├── Branches
│   │   │   │       │   ├── README.md
│   │   │   │       │   ├── dual_hub_Branch1_remote-internet-breakout.txt
│   │   │   │       │   └── dual_hub_Branch2_remote-internet-breakout.txt
│   │   │   │       ├── Hubs
│   │   │   │       │   ├── README.md
│   │   │   │       │   ├── dual_hub_HUB1_remote-internet-breakout.txt
│   │   │   │       │   └── dual_hub_HUB2_remote-internet-breakout.txt
│   │   │   │       └── readme.md
│   │   │   ├── Hub
│   │   │   │   ├── README.md
│   │   │   │   ├── dual_hub_HUB1_SD-WAN_Overlay.txt
│   │   │   │   └── dual_hub_HUB2_SD-WAN_Overlay.txt
│   │   │   └── readme.md
│   │   ├── README.md
│   │   ├── Single hub
│   │   │   ├── Branches
│   │   │   │   ├── README.md
│   │   │   │   ├── single_hub_Branch1_SD-WAN_Overlay.txt
│   │   │   │   └── single_hub_Branch2_SD-WAN_Overlay.txt
│   │   │   ├── Extensions
│   │   │   │   ├── ADVPN
│   │   │   │   │   ├── Branches
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   ├── single_hub_Branch1_ADVPN.txt
│   │   │   │   │   │   └── single_hub_Branch2_ADVPN.txt
│   │   │   │   │   ├── HUB
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   └── single_hub_HUB1_ADVPN.txt
│   │   │   │   │   └── readme.md
│   │   │   │   ├── Adaptive FEC
│   │   │   │   │   ├── Branches
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   ├── single_hub_Branch1_adaptive-fec.txt
│   │   │   │   │   │   └── single_hub_Branch2_adaptive-fec.txt
│   │   │   │   │   ├── HUB
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   └── single_hub_HUB1_adaptive-fec.txt
│   │   │   │   │   └── readme.md
│   │   │   │   ├── BGP route steering
│   │   │   │   │   ├── Branches
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   ├── single_hub_Branch1_bgp-route-steering.txt
│   │   │   │   │   │   └── single_hub_Branch2_bgp-route-steering.txt
│   │   │   │   │   ├── HUB
│   │   │   │   │   │   ├── README.md
│   │   │   │   │   │   └── single_hub_HUB1_bgp-route-steering.txt
│   │   │   │   │   └── readme.md
│   │   │   │   └── SaaS Remote Internet Breakout
│   │   │   │       ├── Branches
│   │   │   │       │   ├── README.md
│   │   │   │       │   ├── single_hub_Branch1_remote-internet-breakout.txt
│   │   │   │       │   └── single_hub_Branch2_remote-internet-breakout.txt
│   │   │   │       ├── HUB
│   │   │   │       │   ├── README.md
│   │   │   │       │   └── single_hub_HUB1_remote-internet-breakout.txt
│   │   │   │       └── readme.md
│   │   │   ├── Hub
│   │   │   │   ├── README.md
│   │   │   │   └── single_hub_HUB1_SD-WAN_Overlay.txt
│   │   │   ├── SD_overlay_bgp.drawio
│   │   │   ├── SD_overlay_bgp.png
│   │   │   ├── SD_overlay_ipsec.drawio
│   │   │   ├── SD_overlay_ipsec.png
│   │   │   ├── SD_underlay.drawio
│   │   │   ├── SD_underlay.png
│   │   │   └── readme.md
│   │   └── Standalone SD-WAN
│   │       ├── Branch_only_underlay.drawio
│   │       ├── Branch_only_underlay.png
│   │       ├── README.md
│   │       └── standalone_Branch_SD-WAN.txt
│   ├── 7.4
│   │   └── Dual hub
│   │       ├── .$DH_SD_bgp_74.drawio.bkp
│   │       ├── Branches
│   │       │   ├── README.md
│   │       │   ├── dual_hub_Branch1_base.txt
│   │       │   └── dual_hub_Branch2_base.txt
│   │       ├── DH_SD_IPSec_74.drawio
│   │       ├── DH_SD_IPSec_74.png
│   │       ├── DH_SD_Underlay_74.drawio
│   │       ├── DH_SD_Underlay_74.png
│   │       ├── DH_SD_bgp_74.drawio
│   │       ├── DH_SD_bgp_74.png
│   │       ├── Extensions
│   │       │   ├── ADVPN
│   │       │   │   ├── Branches
│   │       │   │   │   ├── README.md
│   │       │   │   │   ├── dual_hub_Branch1_ADVPN74.txt
│   │       │   │   │   └── dual_hub_Branch2_ADVPN74.txt
│   │       │   │   ├── Hub
│   │       │   │   │   ├── README.md
│   │       │   │   │   ├── dual_hub_HUB1_ADVPN_74.txt
│   │       │   │   │   └── dual_hub_HUB2_ADVPN_74.txt
│   │       │   │   └── README.md
│   │       │   └── Adaptive FEC
│   │       │       ├── Branches
│   │       │       │   ├── README.md
│   │       │       │   ├── dual_hub_Branch1_adaptive-fec.txt
│   │       │       │   └── dual_hub_Branch2_adaptive-fec.txt
│   │       │       ├── Hubs
│   │       │       │   ├── README.md
│   │       │       │   ├── dual_hub_HUB1_adaptive-fec74.txt
│   │       │       │   └── dual_hub_HUB2_adaptive-fec74.txt
│   │       │       └── README.md
│   │       ├── Hub
│   │       │   ├── README.md
│   │       │   ├── dual_hub_HUB1_base_74.txt
│   │       │   └── dual_hub_HUB2_base_74.txt
│   │       └── README.md
│   └── 7.6
│       └── Dual hub
│           ├── Branches
│           │   ├── README.md
│           │   ├── dual_hub_Branch1_base_76.txt
│           │   └── dual_hub_Branch2_base_76.txt
│           ├── DH_SD_IPSec_76.drawio
│           ├── DH_SD_IPSec_76.png
│           ├── DH_SD_Underlay_76.drawio
│           ├── DH_SD_Underlay_76.png
│           ├── DH_SD_bgp_76.drawio
│           ├── DH_SD_bgp_76.png
│           ├── Hub
│           │   ├── README.md
│           │   ├── dual_hub_HUB1_base_76.txt
│           │   └── dual_hub_HUB2_base_76.txt
│           └── README.md
├── 4D-Switching
│   ├── LAN_Edge_Demo.txt
│   └── README.md
├── 4D-ZTNA
│   ├── README.md
│   └── ZTNA-demo-config.txt
├── LICENSE.md
├── README.md
└── SD-Branch
    ├── README.md
    ├── SD-Branch.txt
    └── SD-Branch_Deployment_Guide_topology_intro.png

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
Not needed at this time
4D-SDWAN/7.6/Dual hub/.$DH_SD_bgp_76.drawio.bkp

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Demo-Config/README.MD:
--------------------------------------------------------------------------------
# NGFW demonstration configurations (4-D)

4-D Demo configurations are a collection of configurations which complement the preceding three Ds: Define, Design, and Deploy. The deployment configuration detailed in this guide provides one way of configuring a FortiGate to secure a small or medium business. The example is designed for a hypothetical company with typical security needs. The VLAN names and IP addressing are generic and can be adapted for businesses with a different number of employees and departments.

The recommended configuration adheres to Fortinet security best practices and provides a base upon which the administrator can make customizations to better match their needs, as well as expand upon when implementing additional technologies such as SD-WAN, FortiSASE, and ZTNA.


# Overview

This document covers the step-by-step procedures required to deploy a Next Generation Firewall for an SMB environment using a FortiGate 70F. The procedures follow recommended Fortinet best practices. In this case, the customer is defined as follows:

• A small to medium-sized business with 20-100 employees and several departments

• A single location with a single WAN connection


The requirements are:

• Deploy one FortiGate at the network edge

• Segment the network by department; only Sales, Engineering, and IT are specified, for brevity

• Provide Next Generation Firewall security by leveraging the UTM features of the FortiGate

• Implement the company's security policy by applying appropriate security profiles to firewall policies

• Configure wireless networks that provide access to department-specific resources

• Secure the wireless networks with WPA2-Enterprise, authenticating users against a remote RADIUS server

• Send FortiGate logs offsite to FortiGate Cloud

• Leverage FortiSandbox to inspect suspicious files that do not match any existing virus signature

• Harden the device so that management access is not reachable from external sources

# How to
The following configuration was designed to be pasted directly into your FortiGate 70F. Some modifications are required to reflect your environment, such as server IP addresses and serial numbers. Review the topologies and make the necessary changes to the configuration to match your deployment.

Additionally, some configuration must be performed manually and cannot be provided:

1. You must complete the ACME process to generate a certificate for administrative access. Alternatively, you may provide a certificate of your choosing.

2. The RADIUS server configuration must be updated
```
config user radius
(...)
```

3. A VoIP security profile must be created to reflect your VoIP operation and then applied to your security policies.

4. Adjust the various services to reflect your business environment.

5. FortiToken must be added to the admin accounts (local and RADIUS).

6. The admin account passwords provided in the configuration must be changed.

7. The wireless access point serial number must be provided
```
config wireless-controller wtp
    edit "AP_SN"
```

8. The wireless platform must match the model of your APs
```
config wireless-controller wtp-profile
    edit "Corp_Wireless"
        config platform
            set type U321EV
```

9. FortiCloud Sandbox must be activated from the CLI or GUI.

Pay attention to the interface and port your management session is using when pasting the configuration: parts of it change interface settings and administrative access, and can cut off your own session. Pasting from the console avoids this.



# Disclaimers

While the configuration provides a good base for NGFW security, it must be adapted and built upon to best fit your company's needs and security posture.

The WAN interface is not configured. You must configure the interface yourself, as well as a default route if one is required.

The configuration is provided for a FortiGate 70F. If you are using another model, you may have to adjust some settings, such as interface names (port1 vs internal1).

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/Logical-Topology.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-NGFW/NGFW-Terraform/Logical-Topology.png

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/Physical-Topology.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-NGFW/NGFW-Terraform/Physical-Topology.png

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_admin.tf:
--------------------------------------------------------------------------------
resource "fortios_system_accprofile" "FWAdmin_profile" {
  name      = "FWAdmin_profile"
  scope     = "vdom"
  secfabgrp = "read-write"
  ftviewgrp = "read-write"
  authgrp   = "read-write"
  sysgrp    = "read-write"
  netgrp    = "read-write"
  loggrp    = "read-write"
  fwgrp     = "read-write"
  vpngrp    = "read-write"
  utmgrp    = "read-write"
  # wanoptgrp = "read-write"
  wifi      = "read-write"
}

resource "fortios_system_admin" "FWAdmin" {
  name        = "FWAdmin"
  remote_auth = "enable"
  trusthost1  = var.trusthost # logins for this account are only accepted from this host/subnet
  accprofile  = fortios_system_accprofile.FWAdmin_profile.name # reference instead of a literal, so the profile is created first
  vdom {
    name = "root"
  }
  two_factor   = "fortitoken" # Comment out if not using 2FA authentication
  fortitoken   = var.fortitoken # If using 2FA, go into System > Administrator, edit FWAdmin and click "Send Activation Code Email" to activate
  email_to     = var.adminemail
  remote_group = "Admin"
  password     = var.adminpassword # keep this value out of version control and change it after the first login
  comments     = "NGFW Remote Admin"
  depends_on = [
    fortios_user_group.Admin
  ]
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_global.tf:
--------------------------------------------------------------------------------
resource "fortios_system_global" "global" {
  admin_lockout_duration  = "1800" # seconds an administrator stays locked out
  admin_lockout_threshold = "10"   # failed logins before lockout
  admin_maintainer        = "disable" # disable the console maintainer account used for password recovery
  # Note that changing the port below requires an update to the 'host' variable in terraform.tfvars
  admin_sport    = var.admin_https_port
  admin_ssh_port = var.admin_ssh_port
  hostname       = var.hostname
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_interfaces.tf:
--------------------------------------------------------------------------------
/*
resource "fortios_system_interface" "wan2" {
  vdom   = "root"
  name   = "wan2"
  type   = "physical"
  status = "down"
}
resource "fortios_system_interface" "dmz" {
  vdom   = "root"
  type   = "physical"
  name   = "dmz"
  status = "down"
}
*/
resource "fortios_system_interface" "LAN" {
  vdom                  = "root"
  type                  = "physical"
  name                  = var.LAN_INT
  ip                    = var.LAN_addr
  allowaccess           = "fabric https" # https is only needed for configuration; remove it once the device is managed through the MGMT interface
  alias                 = "LAN"
  device_identification = "enable"
  lldp_transmission     = "enable"
  role                  = "lan"
}
resource "fortios_systemdhcp_server" "LAN_dhcp" {
  dns_service     = "default"
  default_gateway = var.vlan1_default_gw
  netmask         = var.vlan_netmask
  interface       = var.LAN_INT
  ip_range {
    start_ip = var.vlan1_start
    end_ip   = var.vlan1_end
  }
  depends_on = [
    fortios_system_interface.LAN
  ]
}

# Dedicated management interface: the only interface that exposes SSH
resource "fortios_system_interface" "MGMT" {
  vdom                  = "root"
  name                  = var.MGMT_INT
  type                  = "physical"
  ip                    = var.MGMT_addr
  allowaccess           = "ping https ssh"
  alias                 = "MGMT"
  device_identification = "enable"
  role                  = "dmz"
  status                = "up"
  lldp_transmission     = "enable"
}
/*
resource "fortios_system_interface" "internal" {
  vdom   = "root"
  type   = "hard-switch"
  name   = "internal"
  status = "down"
  ip     = "0.0.0.0 0.0.0.0"
}
resource "fortios_system_interface" "fortilink" {
  vdom   = "root"
  type   = "aggregate"
  name   = "fortilink"
  status = "down"
}
*/
# Department VLANs: no management protocols, only ping and Security Fabric
resource "fortios_system_interface" "VLAN20" {
  vdom                  = "root"
  name                  = var.VLAN20_name
  ip                    = var.VLAN20_IP
  allowaccess           = "ping fabric"
  device_identification = "enable"
  role                  = "lan"
  interface             = var.LAN_INT
  vlanid                = 20
}
resource "fortios_systemdhcp_server" "VLAN20_dhcp" {
  dns_service     = "default"
  default_gateway = var.VLAN20_default_gw
  netmask         = var.vlan_netmask
  interface       = var.VLAN20_int
  ip_range {
    start_ip = var.VLAN20_start
    end_ip   = var.VLAN20_end
  }
  depends_on = [
    fortios_system_interface.VLAN20
  ]
}

resource "fortios_system_interface" "VLAN21" {
  vdom                  = "root"
  name                  = var.VLAN21_name
  ip                    = var.VLAN21_IP
  allowaccess           = "ping fabric"
  device_identification = "enable"
  role                  = "lan"
  interface             = var.LAN_INT
  vlanid                = 21
}
resource "fortios_systemdhcp_server" "VLAN21_dhcp" {
  dns_service     = "default"
  default_gateway = var.VLAN21_default_gw
  netmask         = var.vlan_netmask
  interface       = var.VLAN21_int
  ip_range {
    start_ip = var.VLAN21_start
    end_ip   = var.VLAN21_end
  }
  depends_on = [
    fortios_system_interface.VLAN21
  ]
}

resource "fortios_system_interface" "VLAN30" {
  vdom                  = "root"
  name                  = var.VLAN30_name
  ip                    = var.VLAN30_IP
  allowaccess           = "ping fabric"
  device_identification = "enable"
  role                  = "lan"
  interface             = var.LAN_INT
  vlanid                = 30
}
resource "fortios_systemdhcp_server" "VLAN30_dhcp" {
  dns_service     = "default"
  default_gateway = var.VLAN30_default_gw
  netmask         = var.vlan_netmask
  interface       = var.VLAN30_int
  ip_range {
    start_ip = var.VLAN30_start
    end_ip   = var.VLAN30_end
  }
  depends_on = [
    fortios_system_interface.VLAN30
  ]
}
resource "fortios_system_interface" "VLAN31" {
  vdom                  = "root"
  name                  = var.VLAN31_name
  ip                    = var.VLAN31_IP
  allowaccess           = "ping fabric"
  device_identification = "enable"
  role                  = "lan"
  interface             = var.LAN_INT
  vlanid                = 31
}
resource "fortios_systemdhcp_server" "VLAN31_dhcp" {
  dns_service     = "default"
  default_gateway = var.VLAN31_default_gw
  netmask         = var.vlan_netmask
  interface       = var.VLAN31_int
  ip_range {
    start_ip = var.VLAN31_start
    end_ip   = var.VLAN31_end
  }
  depends_on = [
    fortios_system_interface.VLAN31
  ]
}
resource "fortios_system_interface" "VLAN40" {
  vdom                  = "root"
  name                  = var.VLAN40_name
  ip                    = var.VLAN40_IP
  allowaccess           = "ping fabric"
  device_identification = "enable"
  role                  = "lan"
  interface             = var.LAN_INT
  vlanid                = 40
}
resource "fortios_systemdhcp_server" "VLAN40_dhcp" {
  dns_service     = "default"
  default_gateway = var.VLAN40_default_gw
  netmask         = var.vlan_netmask
  interface       = var.VLAN40_int
  ip_range {
    start_ip = var.VLAN40_start
    end_ip   = var.VLAN40_end
  }
  depends_on = [
    fortios_system_interface.VLAN40
  ]
}
resource "fortios_system_interface" "VLAN50" {
  vdom                  = "root"
  name                  = var.VLAN50_name
  ip                    = var.VLAN50_IP
  allowaccess           = "ping fabric"
  device_identification = "enable"
  role                  = "lan"
  interface             = var.LAN_INT
  vlanid                = 50
}
resource "fortios_systemdhcp_server" "VLAN50_dhcp" {
  dns_service     = "default"
  default_gateway = var.VLAN50_default_gw
  netmask         = var.vlan_netmask
  interface       = var.VLAN50_int
  ip_range {
    start_ip = var.VLAN50_start
    end_ip   = var.VLAN50_end
  }
  depends_on = [
    fortios_system_interface.VLAN50
  ]
}
resource "fortios_system_interface" "VLAN60" {
  vdom                  = "root"
  name                  = var.VLAN60_name
  ip                    = var.VLAN60_IP
  allowaccess           = "ping fabric"
  device_identification = "enable"
  role                  = "lan"
  interface             = var.LAN_INT
  vlanid                = 60
}
resource "fortios_systemdhcp_server" "VLAN60_dhcp" {
  dns_service     = "default"
  default_gateway = var.VLAN60_default_gw
  netmask         = var.vlan_netmask
  interface       = var.VLAN60_int
  ip_range {
    start_ip = var.VLAN60_start
    end_ip   = var.VLAN60_end
  }
  depends_on = [
    fortios_system_interface.VLAN60
  ]
}
resource "fortios_system_interface" "VLAN70" {
  vdom                  = "root"
  name                  = var.VLAN70_name
  ip                    = var.VLAN70_IP
  allowaccess           = "ping fabric"
  device_identification = "enable"
  role                  = "lan"
  interface             = var.LAN_INT
  vlanid                = 70
}
resource "fortios_systemdhcp_server" "VLAN70_dhcp" {
  dns_service     = "default"
  default_gateway = var.VLAN70_default_gw
  netmask         = var.vlan_netmask
  interface       = var.VLAN70_int
  ip_range {
    start_ip = var.VLAN70_start
    end_ip   = var.VLAN70_end
  }
  depends_on = [
    fortios_system_interface.VLAN70
  ]
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_main.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    fortios = {
      source  = "fortinetdev/fortios"
      version = "1.16.0"
    }
  }
}

provider "fortios" {
  hostname = var.host
  token    = var.token
  # "true" turns off verification of the FortiGate's HTTPS certificate, so the API token
  # is sent over a connection that anyone on the path could terminate. Acceptable only in
  # a lab with a self-signed certificate; otherwise set "false" and point cabundlefile at the issuing CA.
  insecure = "true"
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_password_policy.tf:
--------------------------------------------------------------------------------
# Complexity rules for local administrator passwords; the minimum length is left at the FortiOS default
resource "fortios_system_passwordpolicy" "PW" {
  min_lower_case_letter = 1
  min_upper_case_letter = 1
  min_non_alphanumeric  = 1
  min_number            = 1
  reuse_password        = "disable"
  status                = "enable"
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_profile_AC.tf:
--------------------------------------------------------------------------------
resource "fortios_application_list" "CORP_AC" {
  name                    = "CORP_AC"
  unknown_application_log = "enable"
  # Entry 1 sets no action, so application categories 2 and 6 get the FortiOS default action
  entries {
    id = 1
    category {
      id = 2
    }
    category {
      id = 6
    }
  }
  # Catch-all entry: every other application is allowed
  entries {
    id     = 2
    action = "pass"
  }
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_profile_AV.tf:
--------------------------------------------------------------------------------
resource "fortios_antivirus_profile" "CORP_AV" {
  name = "CORP_AV"
  http {
    av_scan    = "block"
    quarantine = "enable"
  }
  ftp {
    av_scan    = "block"
    quarantine = "enable"
  }
  # For mail protocols, executable attachments are treated as viruses
  imap {
    av_scan     = "block"
    quarantine  = "enable"
    executables = "virus"
  }
  smtp {
    av_scan     = "block"
    quarantine  = "enable"
    executables = "virus"
  }
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_profile_IPS.tf:
--------------------------------------------------------------------------------
resource "fortios_ips_sensor" "CORP_IP" {
  name                    = "CORP_IP"
  comment                 = "Block medium, high, and critical attacks"
  block_malicious_url     = "enable"
  scan_botnet_connections = "block"
  entries {
    id       = 1
    severity = "medium high critical"
    action   = "block"
  }
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_profile_WF.tf:
--------------------------------------------------------------------------------
resource "fortios_webfilter_profile" "CORP_WF" {
  name    = "CORP_WF"
  options = "block-invalid-url"
  web {
    blocklist = "enable"
  }
  ftgd_wf {
    # One filter per FortiGuard category. Filters without an action keep the FortiOS
    # default action for that category.
    filters {
      action   = "block"
      category = 1
    }
    filters {
      action   = "block"
      category = 2
    }
    filters {
      action   = "block"
      category = 3
    }
    filters {
      action   = "block"
      category = 4
    }
    filters {
      action   = "block"
      category = 5
    }
    filters {
      action   = "block"
      category = 6
    }
    filters {
      action   = "block"
      category = 7
    }
    filters {
      action   = "block"
      category = 8
    }
    filters {
      action   = "block"
      category = 9
    }
    filters {
      action   = "block"
      category = 11
    }
    filters {
      action   = "block"
      category = 12
    }
    filters {
      action   = "block"
      category = 13
    }
    filters {
      action   = "block"
      category = 14
    }
    filters {
      action   = "block"
      category = 15
    }
    filters {
      action   = "block"
      category = 16
    }
    filters {
      action   = "warning"
      category = 17
    }
    filters {
      action   = "block"
      category = 18
    }
    filters {
      action   = "block"
      category = 19
    }
    filters {
      action   = "block"
      category = 20
    }
    filters {
      action   = "block"
      category = 23
    }
    filters {
      action   = "block"
      category = 24
    }
    filters {
      action   = "block"
      category = 25
    }
    filters {
      action   = "block"
      category = 26
    }
    filters { category = 28 }
    filters { category = 29 }
    filters { category = 30 }
    filters { category = 31 }
    filters { category = 33 }
    filters { category = 34 }
    filters {
      action   = "block"
      category = 59
    }
    filters {
      action   = "block"
      category = 62
    }
    filters {
      action   = "block"
      category = 83
    }
    filters {
      action   = "block"
      category = 96
    }
    filters {
      action   = "block"
      category = 98
    }
    filters {
      action   = "block"
      category = 99
    }
    filters {
      action   = "block"
      category = 57
    }
    filters {
      action   = "block"
      category = 63
    }
    filters {
      action   = "block"
      category = 64
    }
    filters {
      action   = "block"
      category = 65
    }
    filters {
      action   = "block"
      category = 66
    }
    filters {
      action   = "block"
      category = 67
    }
    filters {
      action   = "block"
      category = 72
    }
    filters { category = 75 }
    filters { category = 76 }
    filters {
      action   = "block"
      category = 61
    }
    filters {
      action   = "block"
      category = 86
    }
    filters {
      action   = "block"
      category = 88
    }
    filters {
      action   = "block"
      category = 90
    }
    filters {
      action   = "block"
      category = 91
    }
    filters { category = 35 }
    filters { category = 36 }
    filters { category = 37 }
    filters { category = 38 }
    filters { category = 39 }
    filters { category = 40 }
    filters { category = 42 }
    filters { category = 44 }
    filters { category = 46 }
    filters { category = 47 }
    filters { category = 48 }
    filters { category = 54 }
    filters { category = 55 }
    filters { category = 58 }
    filters { category = 68 }
    filters { category = 69 }
    filters { category = 70 }
    filters { category = 71 }
    filters { category = 77 }
    filters { category = 78 }
    filters { category = 79 }
    filters { category = 80 }
    filters { category = 82 }
    filters { category = 85 }
    filters { category = 87 }
    filters { category = 89 }
    filters { category = 41 }
    filters { category = 43 }
    filters { category = 49 }
    filters { category = 50 }
    filters { category = 51 }
    filters { category = 52 }
    filters { category = 53 }
    filters { category = 56 }
    filters { category = 81 }
    filters { category = 84 }
    filters { category = 92 }
    filters { category = 93 }
    filters { category = 94 }
    filters { category = 95 }
    filters { category = 97 }
    # Final filter without a category
    filters {
      action = "block"
    }
  }
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_radius.tf:
--------------------------------------------------------------------------------
resource "fortios_user_radius" "radius" {
  name   = var.radname
  server = var.radserver
  secret = var.radpass # RADIUS shared secret; keep it out of version control
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_services.tf:
--------------------------------------------------------------------------------
/*
resource "fortios_firewallservice_custom" "VLAN21_SRV1" {
  name          = var.VLAN21_SRV_name1
  iprange       = var.VLAN21_SRV_IP
  tcp_portrange = var.VLAN21_SRV_port1
}
resource "fortios_firewallservice_custom" "VLAN21_SRV2" {
  name          = var.VLAN21_SRV_name2
  iprange       = var.VLAN21_SRV_IP
  tcp_portrange = var.VLAN21_SRV_port2
}
resource "fortios_firewallservice_custom" "VLAN31_SRV1" {
  name          = var.VLAN31_SRV_name1
  iprange       = var.VLAN31_SRV_IP
  tcp_portrange = var.VLAN31_SRV_port1
}
resource "fortios_firewallservice_custom" "VLAN31_SRV2" {
  name          = var.VLAN31_SRV_name2
  iprange       = var.VLAN31_SRV_IP
  tcp_portrange = var.VLAN31_SRV_port2
}
resource "fortios_firewallservice_group" "VLAN21_SERVICES" {
  name = var.VLAN21_SRV_GRP_NAME
  member {
    name = var.VLAN21_SRV_name1
  }
  member {
    name = var.VLAN21_SRV_name2
  }
}
resource "fortios_firewallservice_group" "VLAN31_SERVICES" {
  name = var.VLAN31_SRV_GRP_NAME
  member {
    name = var.VLAN31_SRV_name1
  }
  member {
    name = var.VLAN31_SRV_name2
  }
}
*/
# Custom services restricted to the server IP and port (not just the port),
# and groups that reference the service resources so they are created first
resource "fortios_firewallservice_custom" "VLAN21_SRV1" {
  name          = var.VLAN21_SRV_name1
  iprange       = var.VLAN21_SRV_IP
  tcp_portrange = var.VLAN21_SRV_port1
}
resource "fortios_firewallservice_custom" "VLAN21_SRV2" {
  name          = var.VLAN21_SRV_name2
  iprange       = var.VLAN21_SRV_IP
  tcp_portrange = var.VLAN21_SRV_port2
}
resource "fortios_firewallservice_group" "VLAN21_SERVICES" {
  name = var.VLAN21_SRV_GRP_NAME
  member {
    name = fortios_firewallservice_custom.VLAN21_SRV1.name
  }
  member {
    name = fortios_firewallservice_custom.VLAN21_SRV2.name
  }
}

resource "fortios_firewallservice_custom" "VLAN31_SRV1" {
  name          = var.VLAN31_SRV_name1
  iprange       = var.VLAN31_SRV_IP
  tcp_portrange = var.VLAN31_SRV_port1
}
resource "fortios_firewallservice_custom" "VLAN31_SRV2" {
  name          = var.VLAN31_SRV_name2
  iprange       = var.VLAN31_SRV_IP
  tcp_portrange = var.VLAN31_SRV_port2
}
resource "fortios_firewallservice_group" "VLAN31_SERVICES" {
  name = var.VLAN31_SRV_GRP_NAME
  member {
    name = fortios_firewallservice_custom.VLAN31_SRV1.name
  }
  member {
    name = fortios_firewallservice_custom.VLAN31_SRV2.name
  }
}

--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_system.tf:
--------------------------------------------------------------------------------
resource "fortios_system_fortiguard" "fortiguard" {
  service_account_id          = var.service_account
  update_server_location      = var.service_region
  outbreak_prevention_timeout = "7"
  antispam_timeout            = "7"
  webfilter_timeout           = "15"
}

# Logs are sent offsite to FortiGate Cloud in real time
resource "fortios_logfortiguard_setting" "logging" {
  status        = "enable"
  upload_option = "realtime"
}

resource "fortios_switchcontroller_system" "switch" {
  tunnel_mode = "strict"
}

# Do not let a USB drive replace the configuration or firmware at boot
resource "fortios_system_autoinstall" "autoinstall" {
  auto_install_config = "disable"
  auto_install_image  = "disable"
}

resource "fortios_system_settings" "multiple_int_policy" {
  gui_multiple_interface_policy = "enable"
}
--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_users.tf:
--------------------------------------------------------------------------------
# Define the user groups to be used in policies
resource "fortios_user_group" "Admin" {
  name = "Admin"
  match {
    server_name = var.radname
    group_name  = "FirewallAdmin"
  }
  member {
    name = var.radname
  }
  depends_on = [
    fortios_user_radius.radius
  ]
}
resource "fortios_user_group" "VLAN20_usergroup" {
  name = var.VLAN20_usergroup
  match {
    server_name = var.radname
    group_name  = var.VLAN20_usergroup
  }
  member {
    name = var.radname
  }
  depends_on = [
    fortios_user_radius.radius
  ]
}
resource "fortios_user_group" "VLAN30_usergroup" {
  name = var.VLAN30_usergroup
  match {
    server_name = var.radname
    group_name  = var.VLAN30_usergroup
  }
  member {
    name = var.radname
  }
  depends_on = [
    fortios_user_radius.radius
  ]
}
resource "fortios_user_group" "VLAN70_usergroup" {
  name = var.VLAN70_usergroup
  match {
    server_name = var.radname
    group_name  = var.VLAN70_usergroup
  }
  member {
    name = var.radname
  }
  depends_on = [
    fortios_user_radius.radius
  ]
}
--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_wireless.tf:
--------------------------------------------------------------------------------
resource "fortios_wirelesscontroller_wtpprofile" "Corp_Wireless" {
  name               = var.wtp_profile
  handoff_sta_thresh = "30"
  platform {
    type = var.ap_type
  }
  radio_1 {
    band    = "802.11n,g-only"
    vap_all = "bridge"
    channel {
      chan = "1"
    }
    channel {
      chan = "6"
    }
    channel {
      chan = "11"
    }
  }
  radio_2 {
    band    = "802.11ac"
    vap_all = "bridge"
    channel {
      chan = "36"
    }
    channel {
      chan = "40"
    }
    channel {
      chan = "44"
    }
    channel {
      chan = "48"
    }
    channel {
      chan = "52"
    }
    channel {
      chan = "56"
    }
    channel {
      chan = "60"
    }
    channel {
      chan = "64"
    }
    channel {
      chan = "100"
    }
    channel {
      chan = "104"
    }
    channel {
      chan = "108"
    }
    channel {
      chan = "112"
    }
    channel {
      chan = "116"
    }
    channel {
      chan = "120"
    }
    channel {
      chan = "124"
    }
    channel {
      chan = "128"
    }
    channel {
      chan = "132"
    }
    channel {
      chan = "136"
    }
    channel {
      chan = "140"
    }
    channel {
      chan = "144"
    }
    channel {
      chan = "149"
    }
    channel {
      chan = "153"
    }
    channel {
      chan = "157"
    }
    channel {
      chan = "161"
    }
    channel {
      chan = "165"
    }
  }
}

resource "fortios_wirelesscontroller_wtp" "AP" {
  admin       = "enable"
  name        = var.ap_SN
  wtp_profile = var.wtp_profile # Apply the wtp_profile here.
  # However, when using a legacy FAP, change the variable to var.wtp_profile-legacy, and uncomment the radio_1 and radio_2 settings below
  /*
  radio_1 {
    override_vaps = "enable"
    vap_all       = "bridge"
  }
  radio_2 {
    override_vaps = "enable"
    vap_all       = "bridge"
  }
  */
}

resource "fortios_wirelesscontroller_vap" "SSID1" {
  name           = var.SSID1
  schedule       = "always"
  ssid           = var.SSID1
  security       = "wpa2-only-enterprise"
  auth           = "usergroup"
  local_bridging = "enable"
  usergroup {
    name = var.VLAN20_usergroup
  }
  vlanid = 20
  depends_on = [
    fortios_user_group.VLAN20_usergroup
  ]
}

resource "fortios_wirelesscontroller_vap" "SSID2" {
  name           = var.SSID2
  ssid           = var.SSID2
  security       = "wpa2-only-enterprise"
  auth           = "usergroup"
  local_bridging = "enable"
  usergroup {
    name = var.VLAN70_usergroup
  }
  schedule = "always"
  vlanid   = 70
  depends_on = [
    fortios_user_group.VLAN70_usergroup
  ]
}

resource "fortios_wirelesscontroller_vap" "SSID3" {
  name           = var.SSID3
  ssid           = var.SSID3
  security       = "wpa2-only-enterprise"
  auth           = "usergroup"
  local_bridging = "enable"
  usergroup {
    name = var.VLAN30_usergroup
  }
  schedule = "always"
  vlanid   = 30
  depends_on = [
    fortios_user_group.VLAN30_usergroup
  ]
}
--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/ngfw_zaddresses.tf:
--------------------------------------------------------------------------------
resource "fortios_firewall_address" "LAN" {
  name   = "LAN"
  subnet = var.vlan1_subnet
}
resource "fortios_firewall_address" "VLAN20" {
  name   = var.VLAN20_name
  subnet = var.VLAN20_subnet
}
resource "fortios_firewall_address" "VLAN21" {
  name   = var.VLAN21_name
  subnet = var.VLAN21_subnet
}
# Two firewall address objects are created for the same IP to keep the naming convention for the service group.
# This simplifies the template to account for using a second server/IP address at the expense of duplicating the object for services hosted on the same IP address.
resource "fortios_firewall_address" "VLAN21_SRV1" {
  name                 = var.VLAN21_SRV_name1
  subnet               = var.VLAN21_SRV_IP_Subnet
  associated_interface = var.VLAN21_name
  depends_on = [
    fortios_system_interface.VLAN21
  ]
}
resource "fortios_firewall_address" "VLAN21_SRV2" {
  name                 = var.VLAN21_SRV_name2
  subnet               = var.VLAN21_SRV_IP_Subnet
  associated_interface = var.VLAN21_name
  depends_on = [
    fortios_system_interface.VLAN21
  ]
}
resource "fortios_firewall_address" "VLAN30" {
  name   = var.VLAN30_name
  subnet = var.VLAN30_subnet
}
resource "fortios_firewall_address" "VLAN31" {
  name   = var.VLAN31_name
  subnet = var.VLAN31_subnet
}
resource "fortios_firewall_address" "VLAN31_SRV1" {
  name                 = var.VLAN31_SRV_name1
  subnet               = var.VLAN31_SRV_IP_Subnet
  associated_interface = var.VLAN31_name
  depends_on = [
    fortios_system_interface.VLAN31
  ]
}
resource "fortios_firewall_address" "VLAN31_SRV2" {
  name                 = var.VLAN31_SRV_name2
  subnet               = var.VLAN31_SRV_IP_Subnet
  associated_interface = var.VLAN31_name
  depends_on = [
    fortios_system_interface.VLAN31
  ]
}
resource "fortios_firewall_address" "VLAN40" {
  name   = var.VLAN40_name
  subnet = var.VLAN40_subnet
}
resource "fortios_firewall_address" "VLAN50" {
  name   = var.VLAN50_name
  subnet = var.VLAN50_subnet
}
resource "fortios_firewall_address" "VLAN50_SRV" {
  name                 = var.VLAN50_SRV_name
  subnet               = var.VLAN50_SRV_IP_Subnet
  associated_interface = var.VLAN50_name
  depends_on = [
    fortios_system_interface.VLAN50
  ]
}
resource "fortios_firewall_address" "VLAN60" {
  name   = var.VLAN60_name
  subnet = var.VLAN60_subnet
}
resource "fortios_firewall_address" "VLAN70" {
  name   = var.VLAN70_name
  subnet = var.VLAN70_subnet
}
resource "fortios_firewall_address" "RFC-1918-10" {
  name   = "RFC-1918-10"
  subnet = "10.0.0.0 255.0.0.0"
}
resource "fortios_firewall_address" "RFC-1918-172" {
  name   = "RFC-1918-172"
  subnet = "172.16.0.0 255.240.0.0"
}
resource "fortios_firewall_address" "RFC-1918-192" {
  name = "RFC-1918-192"
  # RFC 1918 reserves 192.168.0.0/16 (mask 255.255.0.0); a /24 here would leave
  # the 192.168.20.0-192.168.70.0 VLAN subnets above outside the RFC-1918 group.
  subnet = "192.168.0.0 255.255.0.0"
}
resource "fortios_firewall_addrgrp" "RFC-1918" {
  name = "RFC-1918"
  member {
    name = fortios_firewall_address.RFC-1918-10.name
  }
  member {
    name = fortios_firewall_address.RFC-1918-172.name
  }
  member {
    name = fortios_firewall_address.RFC-1918-192.name
  }
}
resource "fortios_firewall_address" "VLAN20_net" {
  name   = var.VLAN20_name_net
  subnet = var.VLAN20_subnet
}
resource "fortios_firewall_address" "VLAN21_net" {
  name   = var.VLAN21_name_net
  subnet = var.VLAN21_subnet
}
resource "fortios_firewall_address" "VLAN30_net" {
  name   = var.VLAN30_name_net
  subnet = var.VLAN30_subnet
}
resource "fortios_firewall_address" "VLAN31_net" {
  name   = var.VLAN31_name_net
  subnet = var.VLAN31_subnet
}
resource "fortios_firewall_address" "VLAN40_net" {
  name   = var.VLAN40_name_net
  subnet = var.VLAN40_subnet
}
resource "fortios_firewall_address" "VLAN50_net" {
  name   = var.VLAN50_name_net
  subnet = var.VLAN50_subnet
}
resource "fortios_firewall_address" "VLAN60_net" {
  name   = var.VLAN60_name_net
  subnet = var.VLAN60_subnet
}
resource "fortios_firewall_address" "VLAN70_net" {
  name   = var.VLAN70_name_net
  subnet = var.VLAN70_subnet
}
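An address group such as RFC-1918 is only as good as its members' masks. RFC 1918 reserves 192.168.0.0/16, but the RFC-1918-192 object as the upstream repository publishes it carries a 255.255.255.0 mask, so the group does not contain the 192.168.20.0/24 to 192.168.70.0/24 VLAN subnets the rest of the template defines, and a policy that references the group would silently not match them. The following Python check is an added example, not part of the 4D-Demo repository: it parses FortiOS "ip mask" strings, rejects the x.x.x.x placeholders that terraform.tfvars ships with instead of coercing them into a real network, and reports which VLAN subnets fall outside the group. The object and subnet values below are constructed from this template's ngfw_zaddresses.tf and terraform.tfvars.

```python
"""Verify that the RFC-1918 address group covers the template's VLAN subnets.

Added example; not part of the 4D-Demo repository.  Object and subnet values
are constructed from ngfw_zaddresses.tf and terraform.tfvars in this template.
"""
import ipaddress
import re

# FortiOS (and this template's tfvars) write subnets as "address netmask".
_DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_concrete_subnet(value: str) -> bool:
    """True for "a.b.c.d m.m.m.m"; False for tfvars placeholders like "x.x.x.x ..."."""
    parts = value.split()
    return len(parts) == 2 and all(_DOTTED_QUAD.match(p) for p in parts)


def parse_fortios_subnet(value: str) -> ipaddress.IPv4Network:
    """Convert a FortiOS "ip mask" string to an IPv4Network.

    Placeholders are rejected instead of being coerced into something like
    0.0.0.0/24, which is how an unedited tfvars file would otherwise slip
    through.  strict=False lets an interface address such as
    "192.168.20.254 255.255.255.0" normalise to 192.168.20.0/24.
    """
    if not is_concrete_subnet(value):
        raise ValueError(f"not a concrete FortiOS subnet: {value!r}")
    ip, mask = value.split()
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def uncovered_subnets(group_members: dict, subnets: dict) -> dict:
    """Return {name: cidr} for every subnet that no group member contains."""
    member_nets = [parse_fortios_subnet(v) for v in group_members.values()]
    missing = {}
    for name, value in subnets.items():
        net = parse_fortios_subnet(value)
        if not any(net.subnet_of(m) for m in member_nets):
            missing[name] = str(net)
    return missing


# Constructed from ngfw_zaddresses.tf, with the RFC-1918-192 member as the
# upstream file defines it (a /24, not the /16 that RFC 1918 reserves).
RFC1918_AS_PUBLISHED = {
    "RFC-1918-10": "10.0.0.0 255.0.0.0",
    "RFC-1918-172": "172.16.0.0 255.240.0.0",
    "RFC-1918-192": "192.168.0.0 255.255.255.0",
}
# The same group with the 192.168.0.0/16 mask.
RFC1918_FULL = {**RFC1918_AS_PUBLISHED, "RFC-1918-192": "192.168.0.0 255.255.0.0"}

# Constructed from the VLAN*_subnet values in terraform.tfvars.
VLAN_SUBNETS = {
    f"VLAN{n}": f"192.168.{n}.0 255.255.255.0" for n in (20, 21, 30, 31, 40, 50, 60, 70)
}

if __name__ == "__main__":
    for label, group in (("as published", RFC1918_AS_PUBLISHED), ("/16 mask", RFC1918_FULL)):
        missing = uncovered_subnets(group, VLAN_SUBNETS)
        print(f"RFC-1918 group ({label}): {len(missing)} VLAN subnet(s) not covered: {missing}")
```

Running the script shows eight uncovered subnets with the published /24 and none with the /16; the same `uncovered_subnets` check can be pointed at any address group and the set of subnets a policy is meant to protect before `terraform apply`.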
--------------------------------------------------------------------------------
/4D-NGFW/NGFW-Terraform/terraform.tfvars:
--------------------------------------------------------------------------------
# The default configuration changes the admin https port from 443 to 9443. You may update the host to reflect the port change using x.x.x.x:9443
host = "x.x.x.x:9443"
token = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

#Global settings
hostname = "FW_FLR1"
admin_https_port = "9443" # If you change this setting, ensure that the port in the host IP:port setting is updated
admin_ssh_port = "9922"

# RADIUS server settings
radserver = "x.x.x.x"
radpass = ""
radname = "RADIUS" # this name is how the radius server appears on the FortiGate.

# admin vars
trusthost = "x.x.x.x/24"
fortitoken = "FTKMOBxxxxxxxxxx" # replace with 1 of 2 free FortiToken S/Ns from User & Authentication > FortiTokens
adminemail = ""
adminpassword = "" # Comment out if you want to be prompted for password during terraform apply

# Interface mappings
WAN_INT = "port1"
LAN_INT = "port2"
MGMT_INT = "port3"

# Interfaces
LAN_addr = "x.x.x.x 255.255.255.0"
MGMT_addr = "x.x.x.x 255.255.255.0"
vlan_netmask = "255.255.255.0"

## VLAN-internal (1)
vlan1_default_gw = "x.x.x.x"
vlan1_start = "x.x.x.x"
vlan1_end = "x.x.x.x"
vlan1_int = "port2"
vlan1_subnet = "x.x.x.x 255.255.255.0"

## Addresses for VLAN20 - VLAN 70 typically do not require editing unless there is an IP conflict.
## VLAN20
VLAN20_IP = "192.168.20.254 255.255.255.0"
VLAN20_default_gw = "192.168.20.254"
VLAN20_start = "192.168.20.10"
VLAN20_end = "192.168.20.253"
VLAN20_int = "VLAN20" #This matches the interface on the Fortigate
VLAN20_name = "VLAN20" #This could be "IT" or "Sales"
VLAN20_subnet = "192.168.20.0 255.255.255.0"
VLAN20_usergroup = "IT"
VLAN20_name_net = "VLAN20_net"

## VLAN21
VLAN21_IP = "192.168.21.254 255.255.255.0" #interface IP
VLAN21_default_gw = "192.168.21.254"
VLAN21_start = "192.168.21.10"
VLAN21_end = "192.168.21.253"
VLAN21_int = "VLAN21"
VLAN21_name = "VLAN21"
VLAN21_subnet = "192.168.21.0 255.255.255.0"
VLAN21_name_net = "VLAN21_net"
VLAN21_SRV_IP = "192.168.21.1"
VLAN21_SRV_IP_Subnet = "192.168.21.1 255.255.255.255"
VLAN21_SRV_port1 = "8765"
VLAN21_SRV_port2 = "6543"
VLAN21_SRV_name1 = "IT_SRV1"
VLAN21_SRV_name2 = "IT_SRV2"
VLAN21_SRV_GRP_NAME = "IT_Services"

## VLAN30
VLAN30_IP = "192.168.30.254 255.255.255.0"
VLAN30_default_gw = "192.168.30.254"
VLAN30_start = "192.168.30.10"
VLAN30_end = "192.168.30.253"
VLAN30_int = "VLAN30"
VLAN30_name = "VLAN30"
VLAN30_name_net = "VLAN30_net"
VLAN30_subnet = "192.168.30.0 255.255.255.0"
VLAN30_usergroup = "Engineering"

## VLAN31
VLAN31_IP = "192.168.31.254 255.255.255.0"
VLAN31_default_gw = "192.168.31.254"
VLAN31_start = "192.168.31.10"
VLAN31_end = "192.168.31.253"
VLAN31_int = "VLAN31"
VLAN31_name = "VLAN31"
VLAN31_name_net = "VLAN31_net"
VLAN31_subnet = "192.168.31.0 255.255.255.0"
VLAN31_SRV_IP = "192.168.31.1"
VLAN31_SRV_IP_Subnet = "192.168.31.1 255.255.255.255"
VLAN31_SRV_port1 = "5678"
VLAN31_SRV_port2 = "4678"
VLAN31_SRV_name1 = "ENG_SRV1"
VLAN31_SRV_name2 = "ENG_SRV2"
VLAN31_SRV_GRP_NAME = "ENG_Services"

## VLAN40
VLAN40_IP = "192.168.40.254 255.255.255.0"
VLAN40_default_gw = "192.168.40.254"
VLAN40_start = "192.168.40.10"
VLAN40_end = "192.168.40.253"
VLAN40_int = "VLAN40"
VLAN40_name = "VLAN40"
VLAN40_name_net = "VLAN40_net"
VLAN40_subnet = "192.168.40.0 255.255.255.0"

## VLAN50
VLAN50_IP = "192.168.50.254 255.255.255.0"
VLAN50_default_gw = "192.168.50.254"
VLAN50_start = "192.168.50.10"
VLAN50_end = "192.168.50.253"
VLAN50_int = "VLAN50"
VLAN50_name = "VLAN50"
VLAN50_name_net = "VLAN50_net"
VLAN50_subnet = "192.168.50.0 255.255.255.0"
VLAN50_SRV_name = "CORP_SRV"
VLAN50_SRV_IP_Subnet = "192.168.50.1 255.255.255.255"

## VLAN60
VLAN60_IP = "192.168.60.254 255.255.255.0"
VLAN60_default_gw = "192.168.60.254"
VLAN60_start = "192.168.60.10"
VLAN60_end = "192.168.60.253"
VLAN60_int = "VLAN60"
VLAN60_name = "VLAN60"
VLAN60_name_net = "VLAN60_net"
VLAN60_subnet = "192.168.60.0 255.255.255.0"

## VLAN70
VLAN70_IP = "192.168.70.254 255.255.255.0"
VLAN70_default_gw = "192.168.70.254"
VLAN70_start = "192.168.70.10"
VLAN70_end = "192.168.70.253"
VLAN70_int = "VLAN70"
VLAN70_name = "VLAN70"
VLAN70_name_net = "VLAN70_net"
VLAN70_subnet = "192.168.70.0 255.255.255.0"
VLAN70_usergroup = "Staff"

# wireless
wtp_profile = "Corp_Wireless"
ap_type = "" # select AP type from list below. Use value in left column
ap_SN = "xxxxxxxxxxxxxxxx"
wtp_profile-legacy = "FAPS321C-default" # select only if FortiAP is a legacy device.
SSID1 = "IT_WiFi"
SSID2 = "Staff_WiFi"
SSID3 = "EngineeringWiFi"

/* AP Types
AP-11N Default 11n AP.
220B FAP220B/221B.
210B FAP210B.
222B FAP222B.
112B FAP112B.
320B FAP320B.
11C FAP11C.
14C FAP14C.
223B FAP223B.
28C FAP28C.
320C FAP320C.
221C FAP221C.
25D FAP25D.
222C FAP222C.
224D FAP224D.
214B FK214B.
21D FAP21D.
24D FAP24D.
112D FAP112D.
223C FAP223C.
321C FAP321C.
S321C FAPS321C.
S322C FAPS322C.
S323C FAPS323C.
S311C FAPS311C.
S313C FAPS313C.
S321CR FAPS321CR.
S322CR FAPS322CR.
S323CR FAPS323CR.
S421E FAPS421E.
S422E FAPS422E.
S423E FAPS423E.
421E FAP421E.
423E FAP423E.
221E FAP221E.
222E FAP222E.
223E FAP223E.
224E FAP224E.
231E FAP231E.
S221E FAPS221E.
S223E FAPS223E.
321E FAP321E.
431F FAP431F.
431FL FAP431FL.
432F FAP432F.
432FR FAP432FR.
433F FAP433F.
433FL FAP433FL.
231F FAP231F.
231FL FAP231FL.
234F FAP234F.
23JF FAP23JF.
831F FAP831F.
231G FAP231G.
233G FAP233G.
431G FAP431G.
433G FAP433G.
U421E FAPU421EV.
U422EV FAPU422EV.
U423E FAPU423EV.
U221EV FAPU221EV.
U223EV FAPU223EV.
U24JEV FAPU24JEV.
U321EV FAPU321EV.
U323EV FAPU323EV.
U431F FAPU431F.
U433F FAPU433F.
U231F FAPU231F.
U234F FAPU234F.
U432F FAPU432F.
*/

# FortiGate Cloud logging
service_account = ""
service_region = "automatic" # Region can be automatic, usa, or eu
--------------------------------------------------------------------------------
/4D-NGFW/README.MD:
--------------------------------------------------------------------------------
# NGFW demonstration configurations (4-D)
4-D Demo configurations are a collection of configurations which complement the preceding 3 Ds: Define, Design, and Deploy.

The directories are:

## [NGFW-Demo-Config](NGFW-Demo-Config)

- This is a basic NGFW configuration for setting up an NGFW firewall for a small/medium sized business.

- Settings must be entered manually from the FortiGate CLI

## [NGFW-Terraform](NGFW-Terraform)

- This utilizes Terraform to provision an NGFW firewall from a factory default FortiGate.

- There are slight variations from the settings in NGFW-Demo-Config, but it otherwise serves a similar purpose.
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Branches/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub with VPN overlay and BGP routing - Branches

This configuration is for branches connecting back to dual hubs to access internal resources. There is also a local internet breakout so the branches may access public internet resources directly.

For more details on SD-WAN rules, please see the [SD-WAN rules](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/716691/sd-wan-rules) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) IPsec settings, such as phase1 proposal and PSK.

2) port1 and port2 are used for WAN1 and WAN2 respectively. Replace them with the ports you use for your WAN connections.

3) A health-check server is used to measure SLA. You should adjust this to better reflect your traffic of interest by defining your own performance SLA. Please see the [performance SLA](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/584396/performance-sla) chapter of the FortiGate admin guide.

4) WAN2 is the less preferred link and should only be used if WAN1 does not meet SLA.
This applies to the VPN connections overlaying each WAN link. If the health-check to the DC over WAN1-VPN1 fails to meet SLA, traffic may take WAN2-VPN1 to the DC.

5) The branches use the local subnets 10.1.0.0/16. Adjust the "Branch-NET" object to match your LAN subnet.

6) The VPN dialup gateways (HUB WAN interfaces) are statically configured IP addresses that will need to be changed to match your hub's public WAN IP addresses.
7) The BGP AS number is 65000 and the router ID is the loopback interface's IP address: 172.16.200.x, where x is unique to the branch.

# Changes between branches

1) LAN subnet.

2) Loopback interface IP address.

3) BGP router ID (uses loopback address).

4) IPsec phase1-interface local-id.

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/DH_SD_overlay_bgp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.0/Dual hub/DH_SD_overlay_bgp.png
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/DH_SD_overlay_ipsec.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.0/Dual hub/DH_SD_overlay_ipsec.png
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/DH_SD_underlay.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.0/Dual hub/DH_SD_underlay.png
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/ADVPN/Branches/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub ADVPN - Branches

This configuration is to enable ADVPN on the branches. ADVPN (Auto Discovery VPN) is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish dynamic, on-demand, direct tunnels between each other to avoid routing through the topology's hub device.

The spoke overlays are set up as ADVPN receivers. This includes IPsec phase 1 and BGP neighbor settings.

SD-WAN rules are modified to steer Branch-NET traffic across the ADVPN dynamic tunnels.

Firewall policies are modified to permit Branch to Branch traffic.

For more details on ADVPN and SD-WAN, please see the [ADVPN and shortcut paths](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/985659/advpn-and-shortcut-paths) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) Firewall policy ID 3 is created and must not previously exist.


# Changes between branches

None.

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/ADVPN/Branches/dual_hub_Branch1_ADVPN.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set auto-discovery-receiver enable
    next
    edit "HUB1-VPN2"
        set auto-discovery-receiver enable
    next
    edit "HUB2-VPN1"
        set auto-discovery-receiver enable
    next
    edit "HUB2-VPN2"
        set auto-discovery-receiver enable
    next
end


config router bgp
    config neighbor
        edit "10.10.10.253"
            set additional-path receive
        next
        edit "10.10.11.253"
            set additional-path receive
        next
        edit "10.10.13.253"
            set additional-path receive
        next
        edit "10.10.14.253"
            set additional-path receive
        next
    end
end

config system sdwan
    config service
        edit 2
            set dst "Datacenter" "Branch-NET"
        next
    end
end

config firewall policy
    edit 3
        set name "Remote Branches"
        set srcintf "HUB1" "HUB2"
        set dstintf "port3"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Branch-NET"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Branch to Branch Policy"
    next
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/ADVPN/Branches/dual_hub_Branch2_ADVPN.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set auto-discovery-receiver enable
    next
    edit "HUB1-VPN2"
        set auto-discovery-receiver enable
    next
    edit "HUB2-VPN1"
        set auto-discovery-receiver enable
    next
    edit "HUB2-VPN2"
        set auto-discovery-receiver enable
    next
end


config router bgp
    config neighbor
        edit "10.10.10.253"
            set additional-path receive
        next
        edit "10.10.11.253"
            set additional-path receive
        next
        edit "10.10.13.253"
            set additional-path receive
        next
        edit "10.10.14.253"
            set additional-path receive
        next
    end
end

config system sdwan
    config service
        edit 2
            set dst "Datacenter" "Branch-NET"
        next
    end
end

config firewall policy
    edit 3
        set name "Remote Branches"
        set srcintf "HUB1" "HUB2"
        set dstintf "port3"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Branch-NET"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Branch to Branch Policy"
    next
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/ADVPN/Hubs/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub ADVPN - HUB

This configuration is to enable ADVPN on the hub. ADVPN (Auto Discovery VPN) is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish dynamic, on-demand, direct tunnels between each other to avoid routing through the topology's hub device.

The hub VPN overlays are set up as ADVPN senders. This includes IPsec phase 1 and BGP neighbor settings to allow for 4 additional paths to be sent to each of the overlays.

Policy routes are created for ADVPN "stickiness". Stickiness is required to prevent private links from receiving public link shortcuts, for example when one link is a public ISP connection and the other is a private MPLS line.

The firewall policies are modified to permit Branch to Branch traffic.

For more details on ADVPN and SD-WAN, please see the [ADVPN and shortcut paths](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/985659/advpn-and-shortcut-paths) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) A firewall policy with ID 5 is created and must not previously exist.

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/ADVPN/Hubs/dual_hub_HUB1_ADVPN.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "VPN1"
        set auto-discovery-sender enable
    next
    edit "VPN2"
        set auto-discovery-sender enable
    next
end


config router bgp
    set additional-path enable
    set additional-path-select 4
    config neighbor-group
        edit "VPN1"
            set additional-path send
        next
        edit "VPN2"
            set additional-path send
        next
    end
end

config router policy
    edit 1
        set input-device "VPN1"
        set srcaddr "all"
        set dstaddr "all"
        set output-device "VPN1"
    next
    edit 2
        set input-device "VPN2"
        set srcaddr "all"
        set dstaddr "all"
        set output-device "VPN2"
    next
end


config firewall policy
    edit 5
        set name "Branch to Branch"
        set srcintf "virtual-wan-link"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Branch-NET"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set logtraffic all
    next
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/ADVPN/Hubs/dual_hub_HUB2_ADVPN.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "VPN1"
        set auto-discovery-sender enable
    next
    edit "VPN2"
        set auto-discovery-sender enable
    next
end


config router bgp
    set additional-path enable
    set additional-path-select 4
    config neighbor-group
        edit "VPN1"
            set additional-path send
        next
        edit "VPN2"
            set additional-path send
        next
    end
end

config router policy
    edit 1
        set input-device "VPN1"
        set srcaddr "all"
        set dstaddr "all"
        set output-device "VPN1"
    next
    edit 2
        set input-device "VPN2"
        set srcaddr "all"
        set dstaddr "all"
        set output-device "VPN2"
    next
end


config firewall policy
    edit 5
        set name "Branch to Branch"
        set srcintf "virtual-wan-link"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Branch-NET"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set logtraffic all
    next
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/ADVPN/readme.md:
--------------------------------------------------------------------------------
# ADVPN General

ADVPN is used to dynamically build overlay tunnels between devices in an SDWAN region. The SDWAN HUB will be the ADVPN sender that provides Branches with the necessary details to establish their own tunnels as necessary.

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/Adaptive FEC/Branches/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub adaptive forward error correction - Branches

This configuration is to enable adaptive FEC on the branches. Forward Error Correction (FEC) is used to control and correct errors in data transmission by sending redundant data across the VPN in anticipation of dropped packets occurring during transit. The mechanism sends out x number of redundant packets for every y number of base packets.

FEC is enabled on the desired firewall policy.

Mappings are set up with desired FEC parameters.

FEC mapping is applied to IPsec phase 1 tunnel settings and FEC is enabled on ingress and egress.

A health check server is selected to monitor packet loss on a given overlay.

For more details on adaptive FEC, please see the [Adaptive Forward Error Correction](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/169010/adaptive-forward-error-correction) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) A custom application service is defined as udp port 5000. This should be adjusted to meet your business' needs.

2) Thresholds and settings for FEC should be tuned to the application and business needs. In this configuration, FEC parity bits were adjusted to be more aggressive during higher packet loss situations than the defaults.


# Changes between branches

None.
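The README describes FEC as x redundant packets per y base packets, and the branch configs in this directory carry two mappings in the "dc_fec" profile (base 8 / redundant 2 from 5% measured loss, base 5 / redundant 2 from 10%). Before tuning such thresholds it helps to put numbers on the trade-off: the parity overhead each mapping adds, and the loss an application would still see. The following Python is an added example and not part of the 4D-Demo repository; the mapping values are constructed from dual_hub_Branch1_adaptive-fec.txt. Two things are assumptions of the example rather than FortiGate behaviour stated on the page: when several thresholds are reached, the mapping with the highest threshold is taken, and a block of base + redundant packets is fully repaired whenever at most `redundant` of its packets are lost (an ideal erasure code with independent losses).

```python
"""Reason about the adaptive FEC mappings used by the branch configs.

Added example; not part of the 4D-Demo repository.  The two mappings are
constructed from the "dc_fec" profile in dual_hub_Branch1_adaptive-fec.txt.
Assumptions of this example, not FortiOS behaviour taken from the page:
(1) when several mappings' thresholds are reached, the one with the highest
packet-loss-threshold is applied; (2) a block of base + redundant packets is
fully repaired whenever at most `redundant` of them are lost (an ideal
erasure code), and packet losses are independent.
"""
from dataclasses import dataclass
from math import comb
from typing import Iterable, Optional


@dataclass(frozen=True)
class FecMapping:
    base: int                   # data packets per FEC block
    redundant: int              # parity packets added per block
    packet_loss_threshold: int  # measured loss (percent) at which it applies

    @property
    def overhead(self) -> float:
        """Parity traffic as a fraction of the data traffic (8/2 -> 0.25)."""
        return self.redundant / self.base


# Constructed from dual_hub_Branch1_adaptive-fec.txt, profile "dc_fec".
DC_FEC = (
    FecMapping(base=8, redundant=2, packet_loss_threshold=5),
    FecMapping(base=5, redundant=2, packet_loss_threshold=10),
)


def select_mapping(mappings: Iterable[FecMapping], loss_percent: float) -> Optional[FecMapping]:
    """Mapping whose threshold is the highest one the measured loss reaches;
    None when no threshold is reached (no parity is sent).  Assumption (1)."""
    eligible = [m for m in mappings if loss_percent >= m.packet_loss_threshold]
    return max(eligible, key=lambda m: m.packet_loss_threshold) if eligible else None


def _loss_distribution(mapping: FecMapping, loss_percent: float):
    """P(k packets of a base+redundant block are lost) for k = 0..n (binomial)."""
    p = loss_percent / 100.0
    n = mapping.base + mapping.redundant
    return [comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(n + 1)]


def block_loss_probability(mapping: FecMapping, loss_percent: float) -> float:
    """Probability a block loses more packets than its parity can repair.  Assumption (2)."""
    dist = _loss_distribution(mapping, loss_percent)
    return 1.0 - sum(dist[: mapping.redundant + 1])


def residual_loss_percent(mapping: FecMapping, loss_percent: float) -> float:
    """Loss the application still sees (percent of data packets).

    Blocks with at most `redundant` losses are repaired completely.  In an
    unrepairable block with k losses, on average k * base / n of the lost
    packets are data packets, so the residual rate is sum_k P(k) * k / n.
    """
    dist = _loss_distribution(mapping, loss_percent)
    n = mapping.base + mapping.redundant
    lost = sum(dist[k] * k / n for k in range(mapping.redundant + 1, n + 1))
    return 100.0 * lost


def fec_report(mappings: Iterable[FecMapping], loss_percent: float) -> dict:
    """Summarise what the profile does at a given measured loss."""
    m = select_mapping(mappings, loss_percent)
    if m is None:
        return {"mapping": None, "overhead": 0.0, "residual_loss_percent": loss_percent}
    return {
        "mapping": f"{m.base}/{m.redundant}",
        "overhead": m.overhead,
        "residual_loss_percent": residual_loss_percent(m, loss_percent),
    }


if __name__ == "__main__":
    for loss in (2, 5, 10, 20):
        print(f"{loss:>3}% measured loss -> {fec_report(DC_FEC, loss)}")
```

At 5% measured loss the 8/2 mapping costs 25% extra bandwidth and brings application-visible loss down to roughly 0.36%; at 10% the 5/2 mapping costs 40% and leaves roughly 1.1%. Those are the numbers to weigh against the overlay's spare capacity when the README's "more aggressive" thresholds are tuned.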

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/Adaptive FEC/Branches/dual_hub_Branch1_adaptive-fec.txt:
--------------------------------------------------------------------------------
config firewall service custom
    edit "CustomApp-5000"
        set udp-portrange 5000
    next
end

config firewall policy
    edit 4
        set name "FEC test"
        set srcintf "port3"
        set dstintf "HUB1" "HUB2"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Datacenter"
        set schedule "always"
        set service "CustomApp-5000"
        set logtraffic all
        set fec enable
        set comments ""
    next
    move 4 before 2
end

config vpn ipsec fec
    edit "dc_fec"
        config mappings
            edit 1
                set base 8
                set redundant 2
                set packet-loss-threshold 5
            next
            edit 2
                set base 5
                set redundant 2
                set packet-loss-threshold 10
            next
        end
    next
end

config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set fec-egress enable
        set fec-ingress enable
        set fec-mapping-profile dc_fec
        set fec-health-check HUB1_HC
    next
    edit "HUB1-VPN2"
        set fec-egress enable
        set fec-ingress enable
        set fec-mapping-profile dc_fec
        set fec-health-check HUB1_HC
    next
    edit "HUB2-VPN1"
        set fec-egress enable
        set fec-ingress enable
        set fec-mapping-profile dc_fec
        set fec-health-check HUB2_HC
    next
    edit "HUB2-VPN2"
        set fec-egress enable
        set fec-ingress enable
        set fec-mapping-profile dc_fec
        set fec-health-check HUB2_HC
    next
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/Adaptive FEC/Branches/dual_hub_Branch2_adaptive-fec.txt:
--------------------------------------------------------------------------------
config firewall service custom
    edit "CustomApp-5000"
        set udp-portrange 5000
    next
end

config firewall policy
    edit 4
        set name "FEC test"
        set srcintf "port3"
        set dstintf "HUB1" "HUB2"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Datacenter"
        set schedule "always"
        set service "CustomApp-5000"
        set logtraffic all
        set fec enable
        set comments ""
    next
    move 4 before 2
end

config vpn ipsec fec
    edit "dc_fec"
        config mappings
            edit 1
                set base 8
                set redundant 2
                set packet-loss-threshold 5
            next
            edit 2
                set base 5
                set redundant 2
                set packet-loss-threshold 10
            next
        end
    next
end

config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set fec-egress enable
        set fec-ingress enable
        set fec-mapping-profile dc_fec
        set fec-health-check HUB1_HC
    next
    edit "HUB1-VPN2"
        set fec-egress enable
        set fec-ingress enable
        set fec-mapping-profile dc_fec
        set fec-health-check HUB1_HC
    next
    edit "HUB2-VPN1"
        set fec-egress enable
        set fec-ingress enable
        set fec-mapping-profile dc_fec
        set fec-health-check HUB2_HC
    next
    edit "HUB2-VPN2"
        set fec-egress enable
        set fec-ingress enable
        set fec-mapping-profile dc_fec
        set fec-health-check HUB2_HC
    next
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Dual hub/Extensions/Adaptive FEC/Hubs/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub adaptive forward error correction - HUBS

This configuration is to enable adaptive FEC on the hub. Forward Error Correction (FEC) is used to control and correct errors in data transmission by sending redundant data across the VPN in anticipation of dropped packets occurring during transit.
The mechanism sends out x number of redundant packets for every y number of base packets. 4 | 5 | FEC is enabled in IPsec phase 1 settings of each overlay. 6 | 7 | FED is enabled on desired firewall policies. 8 | 9 | For more details on adaptive FEC, please see the [Adaptive Forward Error Correction](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/169010/adaptive-forward-error-correction) chapter of the FortiGate admin guide. 10 | 11 | # Assumptions 12 | 13 | The following settings are specific to the demo and should be changed to fit your environment as necessary. 14 | 15 | 1) A custom application service is defined as udp port 5000. This should be adjusted to meet your business' needs. 16 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/Adaptive FEC/Hubs/dual_hub_HUB1_adaptive-fec.txt: -------------------------------------------------------------------------------- 1 | config vpn ipsec phase1-interface 2 | edit "VPN1" 3 | set fec-egress enable 4 | set fec-ingress enable 5 | next 6 | edit "VPN2" 7 | set fec-egress enable 8 | set fec-ingress enable 9 | next 10 | end 11 | 12 | config firewall service custom 13 | edit "CustomApp-5000" 14 | set udp-portrange 5000 15 | next 16 | end 17 | 18 | config firewall policy 19 | edit 6 20 | set status enable 21 | set srcintf "virtual-wan-link" 22 | set dstintf "port3" 23 | set action accept 24 | set srcaddr "Branch-NET" 25 | set dstaddr "Datacenter" 26 | set schedule "always" 27 | set service "CustomApp-5000" 28 | set fec enable 29 | next 30 | move 6 before 2 31 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/Adaptive FEC/Hubs/dual_hub_HUB2_adaptive-fec.txt: -------------------------------------------------------------------------------- 1 | config vpn ipsec phase1-interface 2 | edit "VPN1" 3 | set fec-egress enable 4 | set fec-ingress enable 5 | next 6 | edit 
"VPN2" 7 | set fec-egress enable 8 | set fec-ingress enable 9 | next 10 | end 11 | 12 | config firewall service custom 13 | edit "CustomApp-5000" 14 | set udp-portrange 5000 15 | next 16 | end 17 | 18 | config firewall policy 19 | edit 6 20 | set status enable 21 | set srcintf "virtual-wan-link" 22 | set dstintf "port3" 23 | set action accept 24 | set srcaddr "Branch-NET" 25 | set dstaddr "Datacenter" 26 | set schedule "always" 27 | set service "CustomApp-5000" 28 | set fec enable 29 | next 30 | move 6 before 2 31 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/Adaptive FEC/readme.md: -------------------------------------------------------------------------------- 1 | # Adaptive FEC General 2 | 3 | Adaptive Forward Error Correction (FEC) is a WAN remediation technique that dynamically correct packet loss based on the detected packet loss on the link. 4 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/BGP Route Steering/Branches/README.md: -------------------------------------------------------------------------------- 1 | # SD-WAN dual hub BGP route steering - Branches 2 | 3 | This configuration is to enable BGP route steering on a branch. As SD-WAN intelligence affects which WAN interface is used, BGP can be leveraged to communicate these decisions to it's neighbors. 4 | 5 | Hub1 and hub2 health checks will be monitored the performance of our datacenter overlays. If an SLA fails or does not meet its minimum requirements, it will trigger its BGP neighbor to send a different route map. 6 | 7 | Under normal conditions (SLA are passing), the 'routemap-out-preferable' will be sent out to the HUB BGP neighbor. This routemap is our preferred routemap that matches our LAN addresses with a specified community # (in this example 1 for VPN 1 interfaces or 2 for VPN 2 interfaces). 
8 | 9 | An SLA failure will remove the 'routemap-out-preferable' option and use the default routemap-out option. This default routemap tags LAN traffic with a community 5 to indicate it is out of SLA for this given interface. 10 | 11 | For more details on controlling traffic with BGP route steering, please see the [controlling traffic with BGP route mapping](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/256748/controlling-traffic-with-bgp-route-mapping-and-service-rules) chapter of the FortiGate admin guide. 12 | 13 | # Assumptions 14 | 15 | The following settings are specific to the demo and should be changed to fit your environment as necessary. 16 | 17 | 1) The hub will receive bgp community strings of 65000:1, 65000:2, and 65000:5. 18 | 19 | 20 | # Changes between branches 21 | 22 | The router access-list uses the LAN subnet of a given site for the prefix. 23 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/BGP Route Steering/Branches/dual_hub_Branch1_bgp-route-steering.txt: -------------------------------------------------------------------------------- 1 | config router access-list 2 | edit "LAN1" 3 | config rule 4 | edit 1 5 | set prefix 10.1.3.0 255.255.255.0 6 | next 7 | end 8 | next 9 | end 10 | 11 | 12 | config router route-map 13 | edit "Primary" 14 | config rule 15 | edit 1 16 | set match-ip-address "LAN1" 17 | set set-community "65000:1" 18 | next 19 | end 20 | next 21 | edit "Secondary" 22 | config rule 23 | edit 1 24 | set match-ip-address "LAN1" 25 | set set-community "65000:2" 26 | next 27 | end 28 | next 29 | edit "Out-of-SLA" 30 | config rule 31 | edit 1 32 | set match-ip-address "LAN1" 33 | set set-community "65000:5" 34 | next 35 | end 36 | next 37 | end 38 | 39 | config router bgp 40 | config neighbor 41 | edit "10.10.10.253" 42 | set route-map-out "Out-of-SLA" 43 | set route-map-out-preferable "Primary" 44 | next 45 | edit "10.10.11.253" 46 | set 
route-map-out "Out-of-SLA" 47 | set route-map-out-preferable "Secondary" 48 | next 49 | edit "10.10.13.253" 50 | set route-map-out "Out-of-SLA" 51 | set route-map-out-preferable "Primary" 52 | next 53 | edit "10.10.14.253" 54 | set route-map-out "Out-of-SLA" 55 | set route-map-out-preferable "Secondary" 56 | next 57 | end 58 | end 59 | 60 | 61 | config system sdwan 62 | config neighbor 63 | edit "10.10.10.253" 64 | set member 1 65 | set health-check "HUB1_HC" 66 | set sla-id 1 67 | next 68 | edit "10.10.11.253" 69 | set member 2 70 | set health-check "HUB1_HC" 71 | set sla-id 1 72 | next 73 | edit "10.10.13.253" 74 | set member 4 75 | set health-check "HUB2_HC" 76 | set sla-id 1 77 | next 78 | edit "10.10.14.253" 79 | set member 5 80 | set health-check "HUB2_HC" 81 | set sla-id 1 82 | next 83 | end 84 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/BGP Route Steering/Branches/dual_hub_Branch2_bgp-route-steering.txt: -------------------------------------------------------------------------------- 1 | config router access-list 2 | edit "LAN1" 3 | config rule 4 | edit 1 5 | set prefix 10.1.4.0 255.255.255.0 6 | next 7 | end 8 | next 9 | end 10 | 11 | 12 | config router route-map 13 | edit "Primary" 14 | config rule 15 | edit 1 16 | set match-ip-address "LAN1" 17 | set set-community "65000:1" 18 | next 19 | end 20 | next 21 | edit "Secondary" 22 | config rule 23 | edit 1 24 | set match-ip-address "LAN1" 25 | set set-community "65000:2" 26 | next 27 | end 28 | next 29 | edit "Out-of-SLA" 30 | config rule 31 | edit 1 32 | set match-ip-address "LAN1" 33 | set set-community "65000:5" 34 | next 35 | end 36 | next 37 | end 38 | 39 | config router bgp 40 | config neighbor 41 | edit "10.10.10.253" 42 | set route-map-out "Out-of-SLA" 43 | set route-map-out-preferable "Primary" 44 | next 45 | edit "10.10.11.253" 46 | set route-map-out "Out-of-SLA" 47 | set route-map-out-preferable "Secondary" 48 | next 49 | 
edit "10.10.13.253" 50 | set route-map-out "Out-of-SLA" 51 | set route-map-out-preferable "Primary" 52 | next 53 | edit "10.10.14.253" 54 | set route-map-out "Out-of-SLA" 55 | set route-map-out-preferable "Secondary" 56 | next 57 | end 58 | end 59 | 60 | 61 | config system sdwan 62 | config neighbor 63 | edit "10.10.10.253" 64 | set member 1 65 | set health-check "HUB1_HC" 66 | set sla-id 1 67 | next 68 | edit "10.10.11.253" 69 | set member 2 70 | set health-check "HUB1_HC" 71 | set sla-id 1 72 | next 73 | edit "10.10.13.253" 74 | set member 4 75 | set health-check "HUB2_HC" 76 | set sla-id 1 77 | next 78 | edit "10.10.14.253" 79 | set member 5 80 | set health-check "HUB2_HC" 81 | set sla-id 1 82 | next 83 | end 84 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/BGP Route Steering/Hubs/README.md: -------------------------------------------------------------------------------- 1 | # SD-WAN single hub BGP route steering - HUB 2 | 3 | This configuration is to enable BGP route steering on the hub. As SD-WAN intelligence affects which WAN interface is used, BGP can be leveraged to communicate these decisions to it's neighbors. 4 | 5 | The hubs have routemaps on incoming neighbors that matches the Branch community # with a specified route-tag. 6 | -Community 1 or 2 (SLA good) are mapped to route-tag 1 & 2 respectively. 7 | Community 5 (out of SLA) is mapped to a route-tag 5. 8 | 9 | SD-WAN rules on the HUB are configured to map route-tag 1 with VPN 1 and route-tag 2 with VPN 2. Under normal conditions, Branch traffic will flow through these interfaces (VPN1 first, VPN2 second based on order). 10 | 11 | Upon SLA failure, the incoming community 5 does not match a given rule and goes to the default routing table. 
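The community-to-route-tag-to-SD-WAN-rule chain described above can be checked mechanically. The following is an added example, not part of this repository: it parses the FortiOS CLI syntax used by these files and, for every community a branch can advertise, reports which hub SD-WAN service will steer the return traffic, or `None` when the route-tag matches no service (the "default routing table" case). The sample configs are constructed from the Branch1 and HUB1 route steering files, with one FortiOS statement per list item; `parse_fortios` and `hub_steering` are names chosen here.

```python
"""Added example, not part of the 4D-SDWAN repo: parse FortiOS CLI and map each BGP
community a branch can advertise to the hub SD-WAN service that steers it."""
import shlex

# Constructed from the Branch1 route steering file above (one statement per item;
# FortiOS indentation is cosmetic and omitted here). Two of the four hub neighbors.
BRANCH_CFG = "\n".join([
    "config router route-map",
    'edit "Primary"', "config rule", "edit 1", 'set set-community "65000:1"', "next", "end", "next",
    'edit "Secondary"', "config rule", "edit 1", 'set set-community "65000:2"', "next", "end", "next",
    'edit "Out-of-SLA"', "config rule", "edit 1", 'set set-community "65000:5"', "next", "end", "next",
    "end",
    "config router bgp", "config neighbor",
    'edit "10.10.10.253"', 'set route-map-out "Out-of-SLA"',
    'set route-map-out-preferable "Primary"', "next",
    'edit "10.10.11.253"', 'set route-map-out "Out-of-SLA"',
    'set route-map-out-preferable "Secondary"', "next",
    "end", "end",
])

# Constructed from the HUB1 route steering file above: community-lists, the inbound
# route map, and the two SD-WAN services (only route-tags 1 and 2 have a service).
HUB_CFG = "\n".join([
    "config router community-list",
    'edit "65000:1"', "config rule", "edit 1", "set action permit", 'set match "65000:1"', "next", "end", "next",
    'edit "65000:2"', "config rule", "edit 1", "set action permit", 'set match "65000:2"', "next", "end", "next",
    'edit "65000:5"', "config rule", "edit 1", "set action permit", 'set match "65000:5"', "next", "end", "next",
    "end",
    "config router route-map", 'edit "VPN1-RouteMap_IN"', "config rule",
    "edit 3", 'set match-community "65000:1"', "set set-route-tag 1", "next",
    "edit 4", 'set match-community "65000:2"', "set set-route-tag 2", "next",
    "edit 5", 'set match-community "65000:5"', 'set set-aspath "65000"', "set set-route-tag 5", "next",
    "end", "next", "end",
    "config system sdwan", "config service",
    "edit 1", 'set name "ToBranch-VPN1"', "set route-tag 1", 'set src "all"', "set priority-members 1", "next",
    "edit 2", 'set name "ToBranch-VPN2"', "set route-tag 2", 'set src "all"', "set priority-members 2", "next",
    "end", "end",
])


def parse_fortios(text):
    """Nested dicts: 'config' name -> table, 'edit' id -> entry, 'set' key -> value list."""
    stack = [{}]
    for line in text.splitlines():
        parts = shlex.split(line)  # keeps quoted names such as "65000:1" intact
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
        # 'move' and other statements do not affect this check
    return stack[0]


def hub_steering(branch_cfg, hub_cfg):
    """Map each community the branch can advertise (via route-map-out or
    route-map-out-preferable) to the hub SD-WAN service whose route-tag it
    reaches, or None when no service matches that route-tag."""
    branch, hub = parse_fortios(branch_cfg), parse_fortios(hub_cfg)
    maps = branch.get("router route-map", {})
    used = {v[0] for nb in branch.get("router bgp", {}).get("neighbor", {}).values()
            for k, v in nb.items() if k in ("route-map-out", "route-map-out-preferable")}
    sent = {c for n in used for rule in maps.get(n, {}).get("rule", {}).values()
            for c in rule.get("set-community", [])}
    # Hub side: community-list permit value -> route-tag set by the inbound route map
    lists = hub.get("router community-list", {})
    tag_of = {c: rule["set-route-tag"][0]
              for rmap in hub.get("router route-map", {}).values()
              for rule in rmap.get("rule", {}).values() if "set-route-tag" in rule
              for cl in rule.get("match-community", [])
              for cl_rule in lists.get(cl, {}).get("rule", {}).values()
              if cl_rule.get("action", ["permit"])[0] == "permit"
              for c in cl_rule.get("match", [])}
    # route-tag -> SD-WAN service name; tags without a service fall to the routing table
    service_of = {svc["route-tag"][0]: svc["name"][0]
                  for svc in hub.get("system sdwan", {}).get("service", {}).values()
                  if "route-tag" in svc}
    return {c: service_of.get(tag_of.get(c)) for c in sent}
```

Running `hub_steering(BRANCH_CFG, HUB_CFG)` on the page's values yields a service for 65000:1 and 65000:2 and `None` for 65000:5; feeding it a branch that sets a community the hub never listed also yields `None`, which is the mismatch to look for after editing the assumptions.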
12 | 13 | For more details on controlling traffic with BGP route steering, please see the [controlling traffic with BGP route mapping](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/256748/controlling-traffic-with-bgp-route-mapping-and-service-rules) chapter of the FortiGate admin guide. 14 | 15 | # Assumptions 16 | 17 | The following settings are specific to the demo and should be changed to fit your environment as necessary. 18 | 19 | 1) The branches will send bgp community strings of 65000:1, 65000:2, and 65000:5. 20 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/BGP Route Steering/Hubs/dual_hub_HUB1_bgp-route-steering.txt: -------------------------------------------------------------------------------- 1 | config router community-list 2 | edit "65000:1" 3 | config rule 4 | edit 1 5 | set action permit 6 | set match "65000:1" 7 | next 8 | end 9 | next 10 | edit "65000:2" 11 | config rule 12 | edit 1 13 | set action permit 14 | set match "65000:2" 15 | next 16 | end 17 | next 18 | edit "65000:5" 19 | config rule 20 | edit 1 21 | set action permit 22 | set match "65000:5" 23 | next 24 | end 25 | next 26 | end 27 | 28 | config router route-map 29 | edit "VPN1-RouteMap_IN" 30 | config rule 31 | edit 3 32 | set match-community "65000:1" 33 | set set-route-tag 1 34 | next 35 | edit 4 36 | set match-community "65000:2" 37 | set set-route-tag 2 38 | next 39 | edit 5 40 | set match-community "65000:5" 41 | set set-aspath "65000" 42 | set set-route-tag 5 43 | next 44 | end 45 | next 46 | edit "VPN2-RouteMap_IN" 47 | config rule 48 | edit 3 49 | set match-community "65000:1" 50 | set set-route-tag 1 51 | next 52 | edit 4 53 | set match-community "65000:2" 54 | set set-route-tag 2 55 | next 56 | edit 5 57 | set match-community "65000:5" 58 | set set-route-tag 5 59 | next 60 | end 61 | next 62 | end 63 | 64 | config system sdwan 65 | config service 66 | edit 1 67 | set name 
"ToBranch-VPN1" 68 | set route-tag 1 69 | set src "all" 70 | set priority-members 1 71 | next 72 | edit 2 73 | set name "ToBranch-VPN2" 74 | set route-tag 2 75 | set src "all" 76 | set priority-members 2 77 | next 78 | end 79 | end 80 | 81 | 82 | config router bgp 83 | config neighbor-group 84 | edit "VPN1" 85 | set route-map-in "VPN1-RouteMap_IN" 86 | next 87 | edit "VPN2" 88 | set route-map-in "VPN2-RouteMap_IN" 89 | next 90 | end 91 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/BGP Route Steering/Hubs/dual_hub_HUB2_bgp-route-steering.txt: -------------------------------------------------------------------------------- 1 | config router community-list 2 | edit "65000:1" 3 | config rule 4 | edit 1 5 | set action permit 6 | set match "65000:1" 7 | next 8 | end 9 | next 10 | edit "65000:2" 11 | config rule 12 | edit 1 13 | set action permit 14 | set match "65000:2" 15 | next 16 | end 17 | next 18 | edit "65000:5" 19 | config rule 20 | edit 1 21 | set action permit 22 | set match "65000:5" 23 | next 24 | end 25 | next 26 | end 27 | 28 | config router route-map 29 | edit "VPN1-RouteMap_IN" 30 | config rule 31 | edit 3 32 | set match-community "65000:1" 33 | set set-route-tag 1 34 | next 35 | edit 4 36 | set match-community "65000:2" 37 | set set-route-tag 2 38 | next 39 | edit 5 40 | set match-community "65000:5" 41 | set set-aspath "65000" 42 | set set-route-tag 5 43 | next 44 | end 45 | next 46 | edit "VPN2-RouteMap_IN" 47 | config rule 48 | edit 3 49 | set match-community "65000:1" 50 | set set-route-tag 1 51 | next 52 | edit 4 53 | set match-community "65000:2" 54 | set set-route-tag 2 55 | next 56 | edit 5 57 | set match-community "65000:5" 58 | set set-route-tag 5 59 | next 60 | end 61 | next 62 | end 63 | 64 | config system sdwan 65 | config service 66 | edit 1 67 | set name "ToBranch-VPN1" 68 | set route-tag 1 69 | set src "all" 70 | set priority-members 1 71 | next 72 | edit 2 73 | set 
name "ToBranch-VPN2" 74 | set route-tag 2 75 | set src "all" 76 | set priority-members 2 77 | next 78 | end 79 | end 80 | 81 | 82 | config router bgp 83 | config neighbor-group 84 | edit "VPN1" 85 | set route-map-in "VPN1-RouteMap_IN" 86 | next 87 | edit "VPN2" 88 | set route-map-in "VPN2-RouteMap_IN" 89 | next 90 | end 91 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/BGP Route Steering/readme.md: -------------------------------------------------------------------------------- 1 | # BGP route steering - Overview 2 | 3 | In this configuration, we will use SD-WAN and BGP to signal the optimal interface to use for traffic destined back to the spoke. Interfaces that do not meet our pre-defined SLA will be marked as "out-of-sla" to other devices in the SD-WAN network. 4 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/SaaS Remote Internet Breakout/Branches/README.md: -------------------------------------------------------------------------------- 1 | # SD-WAN dual hub Saas Remote Internet Breakout - Branches 2 | 3 | This configuration is to enable SaaS Remote Internet Breakout on the branches. This allows branches to access cloud applications through the Hub. 4 | 5 | The Spoke will route only Ringcentral VoIP traffic through hub1 and hub2 overlays. 6 | 7 | The SDWAN rule is set to 'set gateway enable' to override the route table and send traffic that matches this application through hub1 and hub2. 8 | 9 | # Assumptions 10 | 11 | The following settings are specific to the demo and should be changed to fit your environment as necessary. 12 | 13 | 1) The application 'Ring Central' is selected to illustrate this feature. You should select applications specific to your business. 14 | 15 | # Changes between branches 16 | 17 | None. 
18 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/SaaS Remote Internet Breakout/Branches/dual_hub_Branch1_remote-internet-breakout.txt: -------------------------------------------------------------------------------- 1 | config application group 2 | edit "Cloud_Applications" 3 | set comment 'RingCentral VoIP Application' 4 | set type application 5 | set application 41475 6 | next 7 | end 8 | 9 | 10 | config sys sdwan 11 | config service 12 | edit 3 13 | set name "Cloud_Applications" 14 | set mode sla 15 | set src "Branch-NET" 16 | set internet-service enable 17 | set internet-service-app-ctrl-group "Cloud_Applications" 18 | config sla 19 | edit "HUB1_HC" 20 | set id 1 21 | next 22 | edit "HUB2_HC" 23 | set id 1 24 | next 25 | end 26 | set priority-members 3 4 5 6 27 | set gateway enable 28 | next 29 | move 3 before 2 30 | end 31 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/SaaS Remote Internet Breakout/Branches/dual_hub_Branch2_remote-internet-breakout.txt: -------------------------------------------------------------------------------- 1 | config application group 2 | edit "Cloud_Applications" 3 | set comment 'RingCentral VoIP Application' 4 | set type application 5 | set application 41475 6 | next 7 | end 8 | 9 | 10 | config sys sdwan 11 | config service 12 | edit 3 13 | set name "Cloud_Applications" 14 | set mode sla 15 | set src "Branch-NET" 16 | set internet-service enable 17 | set internet-service-app-ctrl-group "Cloud_Applications" 18 | config sla 19 | edit "HUB1_HC" 20 | set id 1 21 | next 22 | edit "HUB2_HC" 23 | set id 1 24 | next 25 | end 26 | set priority-members 3 4 5 6 27 | set gateway enable 28 | next 29 | move 3 before 2 30 | end 31 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/SaaS Remote Internet Breakout/Hubs/README.md: 
-------------------------------------------------------------------------------- 1 | # SD-WAN dual hub Saas Remote Internet Breakout - Hubs 2 | 3 | This configuration is to enable SaaS Remote Internet Breakout on the hub. This allows branches to access cloud applications through the Hub. 4 | 5 | The only config necessary on the HUB is to allow overlay traffic to the internet. 6 | 7 | # Assumptions 8 | 9 | The following settings are specific to the demo and should be changed to fit your environment as necessary. 10 | 11 | 1) Policy ID 4 is created, and so must not exist prior to adding this configuration file. 12 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/SaaS Remote Internet Breakout/Hubs/dual_hub_HUB1_remote-internet-breakout.txt: -------------------------------------------------------------------------------- 1 | config firewall policy 2 | edit 4 3 | set name "Remote-Internet-Breakout" 4 | set srcintf "virtual-wan-link" 5 | set dstintf "port1" 6 | set action accept 7 | set srcaddr "all" 8 | set dstaddr "all" 9 | set schedule "always" 10 | set service "ALL" 11 | set logtraffic all 12 | set nat enable 13 | next 14 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/SaaS Remote Internet Breakout/Hubs/dual_hub_HUB2_remote-internet-breakout.txt: -------------------------------------------------------------------------------- 1 | config firewall policy 2 | edit 4 3 | set name "Remote-Internet-Breakout" 4 | set srcintf "virtual-wan-link" 5 | set dstintf "port1" 6 | set action accept 7 | set srcaddr "all" 8 | set dstaddr "all" 9 | set schedule "always" 10 | set service "ALL" 11 | set logtraffic all 12 | set nat enable 13 | next 14 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Extensions/SaaS Remote Internet Breakout/readme.md: 
-------------------------------------------------------------------------------- 1 | # Remote Internet Breakout General 2 | 3 | In this scenario, branch traffic needs to route a SaaS application (in this case, RingCentral VoIP) through the HUB. The config can be modified to include any traffic type or application in your environment. 4 | 5 | Example: RingCentral (VoIP) may need local internet breakout at the branch. However, a private MPLS circuit is also available with internet accessible via the HUB. In this config, we route RingCentral traffic via the overlay to the HUB for remote internet break out. 6 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Hub/README.md: -------------------------------------------------------------------------------- 1 | # SD-WAN dual hub with VPN overlay and BGP routing - HUBs 2 | 3 | This configuration is for dual hubs functioning as access points for datacenter resources. As such, there is no consideration for traffic initiated from the hub. 4 | 5 | For more details on SD-WAN rules, please see the [SD-WAN rules](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/716691/sd-wan-rules) chapter of the FortiGate admin guide. 6 | 7 | The datacenter's subnet of 192.168.1.0/24 is learned through an eBGP peering with 172.16.1.1, and 172.16.2.1 for Hub1 and Hub2 respectively. The eBGP route to 192.168.1.0/24 is automatically distributed among all iBGP neighbors in the same Autonomous System without any further configuration. 8 | 9 | The network 172.16.100.1/32 and 172.16.100.2 are distributed so the iBGP neighbors know of the hubs loopback interfaces. 10 | 11 | # Assumptions 12 | 13 | The following settings are specific to the demo and should be changed to fit your environment as necessary. 14 | 15 | 1) IPsec settings, such as phase1 proposal and PSK 16 | 17 | 2) port1 and port2 are used for WAN1 and WAN2 respectively. 
Replace them with the ports you use for your WAN connections. 18 | 19 | 3) The datacenter uses the local subnet 192.168.1.0/24. Adjust the "Datacenter" object to match your LAN subnet. 20 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Hub/dual_hub_HUB1_SD-WAN_Overlay.txt: -------------------------------------------------------------------------------- 1 | config vpn ipsec phase1-interface 2 | edit "VPN1" 3 | set type dynamic 4 | set interface "port1" 5 | set ike-version 2 6 | set peertype any 7 | set net-device disable 8 | set mode-cfg enable 9 | set proposal aes256-sha256 10 | set add-route disable 11 | set dpd on-idle 12 | set network-overlay enable 13 | set network-id 1 14 | set ipv4-start-ip 10.10.10.1 15 | set ipv4-end-ip 10.10.10.252 16 | set ipv4-netmask 255.255.255.0 17 | set psksecret fortinet 18 | set dpd-retryinterval 60 19 | next 20 | edit "VPN2" 21 | set type dynamic 22 | set interface "port2" 23 | set ike-version 2 24 | set peertype any 25 | set net-device disable 26 | set mode-cfg enable 27 | set proposal aes256-sha256 28 | set add-route disable 29 | set dpd on-idle 30 | set network-overlay enable 31 | set network-id 2 32 | set ipv4-start-ip 10.10.11.1 33 | set ipv4-end-ip 10.10.11.252 34 | set ipv4-netmask 255.255.255.0 35 | set psksecret fortinet 36 | set dpd-retryinterval 60 37 | next 38 | end 39 | config vpn ipsec phase2-interface 40 | edit "VPN1" 41 | set phase1name "VPN1" 42 | set proposal aes256-sha256 43 | next 44 | edit "VPN2" 45 | set phase1name "VPN2" 46 | set proposal aes256-sha256 47 | next 48 | end 49 | 50 | config system interface 51 | edit "HUB1-Lo" 52 | set vdom "root" 53 | set ip 172.16.100.1 255.255.255.255 54 | set allowaccess ping 55 | set type loopback 56 | next 57 | edit "VPN1" 58 | set vdom "root" 59 | set ip 10.10.10.253 255.255.255.255 60 | set allowaccess ping 61 | set remote-ip 10.10.10.254 255.255.255.0 62 | set interface "port1" 63 | next 64 | edit "VPN2" 65 | 
set vdom "root" 66 | set ip 10.10.11.253 255.255.255.255 67 | set allowaccess ping 68 | set remote-ip 10.10.11.254 255.255.255.0 69 | set interface "port2" 70 | next 71 | end 72 | 73 | 74 | 75 | config router bgp 76 | set as 65000 77 | set router-id 172.16.100.1 78 | set ibgp-multipath enable 79 | set graceful-restart enable 80 | config neighbor 81 | edit "172.16.1.1" 82 | set remote-as 65100 83 | next 84 | end 85 | config neighbor-group 86 | edit "VPN1" 87 | set capability-graceful-restart enable 88 | set link-down-failover enable 89 | set next-hop-self enable 90 | set remote-as 65000 91 | set route-reflector-client enable 92 | set soft-reconfiguration enable 93 | next 94 | edit "VPN2" 95 | set capability-graceful-restart enable 96 | set link-down-failover enable 97 | set next-hop-self enable 98 | set remote-as 65000 99 | set route-reflector-client enable 100 | set soft-reconfiguration enable 101 | 102 | next 103 | end 104 | config neighbor-range 105 | edit 1 106 | set prefix 10.10.10.0 255.255.255.0 107 | set neighbor-group "VPN1" 108 | next 109 | edit 2 110 | set prefix 10.10.11.0 255.255.255.0 111 | set neighbor-group "VPN2" 112 | next 113 | end 114 | config network 115 | edit 1 116 | set prefix 172.16.1.1 255.255.255.255 117 | next 118 | end 119 | end 120 | 121 | config firewall address 122 | edit "Datacenter" 123 | set subnet 192.168.1.0 255.255.255.0 124 | next 125 | edit "Branch-NET" 126 | set subnet 10.1.0.0 255.255.0.0 127 | next 128 | edit "Overlay_Tunnels" 129 | set subnet 10.10.0.0 255.255.0.0 130 | next 131 | end 132 | 133 | config system sdwan 134 | set status enable 135 | config members 136 | edit 1 137 | set interface "VPN1" 138 | set comment "Mapping for VPN1 dialup tunnels" 139 | next 140 | edit 2 141 | set interface "VPN2" 142 | set comment "Mapping for VPN2 dialup tunnels" 143 | next 144 | end 145 | end 146 | 147 | 148 | 149 | config firewall policy 150 | edit 1 151 | set name "SLA-HealthCheck" 152 | set srcintf "virtual-wan-link" 153 | set 
dstintf "HUB1-Lo" 154 | set action accept 155 | set srcaddr "Overlay_Tunnels" 156 | set dstaddr "all" 157 | set schedule "always" 158 | set service "ALL_ICMP" 159 | set logtraffic all 160 | next 161 | edit 2 162 | set name "Branch to Datacenter" 163 | set srcintf "virtual-wan-link" 164 | set dstintf "port3" 165 | set action accept 166 | set srcaddr "Branch-NET" 167 | set dstaddr "Datacenter" 168 | set schedule "always" 169 | set service "ALL" 170 | set tcp-session-without-syn all 171 | set logtraffic all 172 | next 173 | edit 3 174 | set name "Datacenter to Branch" 175 | set srcintf "port3" 176 | set dstintf "virtual-wan-link" 177 | set action accept 178 | set srcaddr "Datacenter" 179 | set dstaddr "Branch-NET" 180 | set schedule "always" 181 | set service "ALL" 182 | set logtraffic all 183 | next 184 | end 185 | 186 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/Hub/dual_hub_HUB2_SD-WAN_Overlay.txt: -------------------------------------------------------------------------------- 1 | config vpn ipsec phase1-interface 2 | edit "VPN1" 3 | set type dynamic 4 | set interface "port1" 5 | set ike-version 2 6 | set peertype any 7 | set net-device disable 8 | set mode-cfg enable 9 | set proposal aes256-sha256 10 | set add-route disable 11 | set dpd on-idle 12 | set network-overlay enable 13 | set network-id 4 14 | set ipv4-start-ip 10.10.13.1 15 | set ipv4-end-ip 10.10.13.252 16 | set ipv4-netmask 255.255.255.0 17 | set psksecret fortinet 18 | set dpd-retryinterval 60 19 | next 20 | edit "VPN2" 21 | set type dynamic 22 | set interface "port2" 23 | set ike-version 2 24 | set peertype any 25 | set net-device disable 26 | set mode-cfg enable 27 | set proposal aes256-sha256 28 | set add-route disable 29 | set dpd on-idle 30 | set network-overlay enable 31 | set network-id 5 32 | set ipv4-start-ip 10.10.14.1 33 | set ipv4-end-ip 10.10.14.252 34 | set ipv4-netmask 255.255.255.0 35 | set psksecret fortinet 36 | set 
dpd-retryinterval 60 37 | next 38 | end 39 | config vpn ipsec phase2-interface 40 | edit "VPN1" 41 | set phase1name "VPN1" 42 | set proposal aes256-sha256 43 | next 44 | edit "VPN2" 45 | set phase1name "VPN2" 46 | set proposal aes256-sha256 47 | next 48 | end 49 | 50 | config system interface 51 | edit "HUB2-Lo" 52 | set vdom "root" 53 | set ip 172.16.100.2 255.255.255.255 54 | set allowaccess ping 55 | set type loopback 56 | next 57 | edit "VPN1" 58 | set vdom "root" 59 | set ip 10.10.13.253 255.255.255.255 60 | set allowaccess ping 61 | set remote-ip 10.10.13.254 255.255.255.0 62 | set interface "port1" 63 | next 64 | edit "VPN2" 65 | set vdom "root" 66 | set ip 10.10.14.253 255.255.255.255 67 | set allowaccess ping 68 | set remote-ip 10.10.14.254 255.255.255.0 69 | set interface "port2" 70 | next 71 | end 72 | 73 | 74 | 75 | config router bgp 76 | set as 65000 77 | set router-id 172.16.100.2 78 | set ibgp-multipath enable 79 | set graceful-restart enable 80 | config neighbor 81 | edit "172.16.2.1" 82 | set remote-as 65100 83 | next 84 | end 85 | config neighbor-group 86 | edit "VPN1" 87 | set capability-graceful-restart enable 88 | set link-down-failover enable 89 | set next-hop-self enable 90 | set remote-as 65000 91 | set route-reflector-client enable 92 | set soft-reconfiguration enable 93 | next 94 | edit "VPN2" 95 | set capability-graceful-restart enable 96 | set link-down-failover enable 97 | set next-hop-self enable 98 | set remote-as 65000 99 | set route-reflector-client enable 100 | set soft-reconfiguration enable 101 | 102 | next 103 | end 104 | config neighbor-range 105 | edit 1 106 | set prefix 10.10.13.0 255.255.255.0 107 | set neighbor-group "VPN1" 108 | next 109 | edit 2 110 | set prefix 10.10.14.0 255.255.255.0 111 | set neighbor-group "VPN2" 112 | next 113 | end 114 | config network 115 | edit 1 116 | set prefix 172.16.2.1 255.255.255.255 117 | next 118 | end 119 | end 120 | 121 | config firewall address 122 | edit "Datacenter" 123 | set subnet 
192.168.1.0 255.255.255.0 124 | next 125 | edit "Branch-NET" 126 | set subnet 10.1.0.0 255.255.0.0 127 | next 128 | edit "Overlay_Tunnels" 129 | set subnet 10.10.0.0 255.255.0.0 130 | next 131 | end 132 | 133 | config system sdwan 134 | set status enable 135 | config members 136 | edit 1 137 | set interface "VPN1" 138 | set comment "Mapping for VPN1 dialup tunnels" 139 | next 140 | edit 2 141 | set interface "VPN2" 142 | set comment "Mapping for VPN2 dialup tunnels" 143 | next 144 | end 145 | end 146 | 147 | 148 | 149 | config firewall policy 150 | edit 1 151 | set name "SLA-HealthCheck" 152 | set srcintf "virtual-wan-link" 153 | set dstintf "HUB2-Lo" 154 | set action accept 155 | set srcaddr "Overlay_Tunnels" 156 | set dstaddr "all" 157 | set schedule "always" 158 | set service "ALL_ICMP" 159 | set logtraffic all 160 | next 161 | edit 2 162 | set name "Branch to Datacenter" 163 | set srcintf "virtual-wan-link" 164 | set dstintf "port3" 165 | set action accept 166 | set srcaddr "Branch-NET" 167 | set dstaddr "Datacenter" 168 | set schedule "always" 169 | set service "ALL" 170 | set tcp-session-without-syn all 171 | set logtraffic all 172 | next 173 | edit 3 174 | set name "Datacenter to Branch" 175 | set srcintf "port3" 176 | set dstintf "virtual-wan-link" 177 | set action accept 178 | set srcaddr "Datacenter" 179 | set dstaddr "Branch-NET" 180 | set schedule "always" 181 | set service "ALL" 182 | set logtraffic all 183 | next 184 | end 185 | 186 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Dual hub/readme.md: -------------------------------------------------------------------------------- 1 | # SD-WAN Dual Hub 2 | 3 | This directory contains configuration to enable SD-WAN for two Hubs and 2 spokes. Additionally, 4 extensions to SD-WAN are included to optinally enhance your SD-WAN deployment. 
4 | 5 | In addition to the configuration files, there are topology diagrams provided in .png format, and .drawio format should you wish to edit or build upon the given topology. 6 | 7 | # Topology 8 | 9 | ### Underlay 10 | This diagram provides the physical ports used by the topologies, as well as some key IP addresses and networks. 11 | ![Dual hub branch underlay](./DH_SD_underlay.png?raw=true "Underlay") 12 | 13 | ### IPsec Overlay 14 | This is the first step of the overlay to indicate the various IPSec VPN tunnels that are established over the underlay. The diagram associates the tunnel paths with the naming convention. 15 | ![Dual hub branch overlay IPsec](./DH_SD_overlay_ipsec.png?raw=true "IPsec Overlay") 16 | 17 | ### BGP Overlay 18 | This topology builds on the IPSec overlay topology to indicate how BGP settings on the hub and branch devices are selected. 19 | ![Dual hub branch overlay BGP](./DH_SD_overlay_bgp.png?raw=true "BGP Overlay") 20 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/README.md: -------------------------------------------------------------------------------- 1 | # SD-WAN demonstration configurations (4-D) 2 | 3 | 4-D Demo configurations are a collection of configurations which complement the preceeding 3 Ds: Define, Design, and Deploy. These configrations are some samples of SD-WAN implementations for: 4 | 5 | - Branches with no central hub or Datacenter 6 | - Single hub/DC and branches 7 | - Dual hub/DC and branches 8 | 9 | For further details on SD-WAN features and deployment methods, such as using FortiManager to manage your configuration and deployment, please see the [SD-WAN section](https://docs.fortinet.com/sdwan/7.0) of our document library. 10 | 11 | # Overview 12 | 13 | *Standalone SD-WAN* contains configuration for a branch with no central hub which. This configuration does not integrate with any other files in this repository. 

*Single Hub* and *Dual Hub* both have a base configuration for the hub(s) and branches. The config files listed below are the base configuration to which more advanced features (extensions) may be added.

## Single Hub:
- single_hub_HUB1_SD-WAN_Overlay.txt
- single_hub_Branch1_SD-WAN_Overlay.txt
- single_hub_Branch2_SD-WAN_Overlay.txt

## Dual Hub:
- dual_hub_HUB1_SD-WAN_Overlay.txt
- dual_hub_HUB2_SD-WAN_Overlay.txt
- dual_hub_Branch1_SD-WAN_Overlay.txt
- dual_hub_Branch2_SD-WAN_Overlay.txt

The extensions are designed to be added if necessary and may be combined with each other. Each extension involves a configuration file for both the hub(s) and the branches. All configuration files for a given extension must be added for the feature to work.

Changes made to the base configuration may affect an extension's ability to be integrated. Changes to things such as policy ID numbers, SD-WAN rule numbers and BGP peer names will need to be reflected in the extension configuration files as well.

# How to
Begin by selecting a base topology: standalone, single hub or dual hub.

Review the topology's assumptions in its readme file and make the necessary changes to the configuration to match your deployment.

Install the updated base configuration file(s) of that topology on your branches and, if applicable, your hub(s).

For single and dual hub topologies, you may add extensions by reviewing the extension readme, making the necessary changes based on the listed assumptions and installing the updated configuration.

# Disclaimers

These configurations cover SD-WAN and related aspects, such as policies, address objects, BGP and IPsec. This configuration alone does not provide sufficient security for a given location. Please review [FortiGate Best Practices](https://docs.fortinet.com/document/fortigate/7.0.0/best-practices/587898/getting-started) and the [FortiGate Admin Guide](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/954635/getting-started) to complement this deployment.

An IP address scheme for hub LAN, branch LAN and IPsec is chosen which reflects the principles discussed in the complementing 4D documents, Design and Define. Careful consideration should be taken when changing the scheme.

The WAN IP addresses are not discussed outside of the IPsec configuration on the branches (remote gateway).

Underlay routing is assumed to be present. No consideration is given to hub or branch internet reachability. It is assumed that any given FortiGate has full internet connectivity and public IP addresses. Furthermore, the two WAN links are assumed to be functioning in an equal-cost multi-path configuration where both gateways are present in the routing table.

# Table of Contents

Below illustrates the directory structure.

    SD-WAN-Demo/
        Dual Hub/
            Branches/
                dual_hub_Branch1_SD-WAN_Overlay.txt
                dual_hub_Branch2_SD-WAN_Overlay.txt
                readme.md
            Extensions/
                ADVPN/
                    Hub/
                        dual_hub_HUB1_ADVPN.txt
                        dual_hub_HUB2_ADVPN.txt
                        readme.md
                    Branches/
                        dual_hub_Branch1_ADVPN.txt
                        dual_hub_Branch2_ADVPN.txt
                        readme.md
                Adaptive FEC/
                    Hub/
                        dual_hub_HUB1_adaptive-fec.txt
                        dual_hub_HUB2_adaptive-fec.txt
                        readme.md
                    Branches/
                        dual_hub_Branch1_adaptive-fec.txt
                        dual_hub_Branch2_adaptive-fec.txt
                        readme.md
                BGP Neighbor Config for Symmetric Route Steering from Datacenter/
                    Hub/
                        dual_hub_HUB1_bgp-route-steering.txt
                        dual_hub_HUB2_bgp-route-steering.txt
                        readme.md
                    Branches/
                        dual_hub_Branch1_bgp-route-steering.txt
                        dual_hub_Branch2_bgp-route-steering.txt
                        readme.md
                SaaS Remote Internet Breakout/
                    Hub/
                        dual_hub_HUB1_remote-internet-breakout.txt
                        dual_hub_HUB2_remote-internet-breakout.txt
                        readme.md
                    Branches/
                        dual_hub_Branch1_remote-internet-breakout.txt
                        dual_hub_Branch2_remote-internet-breakout.txt
                        readme.md
            Hub/
                dual_hub_HUB1_SD-WAN_Overlay.txt
                dual_hub_HUB2_SD-WAN_Overlay.txt
                readme.md
            DH_SD_overlay_bgp.drawio
            DH_SD_overlay_bgp.png
            DH_SD_overlay_ipsec.drawio
            DH_SD_overlay_ipsec.png
            DH_SD_underlay.drawio
            DH_SD_underlay.png
        Single Hub/
            Branches/
                single_hub_Branch1_SD-WAN_Overlay.txt
                single_hub_Branch2_SD-WAN_Overlay.txt
                readme.md
            Extensions/
                ADVPN/
                    Hub/
                        single_hub_HUB1_ADVPN.txt
                        readme.md
                    Branches/
                        single_hub_Branch1_ADVPN.txt
                        single_hub_Branch2_ADVPN.txt
                        readme.md
                Adaptive FEC/
                    Hub/
                        single_hub_HUB1_adaptive-fec.txt
                        readme.md
                    Branches/
                        single_hub_Branch1_adaptive-fec.txt
                        single_hub_Branch2_adaptive-fec.txt
                        readme.md
                SaaS Remote Internet Breakout/
                    Hub/
                        single_hub_HUB1_remote-internet-breakout.txt
                        readme.md
                    Branches/
                        single_hub_Branch1_remote-internet-breakout.txt
                        single_hub_Branch2_remote-internet-breakout.txt
                        readme.md
            Hub/
                single_hub_HUB1_SD-WAN_Overlay.txt
                readme.md
            SD_overlay_bgp.drawio
            SD_overlay_bgp.png
            SD_overlay_ipsec.drawio
            SD_overlay_ipsec.png
            SD_underlay.drawio
            SD_underlay.png
        Standalone SD-WAN/
            Branch_only_underlay.drawio
            Branch_only_underlay.png
            Readme.md
            standalone_Branch_SD-WAN.txt
        Branches/
            dual_hub_Branch1_adaptive-fec.txt
            dual_hub_Branch2_adaptive-fec.txt
            readme.md

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Branches/README.md:
--------------------------------------------------------------------------------
# SD-WAN single hub with VPN overlay and BGP routing - Branches

This configuration is for branches connecting back to a single hub to access internal resources. There is also a local internet breakout so the branch may access public internet resources directly.

For more details on SD-WAN rules, please see the [SD-WAN rules](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/716691/sd-wan-rules) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) IPsec settings, such as the phase1 proposal and PSK.

2) port1 and port2 are used for WAN1 and WAN2 respectively. Replace them with the ports you use for your WAN connections.

3) A health-check server is used to measure SLA. You should adjust this to better reflect your traffic of interest by defining your own performance SLA. Please see the [performance SLA](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/584396/performance-sla) chapter of the FortiGate admin guide.

4) WAN2 is the less preferred link and should only be used if WAN1 does not meet SLA. This applies to the VPN connections overlaying each WAN link. If the health-check to the DC over WAN1-VPN1 fails to meet SLA, traffic may take WAN2-VPN1 to the DC.

5) The branch uses the local subnet 10.1.0.0/16. Adjust the "Branch-NET" object to match your LAN subnet.

6) The VPN dialup gateways (hub WAN interfaces) are statically configured IP addresses that will need to be changed to match your hub's public WAN IP addresses.

7) The BGP AS number is 65000 and the router ID is the loopback interface's address, 172.16.200.x, where x is unique to the branch.

# Changes between branches

1) LAN subnet.

2) Loopback interface IP address.

3) BGP router ID (uses the loopback address).

4) IPsec phase1-interface local-id.

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Branches/single_hub_Branch1_SD-WAN_Overlay.txt:
--------------------------------------------------------------------------------
config firewall address
    edit "Branch-NET"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "Datacenter"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set localid "Branch2"
        set network-overlay enable
        set network-id 1
        set remote-gw 10.198.5.2
        set psksecret fortinet
    next
    edit "HUB1-VPN2"
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set localid "Branch2"
        set network-overlay enable
        set network-id 2
        set remote-gw 10.198.6.2
        set psksecret fortinet
    next
end
config vpn ipsec phase2-interface
    edit "HUB1-VPN1"
        set phase1name "HUB1-VPN1"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
    edit "HUB1-VPN2"
        set phase1name "HUB1-VPN2"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end

config system interface
    edit "Spoke-Lo"
        set ip 172.16.200.3 255.255.255.255
        set allowaccess ping
        set type loopback
        set vdom "root"
    next
end
config router bgp
    set as 65000
    set router-id 172.16.200.3
    set ibgp-multipath enable
    set graceful-restart enable
    config neighbor
        edit "10.10.10.253"
            set advertisement-interval 1
            set capability-graceful-restart enable
            set link-down-failover enable
            set remote-as 65000
            set interface "HUB1-VPN1"
            set description "HUB1-VPN1"
            set connect-timer 10
            set soft-reconfiguration enable
        next
        edit "10.10.11.253"
            set advertisement-interval 1
            set capability-graceful-restart enable
            set link-down-failover enable
            set remote-as 65000
            set interface "HUB1-VPN2"
            set description "HUB1-VPN2"
            set connect-timer 10
            set soft-reconfiguration enable
        next
    end
    config network
        edit 1
            set prefix 10.1.3.0 255.255.255.0
        next
    end
end
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "SASE"
        next
        edit "WAN1"
        next
        edit "WAN2"
        next
        edit "HUB1"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "WAN1"
            set comment "WAN1"
        next
        edit 2
            set interface "port2"
            set zone "WAN2"
            set cost 10
            set comment "WAN2"
        next
        edit 3
            set interface "HUB1-VPN1"
            set zone "HUB1"
            set comment "Mapping to HUB1 through WAN1"
        next
        edit 4
            set interface "HUB1-VPN2"
            set zone "HUB1"
            set cost 10
            set comment "Mapping to HUB1 through WAN2. Cost 10 since less preferred"
        next
    end
    config health-check
        edit "Internet"
            set server "1.1.1.1"
            set failtime 3
            set recoverytime 3
            set update-static-route disable
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 55
                    set packetloss-threshold 1
                next
            end
        next
        edit "HUB1_HC"
            set server "172.16.100.1"
            set failtime 3
            set update-static-route disable
            set members 3 4
            config sla
                edit 1
                    set latency-threshold 125
                    set jitter-threshold 55
                    set packetloss-threshold 1
                next
            end
        next
    end
    config service
        edit 2
            set name "Branch_to_DC1"
            set mode sla
            set dst "Datacenter"
            set src "Branch-NET"
            config sla
                edit "HUB1_HC"
                    set id 1
                next
            end
            set priority-members 3 4
        next
        edit 1
            set name "WAN1-Primary_WAN2-Backup"
            set mode sla
            set dst "all"
            set src "Branch-NET"
            config sla
                edit "Internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

config firewall policy
    edit 1
        set name "Local Internet Breakout"
        set srcintf "port3"
        set dstintf "WAN1" "WAN2"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "Branch to Datacenter"
        set srcintf "port3"
        set dstintf "HUB1"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Datacenter"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Branches/single_hub_Branch2_SD-WAN_Overlay.txt:
--------------------------------------------------------------------------------
config firewall address
    edit "Branch-NET"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "Datacenter"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "SASE"
        next
        edit "WAN1"
        next
        edit "WAN2"
        next
        edit "HUB1"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "WAN1"
            set comment "WAN1"
        next
        edit 2
            set interface "port2"
            set zone "WAN2"
            set cost 10
            set comment "WAN2"
        next
        edit 3
            set interface "HUB1-VPN1"
            set zone "HUB1"
            set comment "Mapping to HUB1 through WAN1"
        next
        edit 4
            set interface "HUB1-VPN2"
            set zone "HUB1"
            set cost 10
            set comment "Mapping to HUB1 through WAN2. Cost 10 since less preferred"
        next
    end
    config health-check
        edit "Internet"
            set server "1.1.1.1"
            set failtime 3
            set recoverytime 3
            set update-static-route disable
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 55
                    set packetloss-threshold 1
                next
            end
        next
        edit "HUB1_HC"
            set server "172.16.100.1"
            set failtime 3
            set update-static-route disable
            set members 3 4
            config sla
                edit 1
                    set latency-threshold 125
                    set jitter-threshold 55
                    set packetloss-threshold 1
                next
            end
        next
    end
    config service
        edit 2
            set name "Branch_to_DC1"
            set mode sla
            set dst "Datacenter"
            set src "Branch-NET"
            config sla
                edit "HUB1_HC"
                    set id 1
                next
            end
            set priority-members 3 4
        next
        edit 1
            set name "WAN1-Primary_WAN2-Backup"
            set mode sla
            set dst "all"
            set src "Branch-NET"
            config sla
                edit "Internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

config firewall policy
    edit 1
        set name "Local Internet Breakout"
        set srcintf "port3"
        set dstintf "WAN1" "WAN2"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "Branch to Datacenter"
        set srcintf "port3"
        set dstintf "HUB1"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Datacenter"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set localid "Branch1"
        set network-overlay enable
        set network-id 1
        set remote-gw 10.198.5.2
        set psksecret fortinet
    next
    edit "HUB1-VPN2"
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set localid "Branch1"
        set network-overlay enable
        set network-id 2
        set remote-gw 10.198.6.2
        set psksecret fortinet
    next
end
config vpn ipsec phase2-interface
    edit "HUB1-VPN1"
        set phase1name "HUB1-VPN1"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
    edit "HUB1-VPN2"
        set phase1name "HUB1-VPN2"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end

config system interface
    edit "Spoke-Lo"
        set ip 172.16.200.4 255.255.255.255
        set allowaccess ping
        set type loopback
        set vdom "root"
    next
end
config router bgp
    set as 65000
    set router-id 172.16.200.4
    set ibgp-multipath enable
    set graceful-restart enable
    config neighbor
        edit "10.10.10.253"
            set advertisement-interval 1
            set capability-graceful-restart enable
            set link-down-failover enable
            set remote-as 65000
            set interface "HUB1-VPN1"
            set description "HUB1-VPN1"
            set connect-timer 10
            set soft-reconfiguration enable
        next
        edit "10.10.11.253"
            set advertisement-interval 1
            set capability-graceful-restart enable
            set link-down-failover enable
            set remote-as 65000
            set interface "HUB1-VPN2"
            set description "HUB1-VPN2"
            set connect-timer 10
            set soft-reconfiguration enable
        next
    end
    config network
        edit 1
            set prefix 10.1.4.0 255.255.255.0
        next
    end
end

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/ADVPN/Branches/README.md:
--------------------------------------------------------------------------------
# SD-WAN single hub ADVPN - Branches

This configuration enables ADVPN on the branches. ADVPN (Auto Discovery VPN) is an IPsec technology that allows a traditional hub-and-spoke VPN's spokes to establish dynamic, on-demand, direct tunnels between each other to avoid routing through the topology's hub device.

The spoke overlays are set up as ADVPN receivers. This includes IPsec phase 1 and BGP neighbor settings.

SD-WAN rules are modified to steer Branch-NET traffic across the ADVPN dynamic tunnels.

Firewall policies are modified to permit branch-to-branch traffic.

For more details on ADVPN and SD-WAN, please see the [ADVPN and shortcut paths](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/985659/advpn-and-shortcut-paths) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) Firewall policy ID 3 is created and must not previously exist.

# Changes between branches

None.

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/ADVPN/Branches/single_hub_Branch1_ADVPN.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set auto-discovery-receiver enable
    next
    edit "HUB1-VPN2"
        set auto-discovery-receiver enable
    next
end

config router bgp
    config neighbor
        edit "10.10.10.253"
            set additional-path receive
        next
        edit "10.10.11.253"
            set additional-path receive
        next
    end
end

config system sdwan
    config service
        edit 2
            set dst "Datacenter" "Branch-NET"
        next
    end
end

config firewall policy
    edit 3
        set name "Remote Branches"
        set srcintf "HUB1"
        set dstintf "port3"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Branch-NET"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Branch to Branch Policy"
    next
end

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/ADVPN/Branches/single_hub_Branch2_ADVPN.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set auto-discovery-receiver enable
    next
    edit "HUB1-VPN2"
        set auto-discovery-receiver enable
    next
end

config router bgp
    config neighbor
        edit "10.10.10.253"
            set additional-path receive
        next
        edit "10.10.11.253"
            set additional-path receive
        next
    end
end

config system sdwan
    config service
        edit 2
            set dst "Datacenter" "Branch-NET"
        next
    end
end

config firewall policy
    edit 3
        set name "Remote Branches"
        set srcintf "HUB1"
        set dstintf "port3"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Branch-NET"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Branch to Branch Policy"
    next
end

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/ADVPN/HUB/README.md:
--------------------------------------------------------------------------------
# SD-WAN single hub ADVPN - HUB

This configuration enables ADVPN on the hub. ADVPN (Auto Discovery VPN) is an IPsec technology that allows a traditional hub-and-spoke VPN's spokes to establish dynamic, on-demand, direct tunnels between each other to avoid routing through the topology's hub device.

The hub VPN overlays are set up as ADVPN senders. This includes IPsec phase 1 and BGP neighbor settings to allow four additional paths to be sent to each of the overlays.

Policy routes are created for ADVPN "stickiness". Stickiness is required to prevent private links from receiving public link shortcuts, for example if one link is a public ISP connection and the other is a private MPLS line.

The firewall policies are modified to permit branch-to-branch traffic.

For more details on ADVPN and SD-WAN, please see the [ADVPN and shortcut paths](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/985659/advpn-and-shortcut-paths) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) A firewall policy with ID 5 is created and must not previously exist.

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/ADVPN/HUB/single_hub_HUB1_ADVPN.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "VPN1"
        set auto-discovery-sender enable
    next
    edit "VPN2"
        set auto-discovery-sender enable
    next
end

config router bgp
    set additional-path enable
    set additional-path-select 4
    config neighbor-group
        edit "VPN1"
            set additional-path send
        next
        edit "VPN2"
            set additional-path send
        next
    end
end

config router policy
    edit 1
        set input-device "VPN1"
        set srcaddr "all"
        set dstaddr "all"
        set output-device "VPN1"
    next
    edit 2
        set input-device "VPN2"
        set srcaddr "all"
        set dstaddr "all"
        set output-device "VPN2"
    next
end

config firewall policy
    edit 5
        set name "Branch to Branch"
        set srcintf "virtual-wan-link"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Branch-NET"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set logtraffic all
    next
end

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/ADVPN/readme.md:
--------------------------------------------------------------------------------
# ADVPN General

ADVPN is used to dynamically build overlay tunnels between devices in an SD-WAN region. The SD-WAN hub is the ADVPN sender that provides branches with the details they need to establish their own tunnels as necessary.
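The top-level README warns that policy IDs, SD-WAN rule numbers and BGP peer names in the base configuration must line up with the extension files, and the ADVPN readmes require the new policy IDs (3 on the branches, 5 on the hub) not to exist beforehand. The following Python script is an added example, not code from this repository: it parses the config/edit/next/end shape of the FortiOS CLI files and checks an extension against a base config before it is pasted in. The BASE, EXT_ADVPN and EXT_BROKEN texts are constructed, abridged stand-ins for the repo's files, and the split into tables an extension "creates" versus "modifies" is this example's own rule, not a FortiOS feature.

```python
"""Pre-merge check of an SD-WAN extension file against a base FortiOS config.

Added example, not part of the repository. CREATE/MODIFY tables encode the
readme rules: a firewall policy ID an extension creates must be new, while
the SD-WAN rules, BGP neighbors and phase1 tunnels it modifies must exist.
"""
import shlex

CREATE_TABLES = {("firewall policy",)}                 # IDs must not already exist
MODIFY_TABLES = {("system sdwan", "service"),           # IDs must already exist
                 ("router bgp", "neighbor"),
                 ("vpn ipsec phase1-interface",)}


def parse_tables(text):
    """Return ({table_path: {entry_id: [set args]}}, [(table_path, id, before_id)])."""
    tables, moves, path, entry = {}, [], [], []   # path/entry are parallel stacks
    for raw in text.splitlines():
        parts = shlex.split(raw)                  # honours quoted names like "HUB1-VPN1"
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "config":
            path.append(" ".join(args))
            entry.append(None)
            tables.setdefault(tuple(path), {})
        elif cmd == "edit":
            entry[-1] = args[0]
            tables[tuple(path)].setdefault(args[0], [])
        elif cmd == "set" and entry and entry[-1] is not None:
            tables[tuple(path)][entry[-1]].append(" ".join(args))
        elif cmd == "move":                       # move <id> before|after <id>
            moves.append((tuple(path), args[0], args[2]))
        elif cmd == "next":
            entry[-1] = None
        elif cmd == "end":                        # FortiOS accepts 'end' straight from an edit
            path.pop()
            entry.pop()
    return tables, moves


def check_extension(base_text, ext_text):
    """List the merge problems; an empty list means the extension applies cleanly."""
    base, _ = parse_tables(base_text)
    ext, moves = parse_tables(ext_text)
    problems = []
    for table, entries in ext.items():
        for eid in entries:
            exists = eid in base.get(table, {})
            if table in CREATE_TABLES and exists:
                problems.append(f"{' > '.join(table)} {eid}: already exists in base config")
            elif table in MODIFY_TABLES and not exists:
                problems.append(f"{' > '.join(table)} {eid}: not found in base config")
    for table, src, ref in moves:
        known = set(base.get(table, {})) | set(ext.get(table, {}))
        for missing in (x for x in (src, ref) if x not in known):
            problems.append(f"{' > '.join(table)}: move {src} before {ref} names unknown ID {missing}")
    return problems


# Constructed, abridged stand-ins for the branch base file and the ADVPN branch
# extension; EXT_BROKEN reuses an existing policy ID, edits an SD-WAN rule that
# is not there, and moves a policy relative to a missing ID.
BASE = """\
config system sdwan
    config service
        edit 2
        next
        edit 1
        next
    end
end
config firewall policy
    edit 1
    next
    edit 2
    next
end
"""
EXT_ADVPN = """\
config system sdwan
    config service
        edit 2
            set dst "Datacenter" "Branch-NET"
        next
    end
end
config firewall policy
    edit 3
        set name "Remote Branches"
    next
end
"""
EXT_BROKEN = """\
config firewall policy
    edit 2
    next
    edit 4
    next
    move 4 before 9
end
config system sdwan
    config service
        edit 3
        next
    end
end
"""

if __name__ == "__main__":
    for name, ext in (("ADVPN", EXT_ADVPN), ("broken", EXT_BROKEN)):
        print(name, "->", check_extension(BASE, ext) or "merges cleanly")
```

To use it on the real files, read the base and extension text from disk and pass them to `check_extension`; a hub base config would be checked against the hub extension the same way, so the "ID 5 must not previously exist" assumption becomes a test rather than a manual read-through.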

--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/Adaptive FEC/Branches/README.md:
--------------------------------------------------------------------------------
# SD-WAN single hub adaptive forward error correction - Branches

This configuration enables adaptive FEC on the branches. Forward Error Correction (FEC) is used to control and correct errors in data transmission by sending redundant data across the VPN in anticipation of dropped packets occurring during transit. The mechanism sends out x redundant packets for every y base packets.

FEC is enabled on the desired firewall policy.

Mappings are set up with the desired FEC parameters.

The FEC mapping is applied in the IPsec phase 1 tunnel settings, and FEC is enabled on ingress and egress.

A health check server is selected to monitor packet loss on a given overlay.

For more details on adaptive FEC, please see the [Adaptive Forward Error Correction](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/169010/adaptive-forward-error-correction) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) A custom application service is defined as UDP port 5000. This should be adjusted to meet your business' needs.

2) Thresholds and settings for FEC should be tuned to the application and business needs. In this configuration, the FEC parity settings were adjusted to be more aggressive during higher packet loss situations than the defaults.

# Changes between branches

None.
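The readme above describes the mechanism (x redundant packets per y base packets, switched by measured packet loss) but not what a given mapping buys. The Python below is an added example, not code from this repository: it takes the `dc_fec` mapping table from the branch adaptive-fec files (base 8 / redundant 2 above 5% loss, base 5 / redundant 2 above 10%) and, for a measured loss figure, reports which mapping is in force, the extra packets it costs, and the probability a block still cannot be rebuilt. The selection rule (highest exceeded threshold wins, a static baseline below the lowest threshold), the `BASELINE` numbers and the independent-loss recovery model are this example's assumptions, not FortiOS internals.

```python
"""Adaptive FEC: which parity mapping applies at a measured packet loss, and
what it buys.

Added example, not from the repository. DC_FEC copies the dc_fec profile from
the branch adaptive-fec files; the selection rule, BASELINE and the recovery
model (independent loss, up to `redundant` losses recoverable per block) are
this example's assumptions.
"""
from dataclasses import dataclass
from math import comb


@dataclass(frozen=True)
class FecMapping:
    base: int              # data packets per FEC block
    redundant: int         # parity packets appended to each block
    loss_threshold: float  # percent packet loss above which the mapping applies


# config vpn ipsec fec -> edit "dc_fec" -> config mappings
DC_FEC = (FecMapping(8, 2, 5.0), FecMapping(5, 2, 10.0))
# Assumed placeholder for the tunnel's static fec-base/fec-redundant values.
BASELINE = FecMapping(10, 1, 0.0)


def select_mapping(loss_pct, mappings=DC_FEC, baseline=BASELINE):
    """Mapping in force at loss_pct: the eligible one with the highest threshold."""
    eligible = [m for m in mappings if loss_pct > m.loss_threshold]
    return max(eligible, key=lambda m: m.loss_threshold) if eligible else baseline


def overhead_pct(m):
    """Extra packets sent on the wire, as a percentage of the data packets."""
    return 100.0 * m.redundant / m.base


def block_loss_probability(m, loss_pct):
    """Probability a block cannot be rebuilt: more than m.redundant of its
    m.base + m.redundant packets are lost, with independent loss at loss_pct."""
    p, n = loss_pct / 100.0, m.base + m.redundant
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(m.redundant + 1, n + 1))


def fec_report(loss_pct):
    """(base, redundant, overhead %, residual block-loss probability) at loss_pct."""
    m = select_mapping(loss_pct)
    return m.base, m.redundant, overhead_pct(m), block_loss_probability(m, loss_pct)


if __name__ == "__main__":
    for loss in (2.0, 7.0, 12.0):          # below, between and above the thresholds
        b, r, oh, res = fec_report(loss)
        print(f"{loss:4.1f}% loss -> base {b} redundant {r}, "
              f"overhead {oh:.0f}%, unrecoverable blocks {res:.2%}")
```

Run as a script it walks through the three regimes; the useful check when tuning thresholds is that `block_loss_probability` for the more aggressive mapping is lower than for the one below it at the loss rate where the switch happens, otherwise the extra overhead buys nothing.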
27 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Single hub/Extensions/Adaptive FEC/Branches/single_hub_Branch1_adaptive-fec.txt: -------------------------------------------------------------------------------- 1 | config firewall service custom 2 | edit "CustomApp-5000" 3 | set udp-portrange 5000 4 | next 5 | end 6 | 7 | config firewall policy 8 | edit 4 9 | set name "FEC test" 10 | set srcintf "port3" 11 | set dstintf "HUB1" 12 | set action accept 13 | set srcaddr "Branch-NET" 14 | set dstaddr "Datacenter" 15 | set schedule "always" 16 | set service "CustomApp-5000" 17 | set logtraffic all 18 | set fec enable 19 | set comments "" 20 | next 21 | move 4 before 2 22 | end 23 | 24 | config vpn ipsec fec 25 | edit "dc_fec" 26 | config mappings 27 | edit 1 28 | set base 8 29 | set redundant 2 30 | set packet-loss-threshold 5 31 | next 32 | edit 2 33 | set base 5 34 | set redundant 2 35 | set packet-loss-threshold 10 36 | next 37 | end 38 | next 39 | end 40 | 41 | config vpn ipsec phase1-interface 42 | edit "HUB1-VPN1" 43 | set fec-egress enable 44 | set fec-ingress enable 45 | set fec-mapping-profile dc_fec 46 | set fec-health-check HUB1_HC 47 | next 48 | edit "HUB1-VPN2" 49 | set fec-egress enable 50 | set fec-ingress enable 51 | set fec-mapping-profile dc_fec 52 | set fec-health-check HUB1_HC 53 | next 54 | end 55 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Single hub/Extensions/Adaptive FEC/Branches/single_hub_Branch2_adaptive-fec.txt: -------------------------------------------------------------------------------- 1 | config firewall service custom 2 | edit "CustomApp-5000" 3 | set udp-portrange 5000 4 | next 5 | end 6 | 7 | config firewall policy 8 | edit 4 9 | set name "FEC test" 10 | set srcintf "port3" 11 | set dstintf "HUB1" 12 | set action accept 13 | set srcaddr "Branch-NET" 14 | set dstaddr "Datacenter" 15 | set schedule "always" 16 | set service 
"CustomApp-5000" 17 | set logtraffic all 18 | set fec enable 19 | set comments "" 20 | next 21 | move 4 before 2 22 | end 23 | 24 | config vpn ipsec fec 25 | edit "dc_fec" 26 | config mappings 27 | edit 1 28 | set base 8 29 | set redundant 2 30 | set packet-loss-threshold 5 31 | next 32 | edit 2 33 | set base 5 34 | set redundant 2 35 | set packet-loss-threshold 10 36 | next 37 | end 38 | end 39 | 40 | config vpn ipsec phase1-interface 41 | edit "HUB1-VPN1" 42 | set fec-egress enable 43 | set fec-ingress enable 44 | set fec-mapping-profile dc_fec 45 | set fec-health-check HUB1_HC 46 | next 47 | edit "HUB1-VPN2" 48 | set fec-egress enable 49 | set fec-ingress enable 50 | set fec-mapping-profile dc_fec 51 | set fec-health-check HUB1_HC 52 | next 53 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Single hub/Extensions/Adaptive FEC/HUB/README.md: -------------------------------------------------------------------------------- 1 | # SD-WAN single hub adaptive forward error correction - HUB 2 | 3 | This configuration is to enable adaptive FEC on the hub. Forward Error Correction (FEC) is used to control and correct errors in data transmission by sending redundant data across the VPN in anticipation of dropped packets occurring during transit. The mechanism sends out x number of redundant packets for every y number of base packets. 4 | 5 | FEC is enabled in IPsec phase 1 settings of each overlay. 6 | 7 | FED is enabled on desired firewall policies. 8 | 9 | For more details on adaptive FEC, please see the [Adaptive Forward Error Correction](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/169010/adaptive-forward-error-correction) chapter of the FortiGate admin guide. 10 | 11 | # Assumptions 12 | 13 | The following settings are specific to the demo and should be changed to fit your environment as necessary. 14 | 15 | 1) A custom application service is defined as udp port 5000. 
This should be adjusted to meet your business' needs. 16 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Single hub/Extensions/Adaptive FEC/HUB/single_hub_HUB1_adaptive-fec.txt: -------------------------------------------------------------------------------- 1 | config vpn ipsec phase1-interface 2 | edit "VPN1" 3 | set fec-egress enable 4 | set fec-ingress enable 5 | next 6 | edit "VPN2" 7 | set fec-egress enable 8 | set fec-ingress enable 9 | next 10 | end 11 | 12 | config firewall service custom 13 | edit "CustomApp-5000" 14 | set udp-portrange 5000 15 | next 16 | end 17 | 18 | config firewall policy 19 | edit 6 20 | set status enable 21 | set srcintf "virtual-wan-link" 22 | set dstintf "port3" 23 | set action accept 24 | set srcaddr "Branch-NET" 25 | set dstaddr "Datacenter" 26 | set schedule "always" 27 | set service "CustomApp-5000" 28 | set fec enable 29 | next 30 | move 6 before 2 31 | end 32 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Single hub/Extensions/Adaptive FEC/readme.md: -------------------------------------------------------------------------------- 1 | # Adaptive FEC General 2 | 3 | Adaptive Forward Error Correction (FEC) is a WAN remediation technique that dynamically correct packet loss based on the detected packet loss on the link. 4 | -------------------------------------------------------------------------------- /4D-SDWAN/7.0/Single hub/Extensions/BGP route steering/Branches/README.md: -------------------------------------------------------------------------------- 1 | # SD-WAN single hub BGP route steering - Branches 2 | 3 | This configuration is to enable BGP route steering on a branch. As SD-WAN intelligence affects which WAN interface is used, BGP can be leveraged to communicate these decisions to it's neighbors. 4 | 5 | The hub health check will monitor the performance of our datacenter overlay. 
If the SLA fails (its minimum requirements are not met), the SD-WAN neighbor configuration triggers BGP to advertise a different route map to that neighbor.

Under normal conditions (the SLA is passing), the map configured as 'route-map-out-preferable' is advertised to the HUB BGP neighbor. This is our preferred route map: it matches our LAN addresses and sets a specific community (in this example 1 for the VPN1 interface or 2 for the VPN2 interface).

An SLA failure stops applying the 'route-map-out-preferable' map and falls back to the default 'route-map-out' map. This default route map tags the LAN prefixes with community 5 to indicate they are out of SLA on the given interface.

For more details on controlling traffic with BGP route steering, please see the [controlling traffic with BGP route mapping](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/256748/controlling-traffic-with-bgp-route-mapping-and-service-rules) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) The hub will receive BGP community strings of 65000:1, 65000:2, and 65000:5.

# Changes between branches

The router access-list uses the LAN subnet of the given site as the prefix.
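The signalling described above, modelled end to end as an added example in Python (not part of the repository): the branch picks its preferable or out-of-SLA route map per hub neighbor from the SLA verdict, and the hub side applies the community-to-route-tag map and route-tag SD-WAN rules found in this extension's HUB directory. Names and addresses are those of single_hub_Branch1 and the HUB config; the health-check verdict itself is an input.

```python
from dataclasses import dataclass

# Branch side (single_hub_Branch1_bgp-route-steering.txt): LAN prefix, the three
# route maps and, per hub neighbor, the SD-WAN member whose SLA controls it.
BRANCH_LAN = "10.1.3.0/24"
ROUTE_MAP_COMMUNITY = {"Primary": "65000:1", "Secondary": "65000:2", "Out-of-SLA": "65000:5"}
# neighbor -> (sd-wan member, route-map-out-preferable, route-map-out)
BGP_NEIGHBORS = {
    "10.10.10.253": (1, "Primary", "Out-of-SLA"),
    "10.10.11.253": (2, "Secondary", "Out-of-SLA"),
}

# Hub side (single_hub_HUB1_bgp-route-steering.txt): VPNx-RouteMap_IN sets a
# route-tag per community; SD-WAN services match route-tag 1 (VPN1) then 2 (VPN2).
COMMUNITY_ROUTE_TAG = {"65000:1": 1, "65000:2": 2, "65000:5": 5}
HUB_SERVICES = [(1, "ToBranches_VPN1"), (2, "ToBranches_VPN2")]  # evaluated in order


@dataclass(frozen=True)
class Advertisement:
    neighbor: str
    prefix: str
    community: str


def branch_advertisements(member_in_sla):
    """member_in_sla maps SD-WAN member id -> True when health-check HUB1_HC sla 1
    passes on that member. While it passes, route-map-out-preferable is applied;
    otherwise the neighbor falls back to route-map-out (community 65000:5)."""
    ads = []
    for neighbor, (member, preferable, fallback) in BGP_NEIGHBORS.items():
        route_map = preferable if member_in_sla.get(member, False) else fallback
        ads.append(Advertisement(neighbor, BRANCH_LAN, ROUTE_MAP_COMMUNITY[route_map]))
    return ads


def hub_route_tags(ads):
    """Inbound route-map on the hub: community -> route-tag for each received path.
    A community outside the hub's community-lists gets no tag (None); the demo
    only expects 65000:1, 65000:2 and 65000:5."""
    return {ad.neighbor: COMMUNITY_ROUTE_TAG.get(ad.community) for ad in ads}


def hub_return_path(ads):
    """SD-WAN rule lookup on the hub for traffic back to the branch LAN: the first
    service whose route-tag is carried by a received path wins. With only tag-5
    (out-of-SLA) paths no rule matches, and the regular routing table decides."""
    tags = set(hub_route_tags(ads).values())
    for route_tag, service in HUB_SERVICES:
        if route_tag in tags:
            return service
    return "routing-table"


def steering_summary(member_in_sla):
    """SLA state -> (community sent per neighbor, hub's chosen service)."""
    ads = branch_advertisements(member_in_sla)
    sent = {ad.neighbor: ad.community for ad in ads}
    return sent, hub_return_path(ads)


if __name__ == "__main__":
    for state in ({1: True, 2: True}, {1: False, 2: True}, {1: False, 2: False}):
        print(state, "->", steering_summary(state))
```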
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/BGP route steering/Branches/single_hub_Branch1_bgp-route-steering.txt:
--------------------------------------------------------------------------------
config router access-list
    edit "LAN1"
        config rule
            edit 1
                set prefix 10.1.3.0 255.255.255.0
            next
        end
    next
end

config router route-map
    edit "Primary"
        config rule
            edit 1
                set match-ip-address "LAN1"
                set set-community "65000:1"
            next
        end
    next
    edit "Secondary"
        config rule
            edit 1
                set match-ip-address "LAN1"
                set set-community "65000:2"
            next
        end
    next
    edit "Out-of-SLA"
        config rule
            edit 1
                set match-ip-address "LAN1"
                set set-community "65000:5"
            next
        end
    next
end

config router bgp
    config neighbor
        edit "10.10.10.253"
            set route-map-out "Out-of-SLA"
            set route-map-out-preferable "Primary"
        next
        edit "10.10.11.253"
            set route-map-out "Out-of-SLA"
            set route-map-out-preferable "Secondary"
        next
    end
end

config system sdwan
    config neighbor
        edit "10.10.10.253"
            set member 1
            set health-check "HUB1_HC"
            set sla-id 1
        next
        edit "10.10.11.253"
            set member 2
            set health-check "HUB1_HC"
            set sla-id 1
        next
    end
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/BGP route steering/Branches/single_hub_Branch2_bgp-route-steering.txt:
--------------------------------------------------------------------------------
config router access-list
    edit "LAN1"
        config rule
            edit 1
                set prefix 10.1.4.0 255.255.255.0
            next
        end
    next
end

config router route-map
    edit "Primary"
        config rule
            edit 1
                set match-ip-address "LAN1"
                set set-community "65000:1"
            next
        end
    next
    edit "Secondary"
        config rule
            edit 1
                set match-ip-address "LAN1"
                set set-community "65000:2"
            next
        end
    next
    edit "Out-of-SLA"
        config rule
            edit 1
                set match-ip-address "LAN1"
                set set-community "65000:5"
            next
        end
    next
end

config router bgp
    config neighbor
        edit "10.10.10.253"
            set route-map-out "Out-of-SLA"
            set route-map-out-preferable "Primary"
        next
        edit "10.10.11.253"
            set route-map-out "Out-of-SLA"
            set route-map-out-preferable "Secondary"
        next
    end
end

config system sdwan
    config neighbor
        edit "10.10.10.253"
            set member 1
            set health-check "HUB1_HC"
            set sla-id 1
        next
        edit "10.10.11.253"
            set member 2
            set health-check "HUB1_HC"
            set sla-id 1
        next
    end
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/BGP route steering/HUB/README.md:
--------------------------------------------------------------------------------
# SD-WAN single hub BGP route steering - HUB

This configuration enables BGP route steering on the hub. Because SD-WAN intelligence decides which WAN interface is used, BGP can be leveraged to communicate those decisions to its neighbors.

The HUB applies an inbound route map on each neighbor group that matches the branch's community and sets a corresponding route-tag:

- Community 1 or 2 (SLA good) is mapped to route-tag 1 or 2 respectively.
- Community 5 (out of SLA) is mapped to route-tag 5.

SD-WAN rules on the HUB are configured to map route-tag 1 to VPN1 and route-tag 2 to VPN2. Under normal conditions, branch traffic flows through these interfaces (VPN1 first, VPN2 second, based on rule order).

Upon SLA failure, the incoming community 5 is mapped to route-tag 5, which no SD-WAN rule matches, so the traffic falls through to the regular routing table.

For more details on controlling traffic with BGP route steering, please see the [controlling traffic with BGP route mapping](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/256748/controlling-traffic-with-bgp-route-mapping-and-service-rules) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) The branches will send BGP community strings of 65000:1, 65000:2, and 65000:5.
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/BGP route steering/HUB/single_hub_HUB1_bgp-route-steering.txt:
--------------------------------------------------------------------------------
config router community-list
    edit "65000:1"
        config rule
            edit 1
                set action permit
                set match "65000:1"
            next
        end
    next
    edit "65000:5"
        config rule
            edit 1
                set action permit
                set match "65000:5"
            next
        end
    next
    edit "65000:2"
        config rule
            edit 1
                set action permit
                set match "65000:2"
            next
        end
    next
end

config router route-map
    edit "VPN1-RouteMap_IN"
        config rule
            edit 3
                set match-community "65000:1"
                set set-route-tag 1
            next
            edit 5
                set match-community "65000:5"
                set set-aspath "65000"
                set set-route-tag 5
            next
            edit 4
                set match-community "65000:2"
                set set-route-tag 2
            next
        end
    next
    edit "VPN2-RouteMap_IN"
        config rule
            edit 4
                set match-community "65000:2"
                set set-route-tag 2
            next
            edit 5
                set match-community "65000:5"
                set set-route-tag 5
            next
            edit 3
                set match-community "65000:1"
                set set-route-tag 1
            next
        end
    next
end

config system sdwan
    config service
        edit 1
            set name "ToBranches_VPN1"
            set route-tag 1
            set src "all"
            set priority-members 1
        next
        edit 2
            set name "ToBranches_VPN2"
            set route-tag 2
            set src "all"
            set priority-members 2
        next
    end
end

config router bgp
    config neighbor-group
        edit "VPN1"
            set route-map-in "VPN1-RouteMap_IN"
        next
        edit "VPN2"
            set route-map-in "VPN2-RouteMap_IN"
        next
    end
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/BGP route steering/readme.md:
--------------------------------------------------------------------------------
# BGP route steering - Overview

In this configuration, we use SD-WAN and BGP to signal the optimal interface for traffic destined back to the spoke. Interfaces that do not meet our pre-defined SLA are marked as "out-of-sla" to the other devices in the SD-WAN network.
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/SaaS Remote Internet Breakout/Branches/README.md:
--------------------------------------------------------------------------------
# SD-WAN single hub SaaS Remote Internet Breakout - Branches

This configuration enables SaaS Remote Internet Breakout on the branches, allowing branches to reach cloud applications through the Hub.

The spoke routes only RingCentral VoIP traffic through the hub overlays.

The SD-WAN rule uses 'set gateway enable' to override the routing table and send traffic matching this application through the hub.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) The application 'RingCentral' is selected to illustrate this feature. You should select applications specific to your business.

# Changes between branches

None.
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/SaaS Remote Internet Breakout/Branches/single_hub_Branch1_remote-internet-breakout.txt:
--------------------------------------------------------------------------------
config application group
    edit "Cloud_Applications"
        set comment 'RingCentral VoIP Application'
        set type application
        set application 41475
    next
end

config sys sdwan
    config service
        edit 3
            set name "Cloud_Applications"
            set mode sla
            set src "Branch-NET"
            set internet-service enable
            set internet-service-app-ctrl-group "Cloud_Applications"
            config sla
                edit "HUB1_HC"
                    set id 1
                next
            end
            set priority-members 3 4
            set gateway enable
        next
        move 3 before 2
    end
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/SaaS Remote Internet Breakout/Branches/single_hub_Branch2_remote-internet-breakout.txt:
--------------------------------------------------------------------------------
config application group
    edit "Cloud_Applications"
        set comment 'RingCentral VoIP Application'
        set type application
        set application 41475
    next
end

config sys sdwan
    config service
        edit 3
            set name "Cloud_Applications"
            set mode sla
            set src "Branch-NET"
            set internet-service enable
            set internet-service-app-ctrl-group "Cloud_Applications"
            config sla
                edit "HUB1_HC"
                    set id 1
                next
            end
            set priority-members 3 4
            set gateway enable
        next
        move 3 before 2
    end
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/SaaS Remote Internet Breakout/HUB/README.md:
--------------------------------------------------------------------------------
# SD-WAN single hub SaaS Remote Internet Breakout - Hub

This configuration enables SaaS Remote Internet Breakout on the hub, allowing branches to reach cloud applications through the Hub.

The only configuration necessary on the HUB is a policy allowing overlay traffic out to the internet. Note that, as written, the policy matches any source and any destination on any service and applies NAT; in production, restrict srcaddr to your branch LAN objects.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) Policy ID 4 is created, and so must not exist prior to adding this configuration file.
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/SaaS Remote Internet Breakout/HUB/single_hub_HUB1_remote-internet-breakout.txt:
--------------------------------------------------------------------------------
config firewall policy
    edit 4
        set name "Remote-Internet-Breakout"
        set srcintf "virtual-wan-link"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Extensions/SaaS Remote Internet Breakout/readme.md:
--------------------------------------------------------------------------------
# Remote Internet Breakout General

In this scenario, branch traffic for a SaaS application (in this case, RingCentral VoIP) needs to be routed through the HUB. The config can be modified to include any traffic type or application in your environment.

Example: RingCentral (VoIP) may need local internet breakout at the branch.
However, a private MPLS circuit is also available, with internet access via the HUB. In this config, we route RingCentral traffic over the overlay to the HUB for remote internet breakout.
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Hub/README.md:
--------------------------------------------------------------------------------
# SD-WAN single hub with VPN overlay and BGP routing - HUB

This configuration is for a single hub acting as the access point for datacenter resources. As such, no consideration is given to traffic initiated from the hub.

For more details on SD-WAN rules, please see the [SD-WAN rules](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/716691/sd-wan-rules) chapter of the FortiGate admin guide.

The datacenter's subnet of 192.168.1.0/24 is learned through an eBGP peering with 172.16.1.1. This eBGP route to 192.168.1.0/24 is automatically distributed to all iBGP neighbors in the same Autonomous System without any further configuration.

The network 172.16.100.1/32 is distributed so the iBGP neighbors know of the loopback interface.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) IPsec settings, such as phase1 proposal and PSK.

2) port1 and port2 are used for WAN1 and WAN2 respectively. Replace them with the ports you use for your WAN connections.

3) The datacenter uses the local subnet 192.168.1.0/24. Adjust the "Datacenter" object to match your LAN subnet.

4) If you are not utilizing eBGP peering for your datacenter LAN, you can advertise the connected LAN segment the same way the branches do in BGP:

    config router bgp
        config network
            edit 1
                set prefix 192.168.1.0 255.255.255.0
            next
        end
    end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/Hub/single_hub_HUB1_SD-WAN_Overlay.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set network-overlay enable
        set network-id 1
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.252
        set ipv4-netmask 255.255.255.0
        set psksecret fortinet
        set dpd-retryinterval 60
    next
    edit "VPN2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set network-overlay enable
        set network-id 2
        set ipv4-start-ip 10.10.11.1
        set ipv4-end-ip 10.10.11.252
        set ipv4-netmask 255.255.255.0
        set psksecret fortinet
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "VPN1"
        set phase1name "VPN1"
        set proposal aes256-sha256
    next
    edit "VPN2"
        set phase1name "VPN2"
        set proposal aes256-sha256
    next
end

config system interface
    edit "HUB1-Lo"
        set vdom "root"
        set ip 172.16.100.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
    edit "VPN1"
        set vdom "root"
        set ip 10.10.10.253 255.255.255.255
        set allowaccess ping
        set remote-ip 10.10.10.254 255.255.255.0
        set interface "port1"
    next
    edit "VPN2"
        set vdom "root"
        set ip 10.10.11.253 255.255.255.255
        set allowaccess ping
        set remote-ip 10.10.11.254 255.255.255.0
        set interface "port2"
    next
end

config router bgp
    set as 65000
    set router-id 172.16.100.1
    set ibgp-multipath enable
    set graceful-restart enable
    config neighbor
        edit "172.16.1.1"
            set remote-as 65100
        next
    end
    config neighbor-group
        edit "VPN1"
            set capability-graceful-restart enable
            set link-down-failover enable
            set next-hop-self enable
            set remote-as 65000
            set route-reflector-client enable
            set soft-reconfiguration enable
        next
        edit "VPN2"
            set capability-graceful-restart enable
            set link-down-failover enable
            set next-hop-self enable
            set remote-as 65000
            set route-reflector-client enable
            set soft-reconfiguration enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "VPN1"
        next
        edit 2
            set prefix 10.10.11.0 255.255.255.0
            set neighbor-group "VPN2"
        next
    end
    config network
        edit 1
            set prefix 172.16.100.1 255.255.255.255
        next
    end
end

config firewall address
    edit "Datacenter"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Branch-NET"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "Overlay_Tunnels"
        set subnet 10.10.0.0 255.255.0.0
    next
end

config system sdwan
    set status enable
    config members
        edit 1
            set interface "VPN1"
            set comment "Mapping for VPN1 dialup tunnels"
        next
        edit 2
            set interface "VPN2"
            set comment "Mapping for VPN2 dialup tunnels"
        next
    end
end

config firewall policy
    edit 1
        set name "SLA-HealthCheck"
        set srcintf "virtual-wan-link"
        set dstintf "HUB1-Lo"
        set action accept
        set srcaddr "Overlay_Tunnels"
        set dstaddr "all"
        set schedule "always"
        set service "ALL_ICMP"
        set logtraffic all
    next
    edit 2
        set name "Branch to Datacenter"
        set srcintf "virtual-wan-link"
        set dstintf "port3"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "Datacenter"
        set schedule "always"
        set service "ALL"
        set tcp-session-without-syn all
        set logtraffic all
    next
    edit 3
        set name "Datacenter to Branch"
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "Datacenter"
        set dstaddr "Branch-NET"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/SD_overlay_bgp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.0/Single hub/SD_overlay_bgp.png
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/SD_overlay_ipsec.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.0/Single hub/SD_overlay_ipsec.png
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/SD_underlay.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.0/Single hub/SD_underlay.png
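The hub policies in this directory and the Remote-Internet-Breakout policy in the SaaS extension are plain `config firewall policy` blocks. As an added example (Python, not part of the repository), a parser for that flat set/edit/next syntax plus an audit that flags accept rules matching any source, destination and service, enabling NAT for an unrestricted source, or not logging all traffic; the sample text is constructed from those two page policies.

```python
import shlex

# Constructed sample: policy 1 from single_hub_HUB1_SD-WAN_Overlay.txt and
# policy 4 from the SaaS Remote Internet Breakout hub file, as on the page.
SAMPLE_POLICY = """\
config firewall policy
    edit 1
        set name "SLA-HealthCheck"
        set srcintf "virtual-wan-link"
        set dstintf "HUB1-Lo"
        set action accept
        set srcaddr "Overlay_Tunnels"
        set dstaddr "all"
        set schedule "always"
        set service "ALL_ICMP"
        set logtraffic all
    next
    edit 4
        set name "Remote-Internet-Breakout"
        set srcintf "virtual-wan-link"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
"""


def parse_firewall_policies(text):
    """Return {policy_id: {attribute: [values]}} for each edit/next block inside
    'config firewall policy'. Handles only the flat set/edit/next/end syntax used
    by the files in this repository (no nested config blocks)."""
    policies, current, inside = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "config firewall policy":
            inside = True
            continue
        if not inside:
            continue
        if line == "end":
            inside = False
            continue
        tokens = shlex.split(line)  # honours the "quoted" object names
        if tokens[0] == "edit":
            current = {}
            policies[int(tokens[1])] = current
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]  # multi-valued attributes keep all values
        elif tokens[0] == "next":
            current = None
    return policies


def audit_policy(pid, attrs):
    """Findings for one accept policy: any/any/any match, NAT for an
    unrestricted source, and traffic logging that is not 'all'."""
    findings = []
    if attrs.get("action") != ["accept"]:
        return findings
    if (attrs.get("srcaddr") == ["all"] and attrs.get("dstaddr") == ["all"]
            and attrs.get("service") == ["ALL"]):
        findings.append(f"policy {pid}: accepts any source to any destination on any service")
    if attrs.get("nat") == ["enable"] and attrs.get("srcaddr") == ["all"]:
        findings.append(f"policy {pid}: NAT enabled for an unrestricted source; "
                        "limit srcaddr to the branch LAN objects")
    if attrs.get("logtraffic") != ["all"]:
        findings.append(f"policy {pid}: logtraffic is not 'all'")
    return findings


def audit(text):
    """Audit every policy in a config text; returns {policy_id: [findings]}."""
    return {pid: audit_policy(pid, attrs)
            for pid, attrs in parse_firewall_policies(text).items()}


if __name__ == "__main__":
    for pid, findings in audit(SAMPLE_POLICY).items():
        print(pid, findings or ["ok"])
```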
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Single hub/readme.md:
--------------------------------------------------------------------------------
# SD-WAN Single Hub

This directory contains configuration to enable SD-WAN for a Hub and 2 spokes. Additionally, 4 extensions to SD-WAN are included to optionally enhance your SD-WAN deployment.

In addition to the configuration files, topology diagrams are provided in .png format, and in .drawio format should you wish to edit or build upon the given topology.

# Topology

### Underlay
This diagram shows the physical ports used by the topologies, as well as some key IP addresses and networks.
![Single hub branch underlay](./SD_underlay.png?raw=true "Underlay")

### IPsec Overlay
This is the first step of the overlay, showing the various IPsec VPN tunnels established over the underlay. The diagram associates the tunnel paths with the naming convention.
![Single hub branch overlay IPsec](./SD_overlay_ipsec.png?raw=true "IPsec Overlay")

### BGP Overlay
This topology builds on the IPsec overlay topology to show how BGP settings on the hub and branch devices are selected.
![Single hub branch overlay BGP](./SD_overlay_bgp.png?raw=true "BGP Overlay")
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Standalone SD-WAN/Branch_only_underlay.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.0/Standalone SD-WAN/Branch_only_underlay.png
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Standalone SD-WAN/README.md:
--------------------------------------------------------------------------------
# SD-WAN Underlay only

This configuration is for a branch location that wants to apply WAN edge intelligence to control how outbound traffic egresses the local area network when destined for the public internet. Many rule types are available to help the FortiGate direct the traffic. This example highlights a primary and backup WAN link scenario, where the primary is used exclusively unless it fails to meet the defined SLA; when that happens, traffic is directed to the backup WAN connection.

For more details on SD-WAN rules, please see the [SD-WAN rules](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/716691/sd-wan-rules) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) port1 and port2 are used for WAN1 and WAN2 respectively. Replace them with the ports you use for your WAN connections.

2) This branch uses the local subnet 10.1.0.0/24. Adjust the "Branch-NET" object to match your LAN subnet.

3) A health-check server is used to measure SLA. You should adjust this to better reflect your traffic of interest by defining your own performance SLA.
Please see the [performance SLA](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/584396/performance-sla) chapter of the FortiGate admin guide.

# Topology
### Underlay
![Standalone branch underlay](./Branch_only_underlay.png?raw=true "Underlay")
--------------------------------------------------------------------------------
/4D-SDWAN/7.0/Standalone SD-WAN/standalone_Branch_SD-WAN.txt:
--------------------------------------------------------------------------------
config firewall address
    edit "Branch-NET"
        set subnet 10.1.0.0 255.255.0.0
    next
end

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "SASE"
        next
        edit "WAN1"
        next
        edit "WAN2"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "WAN1"
            set comment "WAN1"
        next
        edit 2
            set interface "port2"
            set zone "WAN2"
            set cost 10
            set comment "WAN2"
        next
    end
    config health-check
        edit "Internet"
            set server "1.1.1.1"
            set failtime 3
            set recoverytime 3
            set update-static-route disable
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 55
                    set packetloss-threshold 1
                next
            end
        next
    end
    config service
        edit 1
            set name "WAN1-Primary_WAN2-Backup"
            set mode sla
            set dst "all"
            set src "Branch-NET"
            config sla
                edit "Internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

config firewall policy
    edit 1
        set name "Local Internet Breakout"
        set srcintf "port3"
        set dstintf "WAN1" "WAN2"
        set action accept
        set srcaddr "Branch-NET"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
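How the rule above behaves over time, as an added example in Python (not part of the repository): the health check marks a member dead after failtime unanswered probes and alive again after recoverytime answered ones, a member is in SLA when its latest measurement is within the 250 ms / 55 ms / 1 % thresholds, and the mode-sla rule takes the first priority member that is alive and in SLA. Assumptions labelled in the code: FortiOS averages over a probe window (here one probe decides SLA), and when every member is out of SLA the configured order still applies; the probe series is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# From standalone_Branch_SD-WAN.txt: health-check "Internet" sla 1 and the rule
# WAN1-Primary_WAN2-Backup (mode sla, priority-members 1 2).
SLA_LATENCY_MS = 250
SLA_JITTER_MS = 55
SLA_PACKETLOSS_PCT = 1
FAILTIME = 3           # unanswered probes before the member is considered dead
RECOVERYTIME = 3       # answered probes before a dead member is alive again
PRIORITY_MEMBERS = [1, 2]   # member 1 = port1/WAN1, member 2 = port2/WAN2


@dataclass(frozen=True)
class Probe:
    """One health-check measurement. Simplification: real FortiOS averages the
    metrics over a window of probes; here the latest probe decides SLA state."""
    latency_ms: float
    jitter_ms: float
    packetloss_pct: float


def meets_sla(probe):
    return (probe.latency_ms <= SLA_LATENCY_MS
            and probe.jitter_ms <= SLA_JITTER_MS
            and probe.packetloss_pct <= SLA_PACKETLOSS_PCT)


@dataclass
class MemberState:
    alive: bool = True
    in_sla: bool = True
    lost: int = 0       # consecutive unanswered probes
    answered: int = 0   # consecutive answered probes

    def update(self, probe: Optional[Probe]):
        """Feed one probe interval; None means no reply from the server."""
        if probe is None:
            self.lost += 1
            self.answered = 0
            if self.alive and self.lost >= FAILTIME:
                self.alive = False
        else:
            self.answered += 1
            self.lost = 0
            if not self.alive and self.answered >= RECOVERYTIME:
                self.alive = True
            self.in_sla = meets_sla(probe)
        return self.eligible

    @property
    def eligible(self):
        return self.alive and self.in_sla


def select_member(states):
    """mode sla: first priority member that is alive and meets SLA. If none
    does, the first alive member in priority order is used (assumption, not
    taken from the page). None when every member is dead."""
    for member in PRIORITY_MEMBERS:
        if states[member].eligible:
            return member
    for member in PRIORITY_MEMBERS:
        if states[member].alive:
            return member
    return None


def run(probe_series):
    """probe_series: {member: [Probe or None, ...]} of equal length.
    Returns the member the rule selects after each probe interval."""
    states = {m: MemberState() for m in PRIORITY_MEMBERS}
    length = len(next(iter(probe_series.values())))
    chosen = []
    for i in range(length):
        for member in PRIORITY_MEMBERS:
            states[member].update(probe_series[member][i])
        chosen.append(select_member(states))
    return chosen


GOOD = Probe(latency_ms=20, jitter_ms=2, packetloss_pct=0)
SLOW = Probe(latency_ms=310, jitter_ms=4, packetloss_pct=0)   # over the 250 ms latency SLA

# Constructed scenario: WAN1 healthy, then two slow probes (out of SLA at once),
# then three lost probes (dead after failtime), then three answered probes
# (alive after recoverytime). WAN2 stays healthy throughout.
SCENARIO = {
    1: [GOOD, GOOD, SLOW, SLOW, None, None, None, GOOD, GOOD, GOOD],
    2: [GOOD] * 10,
}

if __name__ == "__main__":
    print(run(SCENARIO))
```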
--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/Branches/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub with VPN overlay and BGP routing 7.4 - Branches

This configuration is for branches connecting back to dual hubs to access internal resources. There are three local internet breakout rules to steer important traffic over the best link and non-critical traffic out the less preferred link.

For more details on SD-WAN rules, please see the [SD-WAN rules](https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/716691/sd-wan-rules) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) IPsec settings, such as phase1 proposal and PSK.

2) port1 and port2 are used for WAN1 and WAN2 respectively. Replace them with the ports you use for your WAN connections.

3) A health-check server is used to measure SLA. You should adjust this to better reflect your traffic of interest by defining your own performance SLA. Please see the [performance SLA](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/584396/performance-sla) chapter of the FortiGate admin guide.

4) WAN2 is the less preferred link and should only be used if WAN1 does not meet SLA. This applies to the VPN connections overlaying each WAN link: if the health-check to the DC over WAN1-VPN1 fails to meet SLA, traffic may take WAN2-VPN1 to the DC.

5) HUB1 is the preferred HUB and should be used unless the VPN links to HUB1 are out of SLA.

6) The branches use the local subnets 10.1.x.0/24, where x is the branch number. "Branch-LAN" is a supernet that comprises all the branch LAN networks (10.1.0.0/16).

7) The WAN interfaces for branch devices are statically configured and will need to be adjusted to match your environment.

8) The VPN dialup gateways (HUB WAN interfaces) are statically configured IP addresses that will need to be changed to match your hubs' public WAN IP addresses.

9) The BGP AS number is 65000 and the router ID is the loopback interface's address, 172.16.0.x, where x is unique to the branch.

# Changes between branches

1) LAN subnet.

2) Loopback interface IP address.

3) BGP router ID (uses the loopback address).

4) IPsec phase1-interface local-id.
--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/DH_SD_IPSec_74.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.4/Dual hub/DH_SD_IPSec_74.png
--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/DH_SD_Underlay_74.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.4/Dual hub/DH_SD_Underlay_74.png
--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/DH_SD_bgp_74.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.4/Dual hub/DH_SD_bgp_74.png
--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/Extensions/ADVPN/Branches/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub ADVPN 7.4 - Branches

This configuration enables ADVPN on the branches.
ADVPN (Auto Discovery VPN) is an IPsec technology that allows the spokes of a traditional hub-and-spoke VPN to establish dynamic, on-demand, direct tunnels between each other instead of routing through the topology's hub device.

The spoke overlays are set up as ADVPN receivers. This includes IPsec phase 1 and BGP neighbor settings.

SD-WAN rules are modified to steer Branch-NET traffic across the ADVPN dynamic tunnels.

Firewall policies are modified to permit branch-to-branch traffic.

For more details on ADVPN and SD-WAN, please see the [ADVPN and shortcut paths](https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/985659/advpn-and-shortcut-paths) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) Firewall policy ID 3 is created and must not previously exist.

# Changes between branches

None.
--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/Extensions/ADVPN/Branches/dual_hub_Branch1_ADVPN74.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
    next
    edit "HUB1-VPN2"
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
    next
    edit "HUB2-VPN1"
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
    next
    edit "HUB2-VPN2"
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
    next
end
config router bgp
    config neighbor
        edit "10.10.159.253"
            set additional-path receive
        next
        edit "10.10.191.253"
            set additional-path receive
        next
        edit "10.10.31.253"
            set additional-path receive
        next
        edit "10.10.63.253"
            set additional-path receive
        next
    end
end
config system sdwan
    config service
        edit 4
            set dst "Datacenter-LAN" "Branch-LAN"
        next
    end
end
config firewall policy
    edit 3
        set srcaddr "Datacenter-LAN" "Branch-LAN"
    next
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/Extensions/ADVPN/Branches/dual_hub_Branch2_ADVPN74.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
    next
    edit "HUB1-VPN2"
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
    next
    edit "HUB2-VPN1"
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
    next
    edit "HUB2-VPN2"
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
    next
end
config router bgp
    config neighbor
        edit "10.10.159.253"
            set additional-path receive
        next
        edit "10.10.191.253"
            set additional-path receive
        next
        edit "10.10.31.253"
            set additional-path receive
        next
        edit "10.10.63.253"
            set additional-path receive
        next
    end
end
config system sdwan
    config service
        edit 4
            set dst "Datacenter-LAN" "Branch-LAN"
        next
    end
end
config firewall policy
    edit 3
        set srcaddr "Datacenter-LAN" "Branch-LAN"
    next
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/Extensions/ADVPN/Hub/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub ADVPN - HUB

This configuration enables ADVPN on the hub. ADVPN (Auto Discovery VPN) is an IPsec technology that allows the spokes of a traditional hub-and-spoke VPN to establish dynamic, on-demand, direct tunnels between each other instead of routing through the topology's hub device.

The hub VPN overlays are set up as ADVPN senders. This includes IPsec phase 1 and BGP neighbor settings that allow 4 additional paths to be sent to each of the overlays.

Policy routes are created for ADVPN "stickiness". Stickiness is required to prevent private links from receiving shortcuts over public links, for example when one link is a public ISP connection and the other is a private MPLS line.

The firewall policies are modified to permit branch-to-branch traffic.

For more details on ADVPN and SD-WAN, please see the [ADVPN and shortcut paths](https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/985659/advpn-and-shortcut-paths) chapter of the FortiGate admin guide.
12 | 13 | # Assumptions 14 | 15 | The following settings are specific to the demo and should be changed to fit your environment as necessary. 16 | 17 | 1) A firewall policy with ID 3 is created and must not previously exist. -------------------------------------------------------------------------------- /4D-SDWAN/7.4/Dual hub/Extensions/ADVPN/Hub/dual_hub_HUB1_ADVPN_74.txt: -------------------------------------------------------------------------------- 1 | config vpn ipsec phase1-interface 2 | edit "VPN1" 3 | set auto-discovery-sender enable 4 | next 5 | edit "VPN2" 6 | set auto-discovery-sender enable 7 | next 8 | end 9 | config router bgp 10 | set additional-path enable 11 | set additional-path-select 255 12 | config neighbor-group 13 | edit "VPN1" 14 | set additional-path send 15 | next 16 | edit "VPN2" 17 | set additional-path send 18 | next 19 | end 20 | end 21 | config router policy 22 | edit 1 23 | set input-device "VPN1" 24 | set srcaddr "all" 25 | set dstaddr "all" 26 | set output-device "VPN1" 27 | next 28 | edit 2 29 | set input-device "VPN2" 30 | set srcaddr "all" 31 | set dstaddr "all" 32 | set output-device "VPN2" 33 | next 34 | end 35 | config firewall policy 36 | edit 3 37 | set name "Branch to Branch Traffic" 38 | set srcintf "VPN" 39 | set dstintf "VPN" 40 | set action accept 41 | set srcaddr "Branch-LAN" 42 | set dstaddr "Branch-LAN" 43 | set schedule "always" 44 | set service "ALL" 45 | set logtraffic all 46 | next 47 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.4/Dual hub/Extensions/ADVPN/Hub/dual_hub_HUB2_ADVPN_74.txt: -------------------------------------------------------------------------------- 1 | config vpn ipsec phase1-interface 2 | edit "VPN1" 3 | set auto-discovery-sender enable 4 | next 5 | edit "VPN2" 6 | set auto-discovery-sender enable 7 | next 8 | end 9 | config router bgp 10 | set additional-path enable 11 | set additional-path-select 255 12 | config neighbor-group 13 | 
edit "VPN1" 14 | set additional-path send 15 | next 16 | edit "VPN2" 17 | set additional-path send 18 | next 19 | end 20 | end 21 | config router policy 22 | edit 1 23 | set input-device "VPN1" 24 | set srcaddr "all" 25 | set dstaddr "all" 26 | set output-device "VPN1" 27 | next 28 | edit 2 29 | set input-device "VPN2" 30 | set srcaddr "all" 31 | set dstaddr "all" 32 | set output-device "VPN2" 33 | next 34 | end 35 | config firewall policy 36 | edit 3 37 | set name "Branch to Branch Traffic" 38 | set srcintf "VPN" 39 | set dstintf "VPN" 40 | set action accept 41 | set srcaddr "Branch-LAN" 42 | set dstaddr "Branch-LAN" 43 | set schedule "always" 44 | set service "ALL" 45 | set logtraffic all 46 | next 47 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.4/Dual hub/Extensions/ADVPN/README.md: -------------------------------------------------------------------------------- 1 | # ADVPN General 2 | 3 | ADVPN is used to dynamically build overlay tunnels between devices in a SDWAN region. The SDWAN HUB will be the ADVPN sender that provides Branches with the necessary details to establish their own tunnels as necessary. -------------------------------------------------------------------------------- /4D-SDWAN/7.4/Dual hub/Extensions/Adaptive FEC/Branches/README.md: -------------------------------------------------------------------------------- 1 | # SD-WAN dual hub adaptive forward error correction - Branches 2 | 3 | This configuration is to enable adaptive FEC on the branches. Forward Error Correction (FEC) is used to control and correct errors in data transmission by sending redundant data across the VPN in anticipation of dropped packets occurring during transit. The mechanism sends out x number of redundant packets for every y number of base packets. 4 | 5 | FEC is enabled on the desired firewall policy. 6 | 7 | Mappings are set up with desired FEC parameters. 
8 | 9 | FEC mapping is applied to IPsec phase 1 tunnel settings and FEC is enabled on ingress and egress. 10 | 11 | A health check server is selected to monitor packet loss on a given overlay. 12 | 13 | For more details on adaptive FEC, please see the [Adaptive Forward Error Correction](https://docs.fortinet.com/document/fortigate/7.4.99/administration-guide/169010/adaptive-forward-error-correction) chapter of the FortiGate admin guide. 14 | 15 | # Assumptions 16 | 17 | The following settings are specific to the demo and should be changed to fit your environment as necessary. 18 | 19 | 1) A custom application service is defined as udp port 5000. This should be adjusted to meet your business' needs. 20 | 21 | 2) Thresholds and settings for FEC should be tuned to the application and business needs. In this configuration, FEC parity bits were adjusted to be more aggressive during higher packet loss situations than the defaults. 22 | 23 | 24 | # Changes between branches 25 | 26 | None. 27 | -------------------------------------------------------------------------------- /4D-SDWAN/7.4/Dual hub/Extensions/Adaptive FEC/Branches/dual_hub_Branch1_adaptive-fec.txt: -------------------------------------------------------------------------------- 1 | config firewall service custom 2 | edit "CustomApp-5000" 3 | set udp-portrange 5000 4 | next 5 | end 6 | 7 | config firewall policy 8 | edit 4 9 | set name "FEC test" 10 | set srcintf "port3" 11 | set dstintf "HUB1" "HUB2" 12 | set action accept 13 | set srcaddr "Branch-LAN" 14 | set dstaddr "Datacenter-LAN" 15 | set schedule "always" 16 | set service "CustomApp-5000" 17 | set logtraffic all 18 | set fec enable 19 | next 20 | move 4 before 2 21 | end 22 | 23 | config vpn ipsec fec 24 | edit "dc_fec" 25 | config mappings 26 | edit 1 27 | set base 8 28 | set redundant 2 29 | set packet-loss-threshold 5 30 | next 31 | edit 2 32 | set base 5 33 | set redundant 2 34 | set packet-loss-threshold 10 35 | next 36 | end 37 | next 38 | end 
39 | 40 | config vpn ipsec phase1-interface 41 | edit "HUB1-VPN1" 42 | set fec-egress enable 43 | set fec-ingress enable 44 | set fec-mapping-profile dc_fec 45 | set fec-health-check HUB1_HC 46 | next 47 | edit "HUB1-VPN2" 48 | set fec-egress enable 49 | set fec-ingress enable 50 | set fec-mapping-profile dc_fec 51 | set fec-health-check HUB1_HC 52 | next 53 | edit "HUB2-VPN1" 54 | set fec-egress enable 55 | set fec-ingress enable 56 | set fec-mapping-profile dc_fec 57 | set fec-health-check HUB2_HC 58 | next 59 | edit "HUB2-VPN2" 60 | set fec-egress enable 61 | set fec-ingress enable 62 | set fec-mapping-profile dc_fec 63 | set fec-health-check HUB2_HC 64 | next 65 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.4/Dual hub/Extensions/Adaptive FEC/Branches/dual_hub_Branch2_adaptive-fec.txt: -------------------------------------------------------------------------------- 1 | config firewall service custom 2 | edit "CustomApp-5000" 3 | set udp-portrange 5000 4 | next 5 | end 6 | 7 | config firewall policy 8 | edit 4 9 | set name "FEC test" 10 | set srcintf "port3" 11 | set dstintf "HUB1" "HUB2" 12 | set action accept 13 | set srcaddr "Branch-LAN" 14 | set dstaddr "Datacenter-LAN" 15 | set schedule "always" 16 | set service "CustomApp-5000" 17 | set logtraffic all 18 | set fec enable 19 | next 20 | move 4 before 2 21 | end 22 | 23 | config vpn ipsec fec 24 | edit "dc_fec" 25 | config mappings 26 | edit 1 27 | set base 8 28 | set redundant 2 29 | set packet-loss-threshold 5 30 | next 31 | edit 2 32 | set base 5 33 | set redundant 2 34 | set packet-loss-threshold 10 35 | next 36 | end 37 | next 38 | end 39 | 40 | config vpn ipsec phase1-interface 41 | edit "HUB1-VPN1" 42 | set fec-egress enable 43 | set fec-ingress enable 44 | set fec-mapping-profile dc_fec 45 | set fec-health-check HUB1_HC 46 | next 47 | edit "HUB1-VPN2" 48 | set fec-egress enable 49 | set fec-ingress enable 50 | set fec-mapping-profile dc_fec 51 | set 
fec-health-check HUB1_HC 52 | next 53 | edit "HUB2-VPN1" 54 | set fec-egress enable 55 | set fec-ingress enable 56 | set fec-mapping-profile dc_fec 57 | set fec-health-check HUB2_HC 58 | next 59 | edit "HUB2-VPN2" 60 | set fec-egress enable 61 | set fec-ingress enable 62 | set fec-mapping-profile dc_fec 63 | set fec-health-check HUB2_HC 64 | next 65 | end -------------------------------------------------------------------------------- /4D-SDWAN/7.4/Dual hub/Extensions/Adaptive FEC/Hubs/README.md: -------------------------------------------------------------------------------- 1 | # SD-WAN dual hub adaptive forward error correction - HUBS 2 | 3 | This configuration is to enable adaptive FEC on the hub. Forward Error Correction (FEC) is used to control and correct errors in data transmission by sending redundant data across the VPN in anticipation of dropped packets occurring during transit. The mechanism sends out x number of redundant packets for every y number of base packets. 4 | 5 | FEC is enabled in IPsec phase 1 settings of each overlay. 6 | 7 | FED is enabled on desired firewall policies. 8 | 9 | For more details on adaptive FEC, please see the [Adaptive Forward Error Correction](https://docs.fortinet.com/document/fortigate/7.4.99/administration-guide/169010/adaptive-forward-error-correction) chapter of the FortiGate admin guide. 10 | 11 | # Assumptions 12 | 13 | The following settings are specific to the demo and should be changed to fit your environment as necessary. 14 | 15 | 1) A custom application service is defined as udp port 5000. This should be adjusted to meet your business' needs. 
--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/Extensions/Adaptive FEC/Hubs/dual_hub_HUB1_adaptive-fec74.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "VPN1"
        set fec-egress enable
        set fec-ingress enable
    next
    edit "VPN2"
        set fec-egress enable
        set fec-ingress enable
    next
end

config firewall service custom
    edit "CustomApp-5000"
        set udp-portrange 5000
    next
end

config firewall policy
    edit 6
        set status enable
        set srcintf "VPN"
        set dstintf "port3"
        set action accept
        set srcaddr "Branch-LAN"
        set dstaddr "Datacenter-LAN"
        set schedule "always"
        set service "CustomApp-5000"
        set fec enable
    next
    move 6 before 2
end

--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/Extensions/Adaptive FEC/Hubs/dual_hub_HUB2_adaptive-fec74.txt:
--------------------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "VPN1"
        set fec-egress enable
        set fec-ingress enable
    next
    edit "VPN2"
        set fec-egress enable
        set fec-ingress enable
    next
end

config firewall service custom
    edit "CustomApp-5000"
        set udp-portrange 5000
    next
end

config firewall policy
    edit 6
        set status enable
        set srcintf "VPN"
        set dstintf "port3"
        set action accept
        set srcaddr "Branch-LAN"
        set dstaddr "Datacenter-LAN"
        set schedule "always"
        set service "CustomApp-5000"
        set fec enable
    next
    move 6 before 2
end

--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/Extensions/Adaptive FEC/README.md:
--------------------------------------------------------------------------------
# Adaptive FEC General

Adaptive Forward Error Correction (FEC) is a WAN remediation technique that dynamically corrects packet loss based on the packet loss detected on the link.

--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/Hub/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub with VPN overlay and BGP routing 7.4 - HUBs

This configuration is for dual hubs functioning as access points for datacenter resources.

For more details on SD-WAN rules, please see the [SD-WAN rules](https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/716691/sd-wan-rules) chapter of the FortiGate admin guide.

The datacenter's subnet of 192.168.1.0/24 is learned through an eBGP peering with 172.16.1.1 and 172.16.2.1 for Hub1 and Hub2 respectively. The eBGP route to 192.168.1.0/24 is automatically distributed among all iBGP neighbors in the same Autonomous System without any further configuration.

The networks 172.16.255.253/32 and 172.16.255.252 are distributed so the iBGP neighbors know of the hubs' loopback interfaces.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) IPsec settings, such as phase1 proposal and PSK.

2) port1 and port2 are used for WAN1 and WAN2 respectively. Replace them with the ports you use for your WAN connections.

3) The datacenter uses the local subnet 192.168.1.0/24. Adjust the "Datacenter-LAN" object to match your LAN subnet.

--------------------------------------------------------------------------------
/4D-SDWAN/7.4/Dual hub/README.md:
--------------------------------------------------------------------------------
# SD-WAN Dual Hub

This directory contains configuration to enable SD-WAN for two Hubs and two spokes. Additionally, extensions to SD-WAN are included to optionally enhance your SD-WAN deployment.

In addition to the configuration files, there are topology diagrams provided in .png format, and in .drawio format should you wish to edit or build upon the given topology.

# Topology

### Underlay
This diagram provides the physical ports used by the topologies, as well as some key IP addresses and networks.
![Dual hub branch underlay](./DH_SD_Underlay_74.png?raw=true "Underlay")

### IPsec Overlay
This is the first step of the overlay to indicate the various IPSec VPN tunnels that are established over the underlay. The diagram associates the tunnel paths with the naming convention.
![Dual hub branch overlay IPsec](./DH_SD_IPSec_74.png?raw=true "IPsec Overlay")

### BGP Overlay
This topology builds on the IPSec overlay topology to indicate how BGP settings on the hub and branch devices are selected.
![Dual hub branch overlay BGP](./DH_SD_bgp_74.png?raw=true "BGP Overlay")

--------------------------------------------------------------------------------
/4D-SDWAN/7.6/Dual hub/Branches/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub with VPN overlay and BGP routing 7.6 - Branches

This configuration is for branches connecting back to dual hubs to access internal resources. There are three local internet breakout rules to steer important traffic over the best link, and non-critical traffic out the less preferred link.

For more details on SD-WAN rules, please see the [SD-WAN rules](https://docs.fortinet.com/document/fortigate/7.6.99/administration-guide/716691/sd-wan-rules) chapter of the FortiGate admin guide.

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) No security configuration is provided; it must be considered for any implementation.

2) IPsec settings, such as phase1 proposal and PSK.

3) port1 and port2 are used for WAN1 and WAN2 respectively. Replace them with the ports you use for your WAN connections.

4) A health-check server is used to measure SLA. You should adjust this to better reflect your traffic of interest by defining your own performance SLA. Please see the [performance SLA](https://docs.fortinet.com/document/fortigate/7.6.99/administration-guide/584396/performance-sla) chapter of the FortiGate admin guide.

5) WAN2 is the less preferred link and should only be used if WAN1 does not meet SLA.
This applies to the VPN connections overlaying each WAN link. If the health-check to the DC over WAN1-VPN1 fails to meet SLA, traffic may take WAN2-VPN1 to the DC.

6) HUB1 is the preferred HUB and should be used unless the VPN links to HUB1 are out of SLA.

7) The branches use the local subnets 10.1.x.0/24, where x is the branch number. The "Branch-LAN" object is a supernet that comprises all the branch LAN networks (10.1.0.0/16).

8) The WAN interfaces for branch devices are statically configured and will need to be adjusted to match your environment, along with the default routes for each WAN interface.

9) The BGP AS number is 65000 and the router ID is the loopback interface's address: 172.16.0.x, where x is unique to the branch.

# Changes between branches

1) LAN subnet.

2) Loopback interface IP address.

3) BGP router ID (uses the loopback address).

4) IPsec phase1-interface localid.
--------------------------------------------------------------------------------
/4D-SDWAN/7.6/Dual hub/DH_SD_IPSec_76.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.6/Dual hub/DH_SD_IPSec_76.png

--------------------------------------------------------------------------------
/4D-SDWAN/7.6/Dual hub/DH_SD_Underlay_76.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.6/Dual hub/DH_SD_Underlay_76.png

--------------------------------------------------------------------------------
/4D-SDWAN/7.6/Dual hub/DH_SD_bgp_76.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/4D-SDWAN/7.6/Dual hub/DH_SD_bgp_76.png

--------------------------------------------------------------------------------
/4D-SDWAN/7.6/Dual hub/Hub/README.md:
--------------------------------------------------------------------------------
# SD-WAN dual hub with VPN overlay and BGP routing 7.6 - HUBs

This configuration is for dual hubs functioning as access points for datacenter resources.

For more details on SD-WAN rules, please see the [SD-WAN rules](https://docs.fortinet.com/document/fortigate/7.6.99/administration-guide/716691/sd-wan-rules) chapter of the FortiGate admin guide.

The datacenter's subnet of 192.168.1.0/24 is learned through an eBGP peering with 172.16.1.1 and 172.16.2.1 for Hub1 and Hub2 respectively. The eBGP route to 192.168.1.0/24 is automatically distributed among all iBGP neighbors in the same Autonomous System without any further configuration.

Each Hub's BGP loopback (HUB1: 172.16.255.252/32, HUB2: 172.16.255.250) is installed as a static route on the branch devices once the VPN overlays are established. This is done via an IKE extension: `set exchange-ip-addr4 $Hub-Lo`.

Hubs share the same IP address for their HUB_HC loopback interface to simplify branch health check configuration.

HUBs utilize a blackhole static route for the branch summary (10.1.0.0/16). This allows the hubs to advertise the branch summary via BGP to all the branches when combined with:

    config router bgp
        config network
            edit 10
                set prefix 10.1.0.0 255.255.0.0
            next
        end
    end

# Assumptions

The following settings are specific to the demo and should be changed to fit your environment as necessary.

1) IPsec settings, such as phase1 proposal and PSK.

2) port1 and port2 are used for WAN1 and WAN2 respectively. Replace them with the ports you use for your WAN connections, and update the address configuration to reflect your environment.

3) Default routes must be updated to reflect the WAN1/2 interface addresses.

4) The datacenter uses the local subnet 192.168.1.0/24. Adjust the "Datacenter-LAN" object to match your LAN subnet.

5) If your branch subnets cannot be easily summarized, you can configure multiple network prefixes in BGP, one for each. See the [FortiGate Admin Guide](https://docs.fortinet.com/document/fortigate/7.6.99/administration-guide/63589/active-dynamic-bgp-neighbor-triggered-by-advpn-shortcut) for a complete example.

    config router bgp
        config network
            edit 10
                set prefix 10.1.1.0 255.255.255.0
            next
            edit 11
                set prefix 172.200.99.0 255.255.255.0
            next
        end
    end

Alternatively, you can utilize default routes on the branch devices to direct traffic to the hubs.
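Two of the hub properties described in these READMEs are easy to get wrong when the configuration is adapted to another environment: a BGP `config network` prefix is only advertised while a matching route exists (the reason for the blackhole route above), and the ADVPN "stickiness" policy routes in the 7.4 hub extension only work when each overlay's input-device is also its output-device. The following Python is an added example, not code from the 4D-Demo repository or from Fortinet: it parses the FortiOS `config/edit/set/next/end` CLI structure and runs both checks over a constructed sample that condenses the hub settings shown on this page and adds one unrouted prefix (192.168.50.0/24) and one non-sticky policy route (edit 2) so each check has a finding. The static-route check is an approximation: FortiOS also accepts connected routes, which the parser never sees, so a finding is a prompt to verify on the device rather than a proven fault.

```python
# Added example (not code from the 4D-Demo repository): a small FortiOS CLI parser plus
# two lint checks for hub properties described on this page. SAMPLE_CONFIG is constructed:
# it condenses the hub settings shown here and adds one unrouted BGP prefix and one
# non-sticky policy route (edit 2) so that each check has a finding to report.
import ipaddress
import shlex

SAMPLE_CONFIG = """
config router static
    edit 50
        set dst 10.1.0.0 255.255.0.0
        set blackhole enable
    next
end
config router bgp
    config network
        edit 10
            set prefix 10.1.0.0 255.255.0.0
        next
        edit 11
            set prefix 192.168.50.0 255.255.255.0
        next
    end
end
config router policy
    edit 1
        set input-device "VPN1"
        set output-device "VPN1"
    next
    edit 2
        set input-device "VPN2"
        set output-device "VPN1"
    next
end
"""


def _node():
    return {"set": {}, "config": {}, "edit": {}}


def parse_fortios(text):
    """Parse config/edit/set/next/end nesting into dicts:
    node["config"][table], node["edit"][key], node["set"][attr] -> list of values."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)  # keeps "quoted names" such as "VPN1" as one token
        if not words:
            continue
        cmd, args, cur = words[0], words[1:], stack[-1]
        if cmd == "config":
            stack.append(cur["config"].setdefault(" ".join(args), _node()))
        elif cmd == "edit":
            stack.append(cur["edit"].setdefault(args[0], _node()))
        elif cmd == "set":
            cur["set"][args[0]] = args[1:]
        elif cmd == "unset":
            cur["set"].pop(args[0], None)
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("unbalanced %r" % cmd)
            stack.pop()
        # move, show, etc. carry no state these checks need
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def _net(addr, mask):
    return str(ipaddress.ip_network("%s/%s" % (addr, mask), strict=False))


def unrouted_bgp_networks(cfg):
    """BGP 'config network' prefixes with no exact-match static route.
    FortiOS advertises a network prefix only while a matching route is in the routing
    table, which is what the hubs' blackhole route for 10.1.0.0/16 supplies. Connected
    routes are invisible to this static-only check, so a hit means "verify", not "broken"."""
    static = cfg["config"].get("router static", _node())["edit"].values()
    routed = {_net(*e["set"]["dst"]) for e in static if "dst" in e["set"]}
    bgp = cfg["config"].get("router bgp", _node())
    nets = bgp["config"].get("network", _node())["edit"].values()
    return [_net(*e["set"]["prefix"]) for e in nets
            if "prefix" in e["set"] and _net(*e["set"]["prefix"]) not in routed]


def non_sticky_policy_routes(cfg):
    """Policy-route IDs whose output-device differs from input-device. The hub README
    relies on input == output per overlay so a private-link overlay never hands a
    branch a shortcut over the public-link overlay."""
    routes = cfg["config"].get("router policy", _node())["edit"]
    return [rid for rid, e in routes.items()
            if e["set"].get("input-device") != e["set"].get("output-device")]


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("BGP networks without a static route:", unrouted_bgp_networks(cfg))
    print("Non-sticky policy routes:", non_sticky_policy_routes(cfg))
```

To run it against a real device, replace `SAMPLE_CONFIG` with the output of `show router static`, `show router bgp` and `show router policy` pasted into one string; the parser tolerates any mix of tables because it only keys on the `config`/`edit` nesting.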
--------------------------------------------------------------------------------
/4D-SDWAN/7.6/Dual hub/Hub/dual_hub_HUB1_base_76.txt:
--------------------------------------------------------------------------------
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.198.5.2 255.255.255.248
        set allowaccess ping
        set alias "WAN1"
        set role wan
    next
    edit "port2"
        set vdom "root"
        set ip 10.198.6.2 255.255.255.248
        set allowaccess ping
        set alias "WAN2"
        set role wan
    next
    edit "port3"
        set vdom "root"
        set ip 172.16.1.2 255.255.255.252
        set allowaccess ping
        set alias "Internal"
        set role lan
    next
    edit "HUB-Lo"
        set vdom "root"
        set ip 172.16.255.251 255.255.255.255
        set allowaccess ping
        set type loopback
    next
    edit "BGP-Lo"
        set vdom "root"
        set ip 172.16.255.252 255.255.255.255
        set allowaccess ping
        set type loopback
    next
    edit "VPN1"
        set vdom "root"
        set type tunnel
        set interface "port1"
    next
    edit "VPN2"
        set vdom "root"
        set type tunnel
        set interface "port2"
    next
end
config firewall address
    edit "ACME_Loopback"
        set subnet 172.16.0.0 255.255.0.0
    next
    edit "Branch-LAN"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "Datacenter-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-ip-addr4 172.16.255.252
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set transport auto
        set psksecret *****
        set dpd-retrycount 2
        set dpd-retryinterval 2
    next
    edit "VPN2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-ip-addr4 172.16.255.252
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 2
        set transport auto
        set psksecret *****
        set dpd-retrycount 2
        set dpd-retryinterval 2
    next
end
config vpn ipsec phase2-interface
    edit "VPN1"
        set phase1name "VPN1"
        set proposal aes256-sha256
    next
    edit "VPN2"
        set phase1name "VPN2"
        set proposal aes256-sha256
    next
end
config firewall policy
    edit 1
        set name "Branch to Datacenter"
        set srcintf "VPN1" "VPN2"
        set dstintf "port3"
        set action accept
        set srcaddr "Branch-LAN"
        set dstaddr "Datacenter-LAN"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "Datacenter to Branch"
        set srcintf "port3"
        set dstintf "VPN1" "VPN2"
        set action accept
        set srcaddr "Datacenter-LAN"
        set dstaddr "Branch-LAN"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "Branch to Branch"
        set srcintf "VPN1" "VPN2"
        set dstintf "VPN1" "VPN2"
        set action accept
        set srcaddr "Branch-LAN"
        set dstaddr "Branch-LAN"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 4
        set name "Health Check Access"
        set srcintf "VPN1" "VPN2"
        set dstintf "HUB-Lo"
        set action accept
        set srcaddr "ACME_Loopback"
        set dstaddr "ACME_Loopback"
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set name "Peering"
        set srcintf "VPN1" "VPN2"
        set dstintf "BGP-Lo"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "PING" "BGP"
    next
end
config router route-map
    edit "LOCAL_REGION"
        config rule
            edit 1
                unset set-ip-prefsrc
            next
        end
    next
end
config router static
    edit 1
        set gateway 10.198.5.1
        set device "port1"
    next
    edit 2
        set gateway 10.198.6.1
        set device "port2"
    next
    edit 50
        set dst 10.1.0.0 255.255.0.0
        set blackhole enable
        set vrf 0
    next
end
config router bgp
    set as 65000
    set router-id 172.16.255.252
    set ebgp-multipath enable
    set ibgp-multipath enable
    set recursive-next-hop enable
    set recursive-inherit-priority enable
    set graceful-restart enable
    config neighbor
        edit "172.16.1.1"
            set remote-as 65100
        next
    end
    config neighbor-group
        edit "EDGE"
            set advertisement-interval 1
            set next-hop-self enable
            set soft-reconfiguration enable
            set interface "BGP-Lo"
            set remote-as 65000
            set update-source "BGP-Lo"
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.16.0.0 255.255.0.0
            set neighbor-group "EDGE"
        next
    end
    config network
        edit 1
            set prefix 172.16.0.0 255.255.0.0
            set route-map "LOCAL_REGION"
        next
        edit 10
            set prefix 10.1.0.0 255.255.0.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end
--------------------------------------------------------------------------------
/4D-SDWAN/7.6/Dual hub/Hub/dual_hub_HUB2_base_76.txt:
--------------------------------------------------------------------------------
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.198.7.2 255.255.255.248
        set allowaccess ping
        set alias "WAN1"
        set role wan
    next
    edit "port2"
        set vdom "root"
        set ip 10.198.8.2 255.255.255.248
        set allowaccess ping
        set alias "WAN2"
        set role wan
    next
    edit "port3"
        set vdom "root"
        set ip 172.16.2.2 255.255.255.252
        set allowaccess ping
        set alias "Internal"
        set role lan
    next
    edit "HUB-Lo"
        set vdom "root"
        set ip 172.16.255.251 255.255.255.255
        set allowaccess ping
        set type loopback
    next
    edit "BGP-Lo"
        set vdom "root"
        set ip 172.16.255.250 255.255.255.255
        set allowaccess ping
        set type loopback
    next
    edit "VPN1"
        set vdom "root"
        set type tunnel
        set interface "port1"
    next
    edit "VPN2"
        set vdom "root"
        set type tunnel
        set interface "port2"
    next
end
config firewall address
    edit "ACME_Loopback"
        set subnet 172.16.0.0 255.255.0.0
    next
    edit "Branch-LAN"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "Datacenter-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-ip-addr4 172.16.255.250
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set transport auto
        set psksecret *****
        set dpd-retrycount 2
        set dpd-retryinterval 2
    next
    edit "VPN2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-ip-addr4 172.16.255.250
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 2
        set transport auto
        set psksecret *****
        set dpd-retrycount 2
        set dpd-retryinterval 2
    next
end
config vpn ipsec phase2-interface
    edit "VPN1"
        set phase1name "VPN1"
        set proposal aes256-sha256
    next
    edit "VPN2"
        set phase1name "VPN2"
        set proposal aes256-sha256
    next
end
config firewall policy
    edit 1
        set name "Branch to Datacenter"
        set srcintf "VPN1" "VPN2"
        set dstintf "port3"
        set action accept
        set srcaddr "Branch-LAN"
        set dstaddr "Datacenter-LAN"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "Datacenter to Branch"
        set srcintf "port3"
        set dstintf "VPN1" "VPN2"
        set action accept
        set srcaddr "Datacenter-LAN"
        set dstaddr "Branch-LAN"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "Branch to Branch"
        set srcintf "VPN1" "VPN2"
        set dstintf "VPN1" "VPN2"
        set action accept
        set srcaddr "Branch-LAN"
        set dstaddr "Branch-LAN"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 4
        set name "Health Check Access"
        set srcintf "VPN1" "VPN2"
        set dstintf "HUB-Lo"
        set action accept
        set srcaddr "ACME_Loopback"
        set dstaddr "ACME_Loopback"
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set name "Peering"
        set srcintf "VPN1" "VPN2"
        set dstintf "BGP-Lo"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "PING" "BGP"
    next
end
config router route-map
    edit "LOCAL_REGION"
        config rule
            edit 1
                unset set-ip-prefsrc
            next
        end
    next
end
config router static
    edit 1
        set gateway 10.198.7.1
        set device "port1"
    next
    edit 2
        set gateway 10.198.8.1
        set device "port2"
    next
    edit 50
        set dst 10.1.0.0 255.255.0.0
        set blackhole enable
        set vrf 0
    next
end
config router bgp
    set as 65000
    set router-id 172.16.255.250
    set ebgp-multipath enable
    set ibgp-multipath enable
    set recursive-next-hop enable
    set recursive-inherit-priority enable
    set graceful-restart enable
    config neighbor
        edit "172.16.2.1"
            set remote-as 65100
        next
    end
    config neighbor-group
        edit "EDGE"
            set advertisement-interval 1
            set next-hop-self enable
            set soft-reconfiguration enable
            set interface "BGP-Lo"
            set remote-as 65000
            set update-source "BGP-Lo"
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.16.0.0 255.255.0.0
            set neighbor-group "EDGE"
        next
    end
    config network
        edit 1
            set prefix 172.16.0.0 255.255.0.0
            set route-map "LOCAL_REGION"
        next
        edit 10
            set prefix 10.1.0.0 255.255.0.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end
--------------------------------------------------------------------------------
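A small audit helper for the hub configuration above, added here as an example and not part of the 4D-Demo repository: it parses the FortiOS `config / edit / set / next / end` nesting and reports accept policies that carry no `logtraffic` line (policy 4) or that use `all` for both source and destination address (policy 5). The sample input is a constructed excerpt of policies 4 and 5 from the hub config.

```python
"""Parse FortiOS CLI config and flag accept policies that deserve review.

Added example; not part of the 4D-Demo repository. The parser follows the
`config ... edit ... set ... next ... end` nesting used by the hub config
above. `audit_policies` reports accept policies with no `logtraffic` line
(FortiOS then defaults to utm, logging only security-profile events rather
than every session) and policies whose srcaddr and dstaddr are both `all`.
"""
import shlex

# Constructed excerpt: policies 4 and 5 of the dual-hub HUB2 config above.
SAMPLE_CONFIG = """\
config firewall policy
    edit 4
        set name "Health Check Access"
        set srcintf "VPN1" "VPN2"
        set dstintf "HUB-Lo"
        set action accept
        set srcaddr "ACME_Loopback"
        set dstaddr "ACME_Loopback"
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set name "Peering"
        set srcintf "VPN1" "VPN2"
        set dstintf "BGP-Lo"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "PING" "BGP"
    next
end
"""


def parse_fortios(text):
    """Build a tree of nodes {kind, name, settings, children} from CLI text."""
    root = {"kind": "root", "name": "", "settings": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # honours the quoted names FortiOS emits
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            node = {"kind": cmd, "name": " ".join(args), "settings": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif cmd == "set" and args:
            stack[-1]["settings"][args[0]] = args[1:]
        elif cmd == "unset" and args:
            stack[-1]["settings"].pop(args[0], None)
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()  # 'next' closes an edit, 'end' closes a config block
    return root


def audit_policies(root):
    """Return (policy_id, reason) pairs for accept policies worth a review."""
    findings = []
    for section in root["children"]:
        if section["kind"] != "config" or section["name"] != "firewall policy":
            continue
        for policy in section["children"]:
            s = policy["settings"]
            if s.get("action") != ["accept"]:  # unset action means deny
                continue
            if "logtraffic" not in s:
                findings.append((policy["name"], "no logtraffic setting"))
            if s.get("srcaddr") == ["all"] and s.get("dstaddr") == ["all"]:
                findings.append((policy["name"], "srcaddr and dstaddr are both all"))
    return findings


if __name__ == "__main__":
    for policy_id, reason in audit_policies(parse_fortios(SAMPLE_CONFIG)):
        print(f"policy {policy_id}: {reason}")
```

Run it against a full `show full-configuration` export to see every accept policy that would leave no session log behind.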
/4D-SDWAN/7.6/Dual hub/README.md:
--------------------------------------------------------------------------------
# SD-WAN Dual Hub

This directory contains configuration to enable SD-WAN for two hubs and two spokes using dynamic BGP on loopback with ADVPN 2.0.

In addition to the configuration files, topology diagrams are provided in .png format, and in .drawio format should you wish to edit or build upon the given topology.

# Topology

### Underlay
This diagram shows the physical ports used by the topologies, as well as some key IP addresses and networks.
![Dual hub branch underlay](./DH_SD_Underlay_76.png?raw=true "Underlay")

### IPsec Overlay
This is the first step of the overlay, showing the IPsec VPN tunnels that are established over the underlay. The diagram associates the tunnel paths with the naming convention.
![Dual hub branch overlay IPsec](./DH_SD_IPSec_76.png?raw=true "IPsec Overlay")

### BGP Overlay
This topology builds on the IPsec overlay topology to show how BGP settings on the hub and branch devices are selected.
![Dual hub branch overlay BGP](./DH_SD_bgp_76.png?raw=true "BGP Overlay")

--------------------------------------------------------------------------------
/4D-Switching/README.md:
--------------------------------------------------------------------------------
# LAN Edge demonstration configurations (4-D)

4-D Demo configurations are a collection of configurations which complement the preceding 3 Ds: Define, Design, and Deploy. The sample configurations can be used as a template to build your own LAN Edge solution, or as a reference during your deployment.

It is recommended to first review the [LAN Edge Deployment Guide](https://docs.fortinet.com/document/fortiswitch/7.0.0/lan-edge-deployment-guide/397092/introduction) found in the [Switching 4-D Resource hub](https://docs.fortinet.com/4d-resources/Switching) before proceeding further.

Additionally, head to the [Secure Access Solution Hub](https://docs.fortinet.com/secure-access) for more extensive links to documentation related to Switching and Wireless.

# Overview

The primary goal of the **LAN Edge** is to provide Security-Driven Networking by extending the Fortinet Security Fabric throughout the LAN, converging security and network access into an integrated platform. This is accomplished by integrating the FortiAP and FortiSwitch into FortiGate's management via the Wireless and Switch controller.

The following topology illustrates an environment where multiple Fortinet products are deployed.

Required:
- FortiGate 7.0 and above
- FortiSwitch ([*Compatible version*](https://docs.fortinet.com/document/fortiswitch/latest/fortilink-compatibility))
- FortiAP ([*Compatible version*](https://docs.fortinet.com/document/fortiap/latest/fortiap-and-fortios-compatibility-matrix/495193/))

## Topology
![LAN Edge Demo Topology](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/b8d79243-885d-11ec-9fd1-fa163e15d75b/images/c52adce07500f12ad7514dd269982a79_LANedgeExample.png "LAN Edge Demo Topology")

# How to
The sample configuration is based in large part on the example provided in the [LAN Edge Deployment Guide](https://docs.fortinet.com/document/fortiswitch/7.0.0/lan-edge-deployment-guide/397092/introduction). You can follow the [deployment procedures](https://docs.fortinet.com/document/fortiswitch/7.0.0/lan-edge-deployment-guide/720231/deployment-procedures) step by step to configure a LAN Edge in your environment, or you can use the configuration snippets in the sample configuration to quickly launch your environment.

Download the sample configuration [LAN-Edge-demo-config.txt](./LAN-Edge-demo-config.txt). Examine the file and adapt the settings to your environment.

- This sample file is split into multiple sections. Each section contains command line settings and debugs.
- The configuration snippets correspond to the IP addressing in the topology diagram above. Modify names, addresses, ports and other references to fit your environment
- The configuration snippets can be copied and pasted directly into the FortiGate CLI
- Use the command line debug commands to verify and confirm your deployment

The following summarizes the goal of each section.

### 1. Configure FortiLink and authorize the FortiSwitch unit
- (*Optional*) If your desktop model FortiGate does not have dedicated FortiLink ports, remove two of the LAN ports from the LAN interface to be used in the FortiLink interface
- Configure two interfaces to be the dedicated FortiLink aggregate interface
- Physically connect the FortiSwitch to the FortiGate. Verify that the FortiSwitch is automatically authorized

### 2. Create VLANs and firewall policies for wired devices
- Create two internal VLANs, VLAN100 and VLAN200, both with Internet access and routing between them allowed
- Internal VLANs can be used for different departments, different types of devices or other use cases defined by the customer
- More VLANs can also be added in this step

### 3. Set up NAC and create NAC policies
- When FortiLink is configured, NAC VLANs are created according to the switch-controller.initial-config.template settings
- These VLANs are automatically created: *onboarding, nac_segment, video, voice, rspan and quarantine*
- By default, onboarding is configured as the onboarding VLAN
- NAC policies can be configured to automatically segment devices into separate VLANs based on device type, family, OS, MAC address mask, etc.
- In this example, devices in the onboarding VLAN do not get any network access
- Access is allowed once NAC policies place devices into either *VLAN100* or *VLAN200*
- One use case may place all user devices on *VLAN100* and IoT devices on *VLAN200*. Another use case may place user and IoT devices in *VLAN100* and servers on *VLAN200*
- Our example demonstrates a NAC policy which matches a device by MAC address and assigns it to *VLAN100*

### 4. Assign FortiSwitch ports to static VLANs and NAC
- FortiSwitch ports can function in static mode, port policy mode or NAC mode.
- Our topology puts port2 in NAC mode, port3 and port4 in static mode with VLAN100, and port5 and port6 in static mode with VLAN200

### 5. Deploy WiFi
- Prepare an AP VLAN (*VLAN-AP*) to create security isolation between the AP management (control channel) and user traffic (data channel)
- Assign the VLAN-AP to a FortiSwitch port
- Connect the FortiAP to the FortiSwitch
- Create an SSID in tunnel mode
- Configure a firewall policy to allow access

# Disclaimers

These configurations are for a basic LAN Edge deployment on the primary components of the solution, based on *FortiOS 7.0.3*, *FortiSwitch 6.4.4* and *FortiAP 6.4.4*. While the configurations will be compatible with newer builds, extra caution should be taken when installing these settings on earlier builds. Review the [FortiLink compatibility matrix](https://docs.fortinet.com/document/fortiswitch/latest/fortilink-compatibility "FortiLink Compatibility") and [FortiAP compatibility matrix](https://docs.fortinet.com/document/fortiap/latest/fortiap-and-fortios-compatibility-matrix/495193/ "FortiAP compatibility") for more information.

Further design considerations should be taken by reviewing the [LAN Edge Deployment Guide](https://docs.fortinet.com/document/fortiswitch/7.0.0/lan-edge-deployment-guide/823484/design-overview "Design overview"). Design decisions may include:

- FortiGate/FortiSwitch/FortiAP sizing
  - How many endpoint devices require wired and wireless access?
  - What model and how many devices to deploy?
- LAN segmentation
  - How many VLANs are needed?
  - How to group devices into VLANs? By department? By device type?
  - When to use static mode vs NAC mode
  - Is inter-VLAN access allowed?
  - Access levels for the onboarding VLAN vs traffic VLANs
  - Is port authentication needed?
- WiFi connectivity
  - Tunnel mode vs bridge mode
  - Wireless mode and channel planning
  - Authentication method: WPA2-Personal, WPA2-Enterprise, WPA3-Personal, WPA3-Enterprise
  - Guest access

Please consult further documentation available from the [Secure Access Solution Hub](https://docs.fortinet.com/secure-access) for reference.

--------------------------------------------------------------------------------
/4D-ZTNA/README.md:
--------------------------------------------------------------------------------
# ZTNA demonstration configurations (4-D)

4-D Demo configurations are a collection of configurations which complement the preceding 3 Ds: Define, Design, and Deploy. The sample configurations can be used as a template to build your own ZTNA solution, or as a reference during your deployment.

It is recommended to first review the [ZTNA Architecture Guide](https://docs.fortinet.com/document/fortigate/7.0.0/ztna-architecture/800134/introduction) and [ZTNA Deployment Guide](https://docs.fortinet.com/document/fortigate/7.0.0/ztna-deployment/813800/introduction) found in the [ZTNA 4-D Resource hub](https://docs.fortinet.com/4d-resources/ZTNA) before proceeding further.

Additionally, head to the [ZTNA Solution Hub](https://docs.fortinet.com/ztna) for more extensive links to documentation related to ZTNA.

# Overview

The primary goal of **Zero Trust Network Access (ZTNA)** is to allow an organization to provide remote access to protected resources while granting user access based on the authenticity of the client, its security posture and user authentication. This is accomplished by synchronizing information about the endpoints between the FortiClient, FortiClient EMS and the FortiGate.

The following topology illustrates an environment where multiple Fortinet products are deployed.

Required:
- FortiClient 7.0 and above
- FortiClient EMS 7.0 and above
- FortiGate 7.0 and above

Optional:
- FortiAnalyzer
- FortiAuthenticator

While FortiAnalyzer and FortiAuthenticator are optional, these devices are recommended in larger deployments where centralized logging, monitoring, reporting and authentication are desired.

## Topology
![ZTNA Demo Topology](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/8ddfc8d2-9b21-11ec-9fd1-fa163e15d75b/images/49d98988a19e8978bb0553e80a3c331d_deployment_topo.png "ZTNA Demo Topology")

# How to
The sample configuration is based in large part on the example provided in the [ZTNA Deployment Guide](https://docs.fortinet.com/document/fortigate/7.0.0/ztna-deployment/813800/introduction). You can follow the [deployment procedures](https://docs.fortinet.com/document/fortigate/7.0.0/ztna-deployment/260520/deployment-procedures) step by step to configure ZTNA in your environment, or you can use the configuration snippets in the sample configuration to quickly launch your environment.

Download the sample configuration [ZTNA-demo-config.txt](./ZTNA-demo-config.txt). Examine the file and adapt the settings to your environment.

- This sample file is split into multiple sections. Each section contains command line settings and debugs.
- The configuration snippets correspond to the IP addressing in the topology diagram above. Modify names, addresses, ports and other references to fit your environment
- The configuration snippets can be copied and pasted directly into the FortiGate CLI
- Use the command line debug commands to verify and confirm your deployment
- Configuration of FortiClient EMS must be done in the GUI

The following summarizes the goal of each section.

### 1. Configuring the FortiClient EMS Fabric connector
- Establish a connection between the FortiGate and FortiClient EMS
- Verify the connection

### 2. Verify tags are synchronized
- On the FortiClient EMS, configure ZTNA tags and rules per the instructions in [Configuring FortiClient EMS tags and rules](https://docs.fortinet.com/document/fortigate/7.0.0/ztna-deployment/16635/configuring-forticlient-ems-tags-and-rules)
- Verify that the tags are synchronized to the FortiGate

### 3. Configure a ZTNA server to map to web servers using the HTTPS access proxy
- Define the VIP and HTTPS access proxy server settings
- Map services to Webserver1 and Webserver2

### 4. Configure a ZTNA TCP forwarding access proxy for RDP and SSH
- Define another VIP and the TCP forwarding access proxy server settings
- Map services to the EMS server and the FortiAnalyzer

### 5. Configure the authentication scheme and policy for user authentication
- Define the LDAP server connection to the Windows server. In this example, it is also configured as the EMS server
- Define the user group and directory that is allowed access
- Define the authentication method and the devices that the authentication scheme should apply to

### 6. Configure ZTNA rules to control access
- Define the actual ZTNA rules to allow and deny access based on user authentication and security posture

### 7. Configure ZTNA connection rules on FortiClient EMS for any TCP forwarding access proxy traffic
- Define the ZTNA connection rules that will be pushed to each FortiClient endpoint. These rules are used for accessing services mapped by the TCP forwarding access proxy

### 8. Connecting to the ZTNA access proxy
- Once a client endpoint registers and connects to the ZTNA access proxy, verify connectivity using the various debugs and logs

# Disclaimers

These configurations are for a basic ZTNA deployment on the primary components of the solution, based on *FortiOS 7.0.5* and *FortiClient EMS 7.0.2*. While the configurations will be compatible with newer builds, extra caution should be taken when installing these settings on earlier builds.

Further design considerations should be taken by reviewing the [ZTNA Architecture Guide](https://docs.fortinet.com/document/fortigate/7.0.0/ztna-architecture/800134/introduction) and [ZTNA Deployment Guide](https://docs.fortinet.com/document/fortigate/7.0.0/ztna-deployment/813800/introduction). Design decisions may include:

- How the FortiClient EMS is exposed for registration from local and remote FortiClient endpoints
- How the FortiClient software should be installed on the endpoint devices
- Which services to expose via the HTTPS access proxy and which via the TCP forwarding access proxy
- What authentication method should be used
- Which users/user groups are granted access to which resources
- IP addressing for public and private resources
- Migration plan from VPN-based teleworking to ZTNA-based remote access

Please consult further documentation available from the [ZTNA solution hub](https://docs.fortinet.com/ztna) for reference.

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
Copyright 2021 Fortinet Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# SD-WAN demonstration configurations (4-D)

4-D Demo configurations are a collection of configurations which complement the preceding 3 Ds: Define, Design, and Deploy. Demo configurations are provided for:

- [SD-WAN](https://github.com/fortinet/4D-Demo/tree/main/4D-SDWAN)
- [Switching](https://github.com/fortinet/4D-Demo/tree/main/4D-Switching)
- Wireless (Coming)
- [ZTNA](https://github.com/fortinet/4D-Demo/tree/main/4D-ZTNA)
- [SD-Branch](https://github.com/fortinet/4D-Demo/tree/main/SD-Branch)
- [NGFW](https://github.com/fortinet/4D-Demo/tree/main/4D-NGFW)

# Overview

The configurations provided are example configurations that demonstrate some of the functionality of the given feature. The configurations are not exhaustive, and may need to be changed to meet your business requirements. The intention of these configurations is to provide a reference for implementation.

# How to

Review the readme file for the topic, as implementation of the configuration may differ. Each configuration will also require changes to match your deployment or environment.

Note that the configurations provided are intended to highlight that particular feature or topic and do not include the configuration necessary to completely secure your business.

--------------------------------------------------------------------------------
/SD-Branch/README.md:
--------------------------------------------------------------------------------
# SD-Branch demonstration configuration (4-D)

4-D Demo configurations are a collection of configurations which complement the preceding 3 Ds: Define, Design, and Deploy. This configuration is an example of what an SD-Branch implementation might look like.

For further details on SD-Branch features and deployment methods, such as using FortiManager to manage your configuration and deployment, please see the [SD-WAN section](https://docs.fortinet.com/sdwan/7.0) of our document library.

# Overview
This directory contains configuration to enable SD-WAN and to configure a switch and AP for branch LAN access. This configuration complements the [SD-Branch deployment guide](https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-sd-branch-deployment-guide/643203/introduction).

# Topology
![SD-Branch](./SD-Branch_Deployment_Guide_topology_intro.png?raw=true "SD-Branch")

# How to
Review the assumptions section and make the necessary changes to the configuration to match your deployment.

Install the updated configuration file on your branch.

You will need to configure 2 IPsec tunnels on your hub(s) to match the branch configuration.

# Assumptions
The following configuration requires edits to fit your environment. These include, but are not limited to:

- The WAN ports used are defined as "wan1" and "wan2".
- They are configured to use DHCP.
- FortiLink ports are "a" and "b".
- FortiLink uses a network of 11.255.1.0/24.
- AP management network of 10.190.190.0/24.
- Passphrase for Guest_WIFI and Staff_WIFI is set to "fortinet".
- Guest WIFI network is 10.111.0.1/24.
- Both IPsec tunnels use the PSK "fortinet".
- The managed switch serial number will need to be adjusted to match your switch.
- Switch ports may need to be adjusted if the model is different.
- Switch port VLANs may need to be changed to suit your needs.
- The managed AP serial number will need to be adjusted to match your AP.

# Disclaimers

These configurations are for SD-Branch and related aspects, such as policies, address objects, BGP and IPsec. This configuration alone does not provide sufficient security for a given location. Please review the [FortiGate Best Practices](https://docs.fortinet.com/document/fortigate/7.0.0/best-practices/587898/getting-started) and [FortiGate Admin Guide](https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/954635/getting-started) to complement this deployment.

Underlay routing is assumed to be present. No consideration is given to branch internet reachability. It is assumed that the branch has full internet connectivity and public IP addresses.

--------------------------------------------------------------------------------
/SD-Branch/SD-Branch_Deployment_Guide_topology_intro.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fortinet/4D-Demo/671b839b9931aa8ccd5930bbb5bdf7f5e8f89e70/SD-Branch/SD-Branch_Deployment_Guide_topology_intro.png
--------------------------------------------------------------------------------