Lab Guide

Index: 1.0
Use Case: Introduction
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Fast Track Workshops:

Constructing a Secure SD-WAN Architecture Lab

In this Fast Track, you implement SD-WAN via FortiManager using the SD-WAN Overlay
Templates. You also implement a standalone SD-WAN directly in FortiOS. This second use case
is for companies that do not have a FortiManager.
Index: 1.0 (a)
Use Case: Introduction
Objective Title: Fast Track Workshop
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Fast Tracks are free, instructor-led, hands-on workshops that introduce Fortinet solutions for
securing your digital infrastructure. These workshops are only an introduction to what Fortinet
security solutions can do for your organization.

For more in-depth training, we encourage you to investigate our full portfolio of NSE training
courses at https://training.fortinet.com.
Index: 1.0 (b)
Use Case: Introduction
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Network Topology
The lab environment represents a fictional company, AcmeCorp. It has a headquarters (HQ)
data center and two branch offices (Branch 1 and Branch 2). Previously, AcmeCorp backhauled
all internet traffic from the branch offices to HQ for processing. Now, with cloud-based
services growing and leased lines becoming more expensive, AcmeCorp is deploying FortiGate
devices at the branch offices to allow direct connectivity to the internet, and is using
internet service provider (ISP) links to augment the multiprotocol label switching (MPLS)
leased line to HQ.

A FortiManager and a FortiVoice appliance are installed in the HQ data center. The FortiFone
softphone is also installed on all of the workstations.
Index: 1.0 (c)
Use Case: Introduction
Objective Title: Agenda
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Agenda

Topic                                                          Time
Lab 1  Introduction – Topology and Agenda                      2 minutes
Lab 2  Configuring SD-WAN via FortiManager Overlay Templates   30 minutes
Lab 3  Configuring a Standalone SD-WAN                         30 minutes
Index: 2.0
Use Case: SD-WAN Overlay Templates
Objective Title: New Objective
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

SD-WAN Overlay Template


Most SD-WAN deployments require complex overlay configurations for datacenter or cloud
connectivity. FortiManager 7.2.0 includes an SD-WAN overlay template with a wizard to
automate and simplify the process using Fortinet's recommended IPsec and BGP templates.
In this exercise, you deploy SD-WAN to the branch devices using the SD-WAN Overlay
Template.

Time to Complete: 20 minutes


Index: 2.0 (a)
Use Case: SD-WAN Overlay Templates
Objective Title: Create New Overlay Template
Points: 25
----------------------- Objective Section -----------------------
Objective Text:

Background

As stated above, starting with FortiManager 7.2.0, an SD-WAN overlay template was added
which includes a wizard to automate and simplify the process of deploying SD-WAN to multiple
devices.
The Overlay Template wizard is used to collect information with which FortiManager will create
other provisioning templates. It is these other templates that will actually be deployed to the
end devices, not the overlay template itself.

Tasks

For this objective, we will be working on the FortiManager. From the Lab Activity tab, click
FortiManager in the side bar lab menu, then select HTTPS to connect to the FortiManager.
Log in using the following credentials:
Username: admin Password: Fortinet1!

Review current templates

Before you create a new Overlay template, first review the current state of the provisioning
templates.

1. In the left pane, expand Device Manager, and select Provisioning Templates
2. Click on each of the following template categories, and note that either no templates or
only default templates exist.
 Template Groups
 IPsec Tunnel Templates
 SD-WAN Templates
 BGP Templates

Create new Overlay Template

1. Click SD-WAN Overlay, then click Create New


2. Enter Acmecorp_Overlay in the name field.

3. Leave the topology at Single HUB.


7. Click Next.

8. Select FGT-HQ from the Standalone HUB dropdown menu.


9. Select Acmecorp_branches from the Device Group Assignment dropdown menu.

10. Click Next.

11. For the Standalone HUB:

a. For WAN Underlay 1, enter port6.
b. For WAN Underlay 2, enter port8 and check Private Link.

In the HUB section above, because there is only one hub, we referenced the underlay
interfaces directly. However, since we are potentially dealing with multiple branch offices,
and it is very likely that not all of the FortiGates use the same ports to connect to the MPLS
and ISP lines, we will use MetaData Variables to identify the ports.

12. For the Device Branch Group:

a. For WAN Underlay 1, enter ‘$’ and select (ISP1_int) from the list.
b. For WAN Underlay 2, enter ‘$’ and select (MPLS_int) from the list, then check Private Link.

Note: Selecting Private Link tells FortiManager to make that interface available as a
member interface in the SD-WAN template, but not to create an IPsec overlay on that
interface. Traffic steered to a private-link member is therefore not encrypted by the
SD-WAN overlay; it relies on the separation provided by the MPLS carrier.

13. Click Next

14. Enable Add Overlay Objects to SD-WAN Template.

Note: because there are no SD-WAN templates yet, you will need to create one.
15. Click the ‘+’ button to the right to add a new SD-WAN template

16. In the Create new SD-WAN Template window, enter Acmecorp_SD-WAN_Template in
the name field.
17. Leave all other settings at their defaults, and click OK.
Note: you will edit the SD-WAN template at a later step.

18. Enable Add Overlay Interfaces and Zones.


19. Leave the Healthcheck and Normalize Interfaces options disabled.

20. Click Next


21. Review the settings and click Finish.
Index: 2.0 (b)
Use Case: SD-WAN Overlay Templates
Objective Title: Inspect Autocreated Templates
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

FortiManager used the information you provided in the SD-WAN Overlay Template and created
several other templates automatically.

Tasks

In this objective you inspect these auto-created templates.

Examine Auto-created templates

1. Expand Provisioning Templates in the left pane.


2. Click on each of the following template categories, and note the templates that
FortiManager has created for you
 Template Groups
 IPsec Tunnel Templates
 SD-WAN Templates
 BGP Templates

The Auto-created templates will be named based on the name provided for the Overlay
template. Note also that there are templates for the HUB devices and a separate set of
templates for the branch devices.
The templates are then grouped in the Template Group section for ease of deployment.
Index: 2.0 (c)
Use Case: SD-WAN Overlay Templates
Objective Title: Edit SD-WAN Template
Points: 50
----------------------- Objective Section -----------------------
Objective Text:

Background

The only information the SD-WAN Overlay Template received was which interfaces to include
and which IPsec tunnels to create. It was given no gateway information and no SD-WAN rules
to apply.

Tasks

In this objective you edit the SD-WAN template created by the SD-WAN Overlay Template
wizard to add the information that was not provided at that time.

Use the following steps to edit the SD-WAN Template.

Interface Members

1. Select the SD-WAN templates tab.


2. Select the Acmecorp_SD-WAN_Template and click Edit.
3. In the Interface Members section, under WAN1 select $(ISP1_int) and click Edit
4. Enter ‘$’ in the Gateway IP field, then select (ISP1_gw) from the list.

5. Click OK.

6. Under WAN2, select and edit $(MPLS_int) and add (MPLS_gw) to the Gateway IP field.
7. Click OK.

8. Edit HUB1-VPN1 and set Cost to 10.

9. Click OK.

Performance SLA

1. In the Performance SLA section, since we are not going to use any of the default SLAs in this
exercise, delete all of them to clean things up.
2. Click Create New.
3. Set Name to HQ_SLA.
4. Leave Protocol set to PING.
5. Enter 10.10.30.2 in the Server field
6. For Participants, select Specify, and add both $(MPLS_int) and HUB1-VPN1 as members.
7. Click OK.
8. Click Add Target.
9. Enter 15 for each threshold.
10. Click OK to save the SLA settings.

SD-WAN Rule for Traffic between Branch Offices

1. Click Create New in the SD-WAN Rules section.


2. Set Name as Branch_to_Branch.
3. Set Source Address to Branch_Networks.
4. Set Destination Address to Branch_Networks.
5. Set Outgoing Interface Strategy to Manual.
6. For Interface Preference, select HUB1-VPN1.
7. Click OK to complete the rule.

SD-WAN Rule for HQ Traffic

This rule will guide all traffic intended for the main office (FGT-HQ) through the MPLS link,
while using the VPN as a backup in the event the MPLS link goes down.

1. Click Create New in the SD-WAN Rules section.


2. Set Name as HQ_Traffic.
3. Set Source Address to all.
4. Set Destination Address to HQ_Networks.
5. Set Outgoing Interface Strategy to Lowest Cost (SLA).
6. For Interface Preference, select HUB1-VPN1 and $(MPLS_int), in that order. (Listing the
higher-cost tunnel first is only to help demonstrate how the Lowest Cost option works.)

7. Set Required SLA Target to HQ_SLA#1.


Note: When the strategy option is set to Lowest Cost (SLA), the system will evaluate the
interfaces listed in the Interface Preference section. If all the interfaces satisfy the SLA (or
none of the links satisfy the SLA), the link with the lowest cost will be selected. If the
interfaces have the same cost value, then the interface will be selected based on the
preferred order, even if that link is technically not the best quality link.
For the purposes of this lab, make sure that HUB1-VPN1 is displayed above the $(MPLS_int)
interface. This will help show how the Lowest Cost strategy works.

8. Click OK to complete the rule.


SD-WAN Rule for Internet Traffic

This rule will direct any traffic not intended for HQ to the ISP_1 interface, allowing direct
internet access.

1. Click Create New again in the SD-WAN Rules section.


2. Set Name as Internet.
3. Set Source Address and Destination Address to all.
Note: You can create rules for specific applications or internet services (for example,
Microsoft Office 365, Salesforce, Microsoft Teams, Amazon, or Dropbox) but for the
purposes of this lab, we will simply set the destination to ‘all’

4. Set Outgoing Interface Strategy to Manual.


5. For Interface Preference, select $(ISP1_int).

6. Click OK.
7. Click OK again to complete the SD-WAN template.
Index: 2.0 (d)
Use Case: SD-WAN Overlay Templates
Objective Title: Push configurations to devices
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
Now that you have configured the SD-WAN templates, you can use the Install Wizard to push the
template to the FortiGate devices.

Task
Your goal for this objective is to install the SD-WAN templates on the FortiGate devices.

Push the configurations to Devices


1. Click Install Wizard.

2. When the wizard opens, confirm that Install Device Settings (only) is selected and click
Next.

3. Confirm that all three FortiGates are selected and click Next.
4. When prompted, click Install.
5. When the installation is finished, click Finish.
Index: 2.0 (e)
Use Case: SD-WAN Overlay Templates
Objective Title: Edit Static Routes
Points: 15
----------------------- Objective Section -----------------------
Objective Text:

Background

Now that you have the basic SD-WAN configurations done and installed on the devices, you still
need to alter the default route to use the SD-WAN virtual interface on the two branch FortiGate
devices.

Tasks
In this exercise, you edit the default route on the branch devices to use the SD-WAN virtual
interface as the egress interface.

Edit the Default Route

1. Navigate to Device Manager > Devices & Groups.


2. Select FGT-BR1 from the center pane.
3. Select Static routes from the Network drop down menu.

4. Select the default route (Destination: 0.0.0.0/0.0.0.0, Gateway: 10.100.0.101,
Interface: port5 (MPLS)) and click Edit.

5. Change Interface option to WAN1, WAN2, and HUB1.


6. Click OK, and click OK again to save the static route.

7. Select FGT-BR2 and repeat steps 4 through 6 to edit its default route to use WAN1, WAN2,
and HUB1.

8. Select FGT-HQ and Create New > Static Route.


9. Select VPN1 in the Interface field.
10. Set Administrative Distance to 250.
11. Click OK.

Push Policies

1. Click Install Wizard.

2. When the wizard opens, confirm Install Device Settings (only) is selected and click Next.

3. Confirm that all three FortiGates are selected and click Next.
4. When prompted, click Install.
5. When the installation is finished, click Finish.
Index: 2.0 (f)
Use Case: SD-WAN Overlay Templates
Objective Title: Examining the Configurations
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Examining the Configurations


Task
In this objective, you will have a look at the settings that FortiManager pushed out to the FortiGates.

Verify configurations pushed to FGT-BR1


1. Return to Lab Activity tab, click on FGT-BR1 on the sidebar menu, and select the HTTPS
option.
Username: admin Password: Fortinet1!

2. You are presented with a warning that this FortiGate is managed by FortiManager. Select
Login Read-Only.

3. Click Dashboard > Network. Notice that the IPsec widget lists the HUB1-VPN1 tunnel and
there are 12 routes in the Routing widget.
4. Click on the Routing widget to inspect the routes.

SD-WAN settings
1. Click Network > SD-WAN.
2. Expand the zones to display the member interfaces.

3. Click the SD-WAN Rules tab


4. Review the three rules that you created.

NOTE: The checkmark next to the interface member indicates which interface the rule is
currently favoring to pass traffic through. In the above screenshot, note that any traffic
destined to HQ will use the MPLS line, even though the HUB1-VPN1 member interface is
first in the list. This is because we gave the HUB1-VPN1 member a higher cost (10) than the
MPLS interface member. As long as the MPLS member satisfies the SLA, it will be the preferred
interface. HUB1-VPN1 is only used as a backup for this traffic.

Generate traffic

1. Return to the Lab Activity tab and click on Bob (in Finance), then select the RDP option
to access Bob’s workstation.

2. Open FortiFone.
3. Likewise, click on Carol (under the Branch 1 section) then select RDP to access her
workstation.

4. Open Terminal and ping 172.16.100.135.


5. After a few pings, press Ctrl C and then ping 8.8.8.8.
6. Open FortiFone.

7. Dial 5051 and click the green phone button.


8. Return to the browser tab for Bob’s workstation.
9. Click on the green phone icon to answer the phone.

10. Return to FGT-BR1 and Click Dashboard > FortiView Sessions.


11. Right-click one of the column headings.
12. Deselect the following to clean things up:

Device

Source Port

Destination Port

Bytes

Packets

Duration

NPU Accelerated
13. Select Destination Interface and Source Interface.
14. Click Apply.
15. Notice that the ping (ICMP) to 172.16.100.135 and the softphone (both traffic going
back to the HQ ) are directed through the MPLS interface, and the ping to 8.8.8.8 (internet)
is going out the local internet breakout.

Note: Other applications on the Ubuntu device may also be generating internet traffic.

When you click Continue on the FortiFIED app, the MPLS network will be disabled to simulate a
failure and cause the SD-WAN rule to fail over to the other link.
Index: 2.0 (g)
Use Case: SD-WAN Overlay Templates
Objective Title: Verify Failover
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Verify the Failover

Background
A failure in the MPLS line was simulated in order to see the SD-WAN automatically fail over to
the HUB1-VPN1 interface, which in this scenario acts as the backup to the MPLS line.

Task
1. Return to the FGT-BR1 browser tab.
2. Click Network > SD-WAN > SD-WAN Rules.

3. Confirm that the rules are now directing traffic to HQ via the HUB1-VPN1 tunnel.
Note: you may have to refresh the page

4. Return to Carol’s Workstation tab.


5. Open Terminal and ping 172.16.100.135.
6. After a few pings, press Ctrl C and now ping 8.8.8.8.
7. Notice that the softphone is still connected.
8. Return to FGT-BR1 browser tab
9. Click Dashboard > FortiView Sessions.

10. Refresh the page. ( button at top right)


Note: You may need to reset the column headings.
11. Now traffic to HQ is going through the HUB1-VPN1 tunnel.

When you click Continue on the FortiFIED app, the MPLS network will be re-enabled and cause
the SD-WAN rule to once again favor the MPLS link.
Index: 2.0 (h)
Use Case: SD-WAN Overlay Templates
Objective Title: Verify the Return to MPLS
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
In the previous objective, a failure in the MPLS line was simulated in order to see the SD-WAN
automatically fail over to the HUB1-VPN1 interface, which in this scenario acts as the backup
to the MPLS line. The MPLS link has now been repaired, and the SD-WAN rule will once again
favor the MPLS link.

Task
1. Return to the FGT-BR1 browser tab.
2. Click Network > SD-WAN > SD-WAN Rules.

Note that the rule still favors the HUB1-VPN1 link.

3. Click the Performance SLAs tab.


As you can see in the screenshot above, the MPLS link doesn’t yet meet the SLA thresholds.

4. Refresh the browser page every few seconds until the MPLS link meets the SLA
requirements.

5. Return to the SD-WAN Rules tab.

Note that the MPLS link is now the favored link again.
Index: 3.0
Use Case: Standalone SD-WAN via FortiOS
Objective Title: Standalone SD-WAN via FortiOS
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Standalone SD-WAN via FortiOS

In this scenario, AcmeCorp is a small company with a few offices, and they want to use SD-WAN
at their branches. However, they don't have a FortiManager. Currently, all internet traffic from
the branches is backhauled through HQ using an MPLS leased line for processing.

AcmeCorp wants to use FortiGate devices at the branches to implement SD-WAN. This will
reduce traffic on the MPLS leased line, provide a backup for it, and allow internet traffic to go
directly from the branch FortiGate.

You will configure an IPsec tunnel between the branch office and HQ, and set up SD-WAN
directly on the FortiOS device at the branch office. Additionally, you will create an SD-WAN
zone to control local internet access.
Index: 3.0 (a)
Use Case: Standalone SD-WAN via FortiOS
Objective Title: SD-WAN and IPsec VPN Tunnels
Points: 25
----------------------- Objective Section -----------------------
Objective Text:

SD-WAN and IPsec VPN Tunnels

Background:
AcmeCorp is implementing Secure SD-WAN between HQ and the branch offices, to ensure that
important traffic, such as VoIP, uses the links that provide the best quality. Traffic that
takes the ISP path is secured by an IPsec tunnel, which is itself one of the SD-WAN member
interfaces; the MPLS member is a private link and is not encrypted by that tunnel.
Basic connectivity between Branch 1 and HQ is already configured, and the HQ administrator
has configured the IPsec VPN settings on the HQ FortiGate.

Task:
Your task is to configure SD-WAN directly on the Branch 1 FortiGate. You will create a new
SD-WAN zone and add three interfaces to SD-WAN, one of which will be an IPsec VPN tunnel
that secures traffic between the branch office and HQ over the ISP link. Again, the HQ
configuration has already been done by the HQ administrator.

For this objective, you will be working on the Branch 1 FortiGate. From the Lab Activity tab, click
FGT-BR1 in the side bar lab menu, then select HTTPS to connect to the FortiGate.
You should be logged in automatically; if not, use the following credentials:
Username: admin Password: Fortinet1!

Because the same environment is used for both use cases, and the FortiGates must remain
managed by FortiManager for the Overlay Template exercise, you will get a pop-up warning
that the device is managed by FortiManager.
Log in with Read-Write access, and then click Yes at the next prompt. This does not affect the
lab exercise in any way.

Use the following steps to configure the SD-WAN connections:

1. Navigate to Network > SD-WAN.

2. Create New > SD-WAN Zone

3. In the Name field, enter Internet_Breakout

4. Click OK.

5. Click Create New again, this time select SD-WAN Member.

6. From the Interface drop-down menu, click + VPN.


7. Use the Create IPsec VPN for SD-WAN members window and enter the following:

 Name: HQ_VPN1

 Remote IP Address: 100.65.0.101

 Outgoing Interface: ISP_1 Branch1 (port2)

 Pre-shared Key: Fortinet1!

8. Click Next.

9. Click Create

10. Click Close.


Note: FortiOS takes you to the VPN > IPsec Tunnels page.

11. Return to Network > SD-WAN and select Create New > SD-WAN Member again.

12. Set the following:

 Select HQ_VPN1 from the Interface drop-down list.

 SD-WAN Zone: virtual-wan-link

 Gateway: 0.0.0.0

 Cost: 10

 Priority: 1

13. Click OK.

14. Click Create New > SD-WAN Member again to create the second SD-WAN member.

15. Enter the following settings :

 Interface: MPLS(Port5)

 SD-WAN Zone: virtual-wan-link

 Gateway: 10.100.0.101

 Cost: 0

 Priority: 1
16. Click OK.

17. To create the third SD-WAN member, click Create New > SD-WAN Member

18. Enter the following settings :

 Interface: ISP1 Branch1(port2)

 SD-WAN Zone: Internet_Breakout

 Gateway: 100.65.1.254

 Cost: 0

 Priority: 1

19. Click OK.


Index: 3.0 (b)
Use Case: Standalone SD-WAN via FortiOS
Objective Title: Endpoint Addresses
Points: 15
----------------------- Objective Section -----------------------
Objective Text:

Background:
In the previous objective, you created a VPN tunnel for use in the SD-WAN, but it is not complete yet.
You still need to configure the tunnel endpoint addresses.

Task:
The goal of this objective is to go to Network > Interfaces and add the endpoint address to HQ_VPN1.

For HQ_VPN1, use 10.10.1.2 for the local IP and 10.10.1.1/32 for the remote IP.

Use the following steps to configure the endpoint addresses:

1. Click Network > Interfaces.

2. Expand the ISP 1 Branch 1 (port2) interface.

3. Edit HQ_VPN1.

4. In the Address section, set IP to 10.10.1.2 and Remote IP/Network Mask to 10.10.1.1/32.

5. Click OK.
Index: 3.0 (c)
Use Case: Standalone SD-WAN via FortiOS
Objective Title: Set a Static Route
Points: 15
----------------------- Objective Section -----------------------
Objective Text:

Background:
AcmeCorp wants all traffic that is meant for HQ networks to go through the SD-WAN virtual
interface.

Task:
In order to direct the traffic meant for HQ through the SD-WAN interfaces, you edit the
existing default route so that it uses the SD-WAN zones as its outbound interfaces.

Use the following steps to create a static route:

1. Click Network > Static Routes.

2. Select and Edit the MPLS (port5) entry.

3. For the Interface, select both the Internet_Breakout and virtual-wan-link.

4. Leave the other settings at the default values.

5. Click OK
Index: 3.0 (d)
Use Case: Standalone SD-WAN via FortiOS
Objective Title: Performance SLA
Points: 20
----------------------- Objective Section -----------------------
Objective Text:

Background:
To verify the health and status of the links that make up the virtual SD-WAN link, you configure
a link health monitor, also known as a performance SLA.

Task:
The goal of this objective is to create a performance SLA (HQ_SLA) that validates the links
between this branch office and HQ, by pinging a system located in HQ.
When viewing the Performance SLA tab under Network > SD-WAN, if you select an SLA, the
graph at the top of the page displays the history of the performance of the Packet Loss,
Latency, and Jitter for each of the member interfaces participating in that SLA.
Clicking on Performance SLA updates the numbers shown for the SLA. The graph always shows
live data.

Use the following steps to create a performance SLA:

1. Click Network > SD-WAN

2. Select the Performance SLA tab.

3. Click Create New.


4. Use the following information to complete the form.

Name: HQ_SLA.

Probe mode: Active

Protocol: Ping.

Server: 10.10.30.2

Participants: Specify, HQ_VPN1 and MPLS

SLA Target: Enable

Latency Threshold: 50

Jitter threshold: 50

Packet Loss threshold: 10

Leave the other settings at the default values.


5. Click OK
Index: 3.0 (e)
Use Case: Standalone SD-WAN via FortiOS
Objective Title: SD-WAN Rules
Points: 25
----------------------- Objective Section -----------------------
Objective Text:

Background:
AcmeCorp wants SD-WAN rules such that traffic going to the HQ data center uses the SD-WAN
member that meets the performance SLA at the lowest cost, based on the health check created
in the previous task. Traffic meant for the internet will not be hauled back to HQ, but will
be allowed to reach the internet directly via the ISP of Branch 1.

Task:
In this objective, you create two SD-WAN rules. One will control traffic intended for HQ, and the
other rule will control traffic meant for the internet.

SD-WAN Rule for HQ Traffic

This rule will guide all traffic intended for the main office (FGT-HQ) through the MPLS link,
while using the VPN as a backup in the event the MPLS link goes down.

1. Click Create New in the SD-WAN Rules section.


2. Set Name as HQ_Traffic.
3. Set Source Address to all.
4. Set Destination Address to HQ_Networks.
5. Set Outgoing Interface Strategy to Lowest Cost (SLA).
6. For Interface Preference, select HQ_VPN1 and MPLS(port5). (in that order. This is only
to help demonstrate how the lowest cost option works)
7. Set Required SLA Target to HQ_SLA#1.

Note: When the strategy option is set to Lowest Cost (SLA), the system will evaluate the
interfaces listed in the Interface Preference section. If all the interfaces satisfy the SLA (or
none of the links satisfy the SLA), the link with the lowest cost will be selected. If the
interfaces have the same cost value, then the interface will be selected based on the
preferred order, even if that link is technically not the best quality link.
For the purposes of this lab, make sure that HQ_VPN1 is displayed above the MPLS(port5)
interface. This will help show how the Lowest Cost strategy works.

8. Click OK to complete the rule.


SD-WAN Rule for Internet Traffic

This rule will direct any traffic not intended for HQ to the ISP_1 interface, allowing direct
internet access.

1. Click Create New again in the SD-WAN Rules section.


2. Set Name as Internet.
3. Set Source Address and Destination Address to all.
Note: You can create rules for specific applications or internet services (for example,
Microsoft Office 365, Salesforce, Microsoft Teams, Amazon, or Dropbox) but for the
purposes of this lab, we will simply set the destination to ‘all’

4. Set Outgoing Interface Strategy to Manual.


5. For Interface Preference, select ISP 1 Branch 1(port2).
6. Click OK.
Note: It may take a moment or two for the system to stabilize.
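The following is the FortiOS CLI equivalent of objectives 3.0 (a) through (e) on FGT-BR1. It is an added example, not part of the lab guide; the FortiManager SD-WAN template of objective 2.0 (c) pushes the same structure, with HUB1-VPN1 and the $(ISP1_int)/$(MPLS_int) variables in place of the fixed names. Assumptions not stated on the page: port2 is ISP 1 Branch 1 and port5 is MPLS (as the interface labels suggest), the IKE version and proposal (the VPN wizard's defaults are not shown), the existing default route has sequence number 1, and the HQ_Networks address object already exists. The pre-shared key is left as a placeholder; set it at the CLI rather than committing it to a template or script.

```fortios
# Added example, not from the lab guide. Assumes port2 = ISP 1 Branch 1, port5 = MPLS.
# IKEv2 with AES256/SHA256 is an assumption; the wizard's defaults are not shown on the page.
config vpn ipsec phase1-interface
    edit "HQ_VPN1"
        set interface "port2"
        set ike-version 2
        set proposal aes256-sha256
        set remote-gw 100.65.0.101
        set psksecret <pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "HQ_VPN1"
        set phase1name "HQ_VPN1"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end
# 3.0 (b): tunnel endpoint addresses
config system interface
    edit "HQ_VPN1"
        set ip 10.10.1.2 255.255.255.255
        set remote-ip 10.10.1.1 255.255.255.255
    next
end
# 3.0 (a), (d), (e): zones, members, performance SLA and rules
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "Internet_Breakout"
        next
    end
    config members
        edit 1
            set interface "HQ_VPN1"
            set zone "virtual-wan-link"
            set gateway 0.0.0.0
            set cost 10
            set priority 1
        next
        edit 2
            set interface "port5"
            set zone "virtual-wan-link"
            set gateway 10.100.0.101
            set cost 0
            set priority 1
        next
        edit 3
            set interface "port2"
            set zone "Internet_Breakout"
            set gateway 100.65.1.254
        next
    end
    config health-check
        edit "HQ_SLA"
            set server "10.10.30.2"
            set protocol ping
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 50
                    set jitter-threshold 50
                    set packetloss-threshold 10
                next
            end
        next
    end
    config service
        edit 1
            set name "HQ_Traffic"
            set mode sla
            set src "all"
            set dst "HQ_Networks"
            config sla
                edit "HQ_SLA"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        edit 2
            set name "Internet"
            set mode manual
            set src "all"
            set dst "all"
            set priority-members 3
        next
    end
end
# 3.0 (c): default route now egresses via the SD-WAN zones (route ID 1 is an assumption)
config router static
    edit 1
        unset device
        unset gateway
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link" "Internet_Breakout"
    next
end
```

With `set mode sla`, member 2 (port5, cost 0) wins over member 1 (HQ_VPN1, cost 10) whenever port5 meets SLA target 1, even though member 1 is listed first in priority-members; the preference order only decides ties between members with equal cost. Note also that only rule 1's VPN member is encrypted; the MPLS member carries HQ traffic in the clear.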
Index: 3.0 (f)
Use Case: Standalone SD-WAN via FortiOS
Objective Title: Examining the Configurations
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Examining the Configurations


Task
In this objective, you will have a look at the results of the SD-WAN configuration, and also initiate some
traffic between Branch 1 and HQ.

Verify configurations on FGT-BR1

1. Click Dashboard > Network.

2. Notice that there are widgets for SD-WAN and IPsec. Click on each of them for more details.

3. Click on the Routing widget to inspect the routes.

SD-WAN settings
1. Click Network > SD-WAN.
2. Expand the zones to display the member interfaces.

3. Click the SD-WAN Rules tab

4. Review the three rules that you created.

NOTE: The checkmark next to the interface member indicates which interface the rule is
currently favoring to pass traffic through. In the above screenshot, note that any traffic
destined to HQ will use the MPLS lines, even though the HQ_VPN1 member interface is
first in the list. This is because we gave the HQ_VPN1 member a higher cost than the
MPLS interface member. As long as the MPLS member satisfies the SLA, it will be the
preferred interface. The HQ_VPN1 is only used as backup for this traffic.
5. Click Dashboard > FortiView Sessions.
6. Click the End All Sessions button.
Generate traffic

1. Return to the Lab Activity tab and click on Bob (in Finance), then select the RDP option
to access Bob’s workstation.

2. Open FortiFone.
3. Likewise, click on Carol (under the Branch 1 section) then select RDP to access her
workstation.

4. Open Terminal and ping 172.16.100.135.


5. After a few pings, press Ctrl C and then ping 8.8.8.8.
6. Open FortiFone.

7. Dial 5051 and click the green phone button.


8. Return to the browser tab for Bob’s workstation.
9. Click on the green phone icon to answer the phone.

10. Return to FGT-BR1 and Click Dashboard > FortiView Sessions.


11. Notice that the ping (ICMP) to 172.16.100.135 and the softphone (both traffic going
back to the HQ ) are directed through the MPLS interface, and the ping to 8.8.8.8 (internet)
is going out the local internet breakout.

Note: Other applications on the Ubuntu device may also be generating internet traffic.

When you click Continue on the FortiFIED app, the MPLS network will be disabled to simulate a
failure and cause the SD-WAN rule to fail over to the other link.
Index: 3.0 (g)
Use Case: Standalone SD-WAN via FortiOS
Objective Title: Verify the Failover
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Verify the Failover

Background
A failure in the MPLS line was simulated in order to see the SD-WAN automatically fail over to
the HQ_VPN1 interface, which in this scenario acts as the backup to the MPLS line.

Task
1. Return to the FGT-BR1 browser tab.
2. Click Network > SD-WAN > SD-WAN Rules.

3. Confirm that the rules are now directing traffic to HQ via the HQ_VPN1 tunnel.
Note: you may have to refresh the page

4. Return to Carol’s Workstation tab.


5. Open Terminal and ping 172.16.100.135.
6. After a few pings, press Ctrl C and now ping 8.8.8.8.
7. Notice that the softphone is still connected.
8. Return to FGT-BR1 browser tab
9. Click Dashboard > FortiView Sessions.

10. Refresh the page. ( button at top right)


Note: You may need to reset the column headings.
11. Now traffic to HQ is going through the HQ_VPN1 tunnel.

When you click Continue on the FortiFIED app, the MPLS network will be re-enabled and cause
the SD-WAN rule to once again favor the MPLS link.
Index: 3.0 (h)
Use Case: Standalone SD-WAN via FortiOS
Objective Title: Verify the Return to MPLS
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
In the previous objective, a failure in the MPLS line was simulated in order to see the SD-WAN
automatically fail over to the HQ_VPN1 interface, which in this scenario acts as the backup to
the MPLS line. The MPLS link has now been repaired, and the SD-WAN rule will once again favor
the MPLS link.

Task
1. Return to the FGT-BR1 browser tab.
2. Click Network > SD-WAN > SD-WAN Rules.

Note that the rule still favors the HQ_VPN1 link.

3. Click the Performance SLAs tab.


As you can see in the screenshot above, the MPLS link doesn’t yet meet the SLA thresholds.

4. Refresh the browser page every few seconds until the MPLS link meets the SLA
requirements.

5. Return to the SD-WAN Rules tab.

Note that the MPLS link is now the favored link again.
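The GUI checkmark and Performance SLA graph used in objectives 3.0 (f) through (h) (and in 2.0 (f) through (h), where the tunnel member is HUB1-VPN1) have CLI counterparts that are easier to capture in a ticket or script. The command set below is an added example, not from the lab guide, and assumes FortiOS 7.0 or later syntax (older releases use the `diagnose sys virtual-wan-link` tree). The output field names mentioned in the comments describe what to look for, not the page's own screenshots.

```fortios
# Added example, not from the lab guide. Run on FGT-BR1 before, during and after the
# simulated MPLS outage to see the same state the GUI checkmark shows.

# Per-member probe results for HQ_SLA: state (alive/dead), packet loss, latency, jitter
# and the sla_map bitmask (bit 1 set means SLA target 1 is met). During the outage
# port5 goes to dead; after recovery it returns to alive before its loss/latency/jitter
# drop back under the 10%/50 ms/50 ms targets, which is why the rule lags the link.
diagnose sys sdwan health-check HQ_SLA

# Rule 1 (HQ_Traffic): members are printed in their current selection order, so the
# first one is the egress the GUI marks with a checkmark. Expect port5 while it is
# within SLA (cost 0 beats HQ_VPN1's cost 10 regardless of preference order), and
# HQ_VPN1 during the outage and until port5 is back within SLA.
diagnose sys sdwan service 1

# Member table: zone, gateway, cost and priority as configured in 3.0 (a).
diagnose sys sdwan member

# The default route should reference both SD-WAN zones rather than only port5.
get router info routing-table all

# Confirm the path per flow from the packet path rather than from the rule table:
# verbosity 4 prints the interface for each packet, so the HQ ping and the softphone
# should appear on port5 (HQ_VPN1 during failover) and the 8.8.8.8 ping on port2.
diagnose sniffer packet any "host 172.16.100.135 and icmp" 4 10
diagnose sniffer packet any "host 8.8.8.8 and icmp" 4 10
```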
Index: 4.0
Use Case: Conclusion
Objective Title: End of Session
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

You have successfully completed the Constructing a Secure SD-WAN Architecture Hands-On Lab.

Thank You

To get more information on this or other Fortinet solutions, please consider looking at
Fortinet's NSE training.

Please take a moment to complete our short survey located within web portal tab above.
