Configuring Fortinet SD-WAN

Prerequisite

Fortinet account.

Procedure

  1. Sign into the Fortinet Administrator Portal.

  2. Go to VPN > IPsec Tunnels.

  3. Select Create New > IPsec Tunnel.

  4. Set Template type to Custom.

  5. In the Name field, enter a name for the VPN tunnel.

    Note - The tunnel name cannot include any spaces or exceed 13 characters.

    For example: TO_Cloud_Prim

  6. To set the network settings:

    1. From the Remote Gateway drop-down list, select Dynamic DNS.

    2. In the Dynamic DNS field, enter the FQDN from the Harmony Connect Portal.

      For example: s1-a98dfc4c6e19e5593b87ac42bc8672df.checkpoint.cloud.

    3. From the Interface drop-down list, select an incoming interface to wan1.

  7. Under Authentication:

    1. From the Method drop-down list, select Pre-shared Key.

    2. In the Pre-shared key field, enter the key value from the Harmony Connect Portal.

    3. Under IKE, set Version as 2.

  8. Under Phase 1 Proposal:

    1. From the Encryption drop-down list, select AES256.

    2. From the Authentication drop-down list, select SHA1.

    3. Set Diffie-Hellman Group as 2.

    4. In the Key Lifetime (seconds), enter 86400.

  9. Under Phase 2 Selectors:

    1. In Local Address field, enter the local IP/Network.

      For Example: 172.18.30.0/255.255.255.0.

    2. In Remote Address field, enter 0.0.0.0/0.0.0.0.

  10. Under Phase 2 Proposal:

    1. From the Encryption drop-down list, select AES256.

    2. From the Authentication drop-down list, select SHA1.

    3. Set Enable Replay Detection, Local Port, Remote Port, and Protocol checkboxes as All.

    4. Enable Auto-negotiate checkbox.

    5. From the Key Lifetime drop-down list, select Seconds.

    6. In the Seconds field, enter 3600.

  11. Select OK.

  12. Repeat the steps to create the second tunnel.

  1. Go to Network > Policy Routes and select Policy Route.

  2. In the Incoming interface, select Vlan/Lan.

    For example: lan30.

  3. Under Source Address, enter the IP/Network.

    For example: 172.18.30.0/255.255.255.0.

  4. Under Destination Address, enter the IP/Network value as 0.0.0.0/0.0.0.0.

  5. Set Protocol as Any.

  6. Under Then, set Action as Forward Traffic.

  7. Enable Outgoing interface and select the first VPN Tunnel.

    For example: TO_Cloud_Prim.

  8. In the Gateway address, enter the value 0.0.0.0.

  9. Set Status as Enabled.

  10. Select OK.

  1. Go to Network > Static Routes and select Static Route.

  2. Set the Destination as Subnet.

  3. From the Interface drop-down list, select the first VPN tunnel.

    For example: To_Cloud_Prim

  4. Set the Status as Enabled.

  5. Select OK.

  1. Go to Policy & Objects > Firewall Policy and select New Policy.

  2. In the Name field, enter a policy name.

    For example To_Cloud_Primary

  3. In Incoming Interface, select Vlan/Lan.

    For example lan30.

  4. In Outgoing interface, select the first VPN tunnel.

    For example To_Cloud_Prim.

  5. In Source, select the network address.

    For example: Vlan30.

  6. Set the Destination as All.

  7. Set Schedule as Always.

  8. Set Service as ALL.

  9. Set Action as Accept.

  10. Disable NAT.

  11. Enable Log Allowed Traffic and select All Sessions.

  12. Select Enable this policy.

  13. Select OK.