Rapport PFE SDWAN Nourhen & Mortadha Final Copy - pdf-1

Download as pdf or txt
Download as pdf or txt
You are on page 1of 68

Carthage University

Tunisian Republic
Higher Institute of Applied Sciences
Ministry of Higher Education
and Technology of Mateur.
and Scientific Research

End of studies project


Presented to

The Higher Institute of Applied Sciences and Technology of


Mateur

In order to obtain the Applied License in

Information and Communication Technologies


Specialization: Telecommunications

By
Nourhen Ouhibi & Mortadha Jabari

Implementation of Fortinet SDWAN


solution with security and QoS features

Defended on 15 June 2023 before the jury commission composed of:

Dr. Walid Boudhief Président


Dr. Kais Feltekh Rapporteur
Dr. Hafedh Hrizi Supervisor
M. Hanafi Faycel Professional Supervisor

Academic year 2022-2023


Dedication

I dedicate this work to those who are most dear to me in the world

To my Family

May this work be an expression of my gratitude for the sacrifices you have
made, the moral and material support that you have never ceased to give me.
You have done everything for my happiness and success.

To my teammate Nourhen Ouhibi.


I give you all the gratitude for making this doable. Through this journey you
were hardworking, encouraging and very helpful to me. I am sincere to every
Instant we have spent. Looking for more successes together

Mortadha Jabari

I wanted to take a moment to express my deepest gratitude

To my Family

I hope this work serves as an expression of my gratitude for all the sacrifices
you have made and the unwavering moral and material support you have
provided me. Your dedication to my happiness and success has been
unparalleled.
To my Teammate Mortadha Jabari

thank you for your unwavering support, encouragement and belief in me that
was a source of inspiration and strength and I am grateful for every moment we
have spent. I look forward to many more successes together
Nourhen Ouhibi
Thanking

At the end of this work, we would like to thank God for giving us the strength
and courage to complete it. We would also like to express our sincere gratitude
to our supervisor Dr. Hrizi Hafedh for his guidance, support, valuable
suggestions, and informative advice throughout this project.

Our deepest thanks and respect go to Mr. Hanafi Faycel, our supervisor at
SOTETEL, for his great availability towards us, his valuable help and relevant
advice, as well as his constructive criticism throughout this project.

We would also like to extend our sincere thanks to all those who contributed to
our education, especially the professors and educators at the Higher Institute of
Applied Sciences and Technologies of Mateur.

Our sincere thanks to the president and members of the jury for the honor they
give us in accepting to judge this work.
Table of content

Dedication................................................................................................
Thanking ..................................................................................................
Table of content .......................................................................................
List of Tables ...........................................................................................
List of Figures .........................................................................................
List of Acronyms .....................................................................................
General Introduction..............................................................................1
Chapter 1 Project Context .....................................................................2
Introduction ........................................................................................................................................................ 2
1. Host organization overview............................................................................................................................ 2
1.1. Introduction ............................................................................................................................................. 2
1.2. SOTETEL Organigram ........................................................................................................................... 2
1.3 SOTETEL logo ........................................................................................................................................ 3
2. Project introduction ........................................................................................................................................ 3
2.1. Study of the existing ............................................................................................................................... 3
2.2. Criticism and problematic ....................................................................................................................... 3
2.3. Project Goals ........................................................................................................................................... 4
2.4. Network topology ................................................................................................................................... 4
3. Requirements.................................................................................................................................................. 5
3.1. Hardware environment............................................................................................................................ 5
3.2. Software and Virtual environnement ...................................................................................................... 5
3.3. Interfaces identification: ......................................................................................................................... 6
3.4. Virtual interfaces ..................................................................................................................................... 6
3.5. Local Subnets .......................................................................................................................................... 7
4. Methodology .................................................................................................................................................. 7
Conclusion ......................................................................................................................................................... 8
Chapter 2: Theory overview ..................................................................9
Introduction ........................................................................................................................................................ 9
1. SD-WAN technology ..................................................................................................................................... 9
1.1. SDWAN Concept.................................................................................................................................... 9
1.2. SDWAN layers ....................................................................................................................................... 9
1.3. SD-WAN principles .............................................................................................................................. 10
2. MPLS ........................................................................................................................................................... 11
2.1. MPLS concept....................................................................................................................................... 11
2.2. MPLS Components ............................................................................................................................... 12
2.3. MPLS functionality ............................................................................................................................... 12
3. SDWAN and MPLS comparison ................................................................................................................. 13
4. VPN .............................................................................................................................................................. 13
4.1. Site-to-Site VPN ................................................................................................................................... 14
4.2. IPsec VPN ............................................................................................................................................. 14
4.3. IPsec Tunnel Process ............................................................................................................................ 14
5. FortiGate Firewall ........................................................................................................................................ 15
5.1. NGFW concept ..................................................................................................................................... 15
5.2. FortiGate use cases ............................................................................................................................... 16
5.3. FortiGate NGFW 60F series ................................................................................................................. 16
Conclusion ....................................................................................................................................................... 17
Chapter 3: SDWAN Implementation ..................................................18
Introduction ...................................................................................................................................................... 18
1. Connecting the devices................................................................................................................................. 18
1.1. Setting up the management interface .................................................................................................... 18
1.2. Logging in ............................................................................................................................................. 18
1.3. Connecting FortiGate ports ................................................................................................................... 19
2. Configuring FortiGate Firewall .................................................................................................................... 19
2.1. Local Interfaces ..................................................................................................................................... 19
2.2. Configuring the WAN interfaces .......................................................................................................... 21
2.3. Connecting to Internet through SDWAN .............................................................................................. 22
2.4. Configuring MPLS interface ................................................................................................................. 22
3. Configuring Branch Site Router ................................................................................................................... 23
3.1. Interfaces ............................................................................................................................................... 23
3.2. Connecting Branch Site to Internet ....................................................................................................... 23
3.3. Default Static route ............................................................................................................................... 24
3.4. DHCP server configuration ................................................................................................................... 24
4. MPLS circuit ................................................................................................................................................ 24
4.1. MPLS components ................................................................................................................................ 24
4.2. setting up the circuit .............................................................................................................................. 24
4.3. Static Routing configuration ................................................................................................................. 26
5. IPsec VPN tunnels ........................................................................................................................................ 26
5.1. Branch Site configuration ..................................................................................................................... 26
5.2. HQ configuration .................................................................................................................................. 27
5.3. Redundant IP sec tunnel........................................................................................................................ 30
5.4. Adding IPsec tunnels to SDWAN zone ................................................................................................ 30
6. SLAs configurations ..................................................................................................................................... 30
6.1. HQ FortiGate SLAs .............................................................................................................................. 30
6.2. Branch Site Router SLAs ...................................................................................................................... 32
7. Testing .......................................................................................................................................................... 33
7.1. Internet SLA graph ............................................................................................................................... 33
7.2. Branch Site SLA graph ......................................................................................................................... 33
7.3. Branch site accessibility to Internet ...................................................................................................... 34
Conclusion ....................................................................................................................................................... 34
Chapter 4: Security and QoS ...............................................................35
Introduction ...................................................................................................................................................... 35
1. Address Objects ........................................................................................................................................... 35
1.1. Trusted lan group .................................................................................................................................. 35
1.2. P2P address group ................................................................................................................................. 36
1.3. Web server virtual IP ............................................................................................................................ 37
2. SDWAN rules for Traffic priority and QoS ................................................................................................. 37
2.1. Real Time Traffic rule: ......................................................................................................................... 37
2.2. None Real Time Traffic ........................................................................................................................ 39
2.3. Failover Rules ....................................................................................................................................... 40
3. Branch Site Router tracked static routes ...................................................................................................... 41
3.1. Route to HQ through MPLS ................................................................................................................. 41
3.2. Route to HQ through VPN tunnels 1&2 ............................................................................................... 41
3.3. Tracking Default static route ................................................................................................................. 41
3.2. Tracked static routing table ................................................................................................................... 41
4. IPv4 Firewall Policies. ................................................................................................................................. 42
4.1. Intervlan policy ..................................................................................................................................... 42
4.2. Access internet policy ........................................................................................................................... 42
4.3. Branch site traffic .................................................................................................................................. 43
4.4. Access DMZ web server firewall policy ............................................................................................... 44
4.5. Branch-site access internet Policy ......................................................................................................... 44
4.6. Firewall policies summery table ........................................................................................................... 45
5. Security feature: guest web portal authentication ......................................................................................... 46
6. Testing .......................................................................................................................................................... 46
6.1. SDWAN rules Decisions ...................................................................................................................... 46
6.2. HQ internet failover .............................................................................................................................. 47
6.3 Branch Site Internet failover .................................................................................................................. 47
6.4. Testing Connectivity between sites and failover ................................................................................... 47
6.5. Testing DMZ configuration .................................................................................................................. 48
6.6. QoS traffic testing ................................................................................................................................. 49
6.5. Testing guests web portal and reachability ........................................................................................... 50
Conclusion ....................................................................................................................................................... 50
General Conclusion .............................................................................51
References ...............................................................................................
Annex.......................................................................................................
List of Tables

Table 1 Ports and Interfaces Designations and IPv4 addresses ««««.................................6


Table 2 VPN interfaces««««««««««««««.......................................................6
Table 3 VLANs, subnets Designations and IPv4 addresses.......................................................7
Table 4 Firewall policies exported«««««««««««««««««««««««5
List of Figures

Figure 1 SOTETEL organigram ............................................................................................................. 2


Figure 2 SOTETEL logo [7] ................................................................................................................... 3
Figure 3 Network topology ..................................................................................................................... 4
Figure 4 ISR 1921[2] .............................................................................................................................. 5
Figure 5 Cisco Catalyst 2960[1] ............................................................................................................. 5
Figure 6 Scrum process [5] .................................................................................................................... 8
Figure 7 SDWAN principles ................................................................................................................. 11
Figure 8 MPLS label header [6] ............................................................................................................ 12
Figure 9 MPLS architecture [6] ............................................................................................................ 12
Figure 10 IPsec Tunnel ......................................................................................................................... 15
Figure 11 FortiGate NGFW 60F front and back view [4] .................................................................... 16
Figure 12 Connecting Console cable to FortiGate 60F......................................................................... 18
Figure 13 Setting up management interface via CLI ............................................................................ 18
Figure 14 FortiGate login page ............................................................................................................. 18
Figure 15 Connecting the Devices ........................................................................................................ 19
Figure 16 Configuring VLAN10 interface............................................................................................ 19
Figure 17 Configuring DMZ interface .................................................................................................. 20
Figure 18 Core switch VLAN database ................................................................................................ 20
Figure 19 Creating lan zone virtual interface........................................................................................ 21
Figure 20 Configuring WAN1 and WAN2 interfaces .......................................................................... 21
Figure 21 Adding WAN1 and WAN2 to SDWAN zone ...................................................................... 22
Figure 22 Default Static Route through SDWAN interface.................................................................. 22
Figure 23 Configuring MPLS interface and adding it to SDWAN zone .............................................. 22
Figure 24 MPLS circuit topology ......................................................................................................... 24
Figure 25 LDP neighbourhood establishment ...................................................................................... 25
Figure 26 Trace route test inside the MPLS circuit .............................................................................. 26
Figure 27 LDP bindings table ............................................................................................................... 26
Figure 28 VPN creation wizard interface ............................................................................................. 27
Figure 29 Configuration of remote gateway for VPN tunnel 1 ............................................................ 28
Figure 30 IPsec VPN phase 1 Configuration ........................................................................................ 28
Figure 31 IPsec VPN phase2 configuration .......................................................................................... 29
Figure 32 Configuring vpn-tunnel1 virtual interface ............................................................................ 29
Figure 33 Adding the 2 vpn-tunnel interfaces to SDWAN zone .......................................................... 30
Figure 34 Internet SLA and Branch Site SLA creation ........................................................................ 31
Figure 35 Internet SLA Latency graph ................................................................................................. 33
Figure 36 Branch Site SLA Latency graph ........................................................................................... 33
Figure 37 Branch Site internet connectivity test ................................................................................... 34
Figure 38 VLAN 10 address object ...................................................................................................... 35
Figure 39 trusted local lan address group ............................................................................................. 35
Figure 40 VPN1 net , VPN2 net and MPLS net address objects .......................................................... 36
Figure 41 P2P address group ................................................................................................................ 36
Figure 42 Web Server Port forwarding configuration .......................................................................... 37
Figure 43 Access Branch Site Real Time Traffic Rule ......................................................................... 38
Figure 44 Access Internet Real Time Traffic Rule ............................................................................... 38
Figure 45 Access Branch Site None Real Time Traffic Rule ............................................................... 39
Figure 46 Access Internet None Real Time Traffic Rule ..................................................................... 39
Figure 47 Access Internet Rule ............................................................................................................. 40
Figure 48 Access Branch Site Rule....................................................................................................... 40
Figure 49 Branch site tracked Static Routing Table ............................................................................. 41
Figure 50 Firewall policy intervlan....................................................................................................... 42
Figure 51 Firewall policy Internet access ............................................................................................. 42
Figure 52 Firewall policy to branch site ............................................................................................... 43
Figure 53 Firewall policy from branch site ........................................................................................... 43
Figure 54 Firewall policy from internet to DMZ web server................................................................ 44
Figure 55 Firewall policy branch site access internet ........................................................................... 44
Figure 56 Guests web portal ................................................................................................................. 46
Figure 57 All SDWAN rules overview ................................................................................................. 46
Figure 58 HQ internet failover test ....................................................................................................... 47
Figure 59 Branch site internet failover test ........................................................................................... 47
Figure 60 Connectivity between sites and failover test ........................................................................ 48
Figure 61 web server reachability test .................................................................................................. 48
Figure 62 Real time traffic test ............................................................................................................. 49
Figure 63 None Real time traffic test .................................................................................................... 49
Figure 64 Performance comparison graph ............................................................................................ 49
Figure 65 Guest authentication portal test ............................................................................................ 50
Figure 66 Guests reachability test ......................................................................................................... 50
List of Acronyms

A
ACL Access Control List
C
CCTV Closed-Circuit television
CSV Comma Separated Values
CoS Class of Service
D
DES Data Encryption Standard
DH Diffie±Hellman
DMZ Demitiralized Zone
DSL Digital Subscriber Line
DSCP Differentiated Services Code Point
E
ESP Encapsulating Security Payload
F
FortiOS Fortinet Operating System
FTP File Transfer Protocol
H
HQ Head Quarters
HTTP Hyper Text Transfer Protocol
HTTPs Hyper Text Transfer Protocol Secure
I
ICMP Internet Control Message Protocol
IKE Internet Key Encryption
IOS Internetworking Operating System
IPSec Internet Protocol Security
IPv4 Internet Protocol version 4
ISAKMP Internet Security Association and Key Management Protocol
ISR Integrated Service Router
ISP Internet Service Provider
L
LAN Local Area Network
LTE Long Term Evolution
LDP Label Distribution Protocol
LER Label Edge Router
LSR Label Switching Router
LSP Label Switching Path
M
MD5 Message Digest Method 5
Mgmt Management
MPLS Multi-Protocol Label Switching
N
NAT Network Address Translation
O
OF Optical Fiber
OSPF Open Shortest Path First
Q
QoS Quality Of Service
R
RT Real Time
S
SDN Software Defined Network
SDWAN Software Defined Wide Area Network
SLA Service Level Agreement
SA Security Association
T
TCP Transmission Control Protocol
ToS Type of Service
TFTP Trivial File Transfer Protocol
U
UDP User Datagram Protocol
V
VDSL Very-high-bitrate Digital Subscriber Line
VLAN Virtual Local Area Network
VoIP Voice over Internet Protocol
VPN Virtual Private Network
VTI Virtual Tunnel Interface
W
WAN Wide Area Network
Z
ZTNA Zero Trust Network Access
General Introduction

In today's business landscape, enterprise networks play a critical role in connecting


computers and devices across different company branches, including data centres,
headquarters, and other sites. These networks facilitate secure data sharing among users and
devices within the enterprise network, and depending on the organizational structure and
operational requirements, they may comprise WANs and LANs. To enable such connectivity
between these networks, there are several solutions available, with the most recent being
Software-Defined Wide Area Network (SDWAN).

Our project focuses on deploying an SDWAN solution for an industrial company, providing
them with an efficient means of connecting two sites while maintaining Security and QoS. The
project consists of four chapters:

Chapter 1: Project context - In this section, we introduce the project topic and outline the goals
we aim to achieve through implementation.

Chapter 2: Theory Overview - Here, we delve into the theory behind the SDWAN solution,
studying relevant documentation and resources.

Chapter 3: SDWAN implementation - This section details the configurations made on a


FortiGate Firewall to deploy the SDWAN.

Chapter 4: Security and QoS configuration - The final chapter provides a detailed guide to the
steps taken, to configure SDWAN rules and firewall policies

1
Chapter 1 Project Context

Introduction
In this chapter, we will provide a comprehensive overview of the project. We will begin
by introducing the host organization, SOTETEL, before diving into the current state, the
challenges at hand, and the project objectives. Finally, we will select a methodology to guide
us in our solution.
1. Host organization overview
1.1. Introduction
SOTETEL, a telecommunications company established in 1981, is renowned for its
innovative approach to maintaining and implementing private and public telecommunication
networks in Tunisia and worldwide.
SOTETEL, a subsidiary of Tunisie Télécom, as the Tunisian Telecommunications Entreprises
Company. The company specializes in maintaining and implementing telecommunication
network infrastructures and has three main shareholders: Tunisie Télécom (35%), El Atheer
Funds (7.47%), and various others (57.33%). [7]
1.2. SOTETEL Organigram

Figure 1 SOTETEL organigram


2
1.3 SOTETEL logo

Figure 2 SOTETEL logo [7]

2. Project introduction
2.1. Study of the existing
The organization has two branches: HQ, which has abundant resources including servers
and databases, and a smaller branch site that relies on HQ for services. Both branches have
internet access through one or more providers, but HQ has better internet access with two links
- one using OF technology, which provides excellent performance in terms of bandwidth and
latency, and the other is a VDSL line that remains unused after migrating to OF technology.
The branch site, on the other hand, only has one VDSL subscription, which the admins found
sufficient due to its lower traffic compared to HQ. An MPLS circuit connects the two sites,
with medium to high data flow traffic between them.
2.2. Criticism and problematic
Upon analysis, several issues are evident:
x The network infrastructure relies heavily on the MPLS network, which is a standalone
circuit and cannot handle the significant amount of traffic between the two sites.
x The loss of the MPLS network leads to a loss of connectivity between the two sites.
x The VDSL link is capable of efficiently transmitting lightweight to medium non-real-time
traffic, but it is being underutilized at the HQ.
x Switching between VDSL and FO links requires manual editing of the default static route,
which can be time-consuming.
x Only one link is utilized at the branch site to access public cloud services, which poses a
risk to connectivity, and the local networks lack proper traffic filtering and security
policies, leaving them vulnerable to security breaches.

3
2.3. Project Goals
Our objective is to find a modern and reliable solution to the identified problems:
x We create an SDWAN interface that will enable us to use both WAN links in HQ
dynamically based on preference and traffic type, without the need for human
intervention.
x We also want to secure the LAN using strong rules, policies, and a DMZ zone.
x We need more than one way to connect both sites and not rely on MPLS, to achieve this,
we will create VPN tunnels that connect both sites over the internet in a secure way.
x We also want to split traffic between sites based on the RT and non-RT criteria using
SDWAN rules
The newly introduced solution that meets all these needs is SDWAN.
2.4. Network topology
In this figure we have the main topology of the network:

Figure 3 Network topology

4
3. Requirements
3.1. Hardware environment
x Cisco ISR 1921 (IOS 15.1)
The Cisco® 1921 ISR have been developed using 25 years of Cisco innovation and product
leadership as their foundation. These new platforms have been designed to facilitate the next
stage of branch-office development. [2]

Figure 4 ISR 1921[2]

x Cisco Switches: Cisco Catalyst 2960 (IOS 15.1)


The Cisco® Catalyst® 2960 Series comprises of a range of standalone, fixed-configuration
switches that offer both Fast Ethernet and Gigabit Ethernet connectivity, while supporting
advanced switching services, enhanced security, IP communications, wireless networking, and
scalable management. [1]

Figure 5 Cisco Catalyst 2960[1]

x FortiGate Firewall: FortiGate NGFW 60F.


x 2 Laptops.

3.2. Software and Virtual environnement


x VMware Workstation pro 2016 is a type 2 hypervisor that's widely used to create multiple
virtual machines. We'll be using it to host the GNS3 virtual machine.

x GNS3 v2.37 is a free and open-source software for simulating complex networks using
virtual machines and components like routers and firewalls.
x GNS3 virtual machine v2.37 is a lightweight and robust way to create GNS3 topologies
without common issues encountered in a local install.
x FortiGate-VM is a virtual appliance that monitors and regulates virtual traffic on
virtualization platforms like VMware vSphere, KVM, and AWS.
x Cisco 7200 is a virtual appliance that runs IOS 12.4 and is suitable for GNS3 projects.
x Webterm is a Debian-based virtual appliance that contains Firefox browser and networking
utilities.

5
x NETerm is a Linux kernel-based virtual appliance that emulates WAN links with features
like bandwidth limitation, delay, jitter, and packet loss.
x Toolbox is a virtual appliance that contains server-side software for secondary management
of network devices like nginx, FTP, TFTP, syslog, DHCP, and SNMP server.

3.3. Interfaces identification:


We set up the interfaces IPv4 addressing plan:
Port name /
Device Role IPv4 address
number
Wan1 (port1) Access internet (OF) 100.10.10.2/24
Wan2 (port2) Access internet (VDSL) 100.20.20.2/24
MPLS (port3) Access Branch site 172.17.0.1/30
HQ FortiGate
LAN (port4) Trunk port N/A
Mgmt.(port5) Manage the FortiGate 192.168.100.1/24
DMZ (port6) DMZ 192.168.50.1/24
Gig0/0 Access internet (VDSL) 100.30.30.2/24
Branch Site Router Gig1/0 LAN 10.10.0.1/24
Gig2/0 Access HQ site 172.16.0.2/24
fa0/0 MPLS gateway for HQ 172.17.0.2/30
LER-HQ
fa1/0 MPLS facing interface 1.1.1.2/30
fa0/0 Label switching interface 2.2.2.2/30
LSR
fa1/0 Label switching interface 1.1.1.1/30
fa0/0 MPLS facing interface 2.2.2.1/30
LER-BranchSite
fa1/0 MPLS gateway for Branch 172.16.0.1/30
Table 1 Ports and Interfaces Designations and IPv4 addresses
3.4. Virtual interfaces
Also we identify the VPN tunnel interfaces
Device Virtual interface Role IPv4 address
HQ FortiGate VPN tunnel1(WAN1) IPsec Tunnel 172.16.1.1/30
VPN tunnel2(WAN2) IPsec Tunnel 172.16.2.1/30
Branch Site Router VTI tunnel1 IPsec Tunnel 172.16.1.2/30
VTI tunnel2 IPsec Tunnel 172.16.2.2/30
Table 2 VPN interfaces

6
3.5. Local Subnets
Subnets range need to be selected in order to create address objects inside the FortiGate data
base. Note that each VLAN has a virtual interface on the FortiGate firewall.
Site Device subnet Role IPv4 net address
VLAN 10 Servers and printers 192.168.10.0/24
VLAN 15 Administration Dep 192.168.15.0/24
VLAN 20 Maintenance Dep 192.168.20.0/24
VLAN 25 Engineering Dep 192.168.25.0/24
HQ FortiGate
VLAN 30 Marketing Dep 192.168.30.0/24
VLAN 35 IT Dep and IoT/CCTV 192.168.35.0/24
VLAN 40 Guests 192.168.40.0/24
DMZ Web and FTP servers 192.168.50.0/24
Branch Site Router LAN Local network 10.10.0.0/24
Table 3 VLANs, subnets Designations and IPv4 addresses
4. Methodology
Agile scrum methodology is a project management system that relies on incremental
development. Each iteration consists of two- to four-week sprints, where the goal of each sprint
is to build the most important features first and come out with a Potentially Shippable Product.
It is flexible and does not require strict structure. [5]
Each sprint begins with a planning meeting where the team selects the work items they will
attempt to complete during the sprint. The team then proceeds to work on the selected items,
meeting daily for brief stand-up meetings to ensure everyone is on the same page and to identify
any impediments that may be preventing progress. At the end of the sprint, the team holds a
review meeting to demonstrate the work completed and to gather feedback. The team also holds
a retrospective meeting to discuss what went well and what could be improved in the next sprint
So, we are going to utilize SCRUM methodology in the realization of our project.

7
Figure 6 Scrum process [5]

Conclusion
Now that we have introduced the problem and outlined the goals of our project, as well as
identified the requirements we can begin exploring the theory behind SDWAN
implementation.

8
Chapter 2: Theory overview

Introduction
In this section, we will delve into the theory required for our project. We will begin by
outlining the fundamental concepts of the Fortinet SDWAN solution. From there, we will
conduct a brief analysis of MPLS circuits and draw comparisons between the two
technologies. Then we introduce the concept of VPN. Finally, we will introduce the FortiGate
Firewall.
1. SD-WAN technology
1.1. SDWAN Concept
It is a networking technology that uses Software-Defined Networking (SDN) to optimize
and manage the performance of the Wide Area Network (WAN). It simplifies the management
of the WAN by using a centralized control function to securely distribute traffic directly over
the internet from branch locations to trusted SaaS and LaaS providers. This Virtual WAN
architecture allows organizations to connect users, applications, and data across a variety of
locations while delivering a high-quality user experience, increasing application performance,
agility, and business productivity.
1.2. SDWAN layers
An SD-WAN consists of three layers:
x Management and orchestration: This layer include FortiManager and FortiAnalyzer,
which provide uniform management and automated orchestration using REST APIs.
The layer also includes template-based solutions and performs logging, monitoring, and
analysis.
x Control, data plane, and security: The FortiGate here is the responsible for consolidating
underlays and overlays into SD-WAN zones. It offers scalable VPN solutions using
ADVPN, defines static and dynamic routing, and performs health checks, SD-WAN
monitoring, NGFW firewalling, and application-aware steering.
x Network access: This layer includes Fortis witch and FortiAP devices, which perform
WAN segmentation and provide built-in network access control.
¾ Overall, these three layers work together to create an efficient and secure SD-WAN
architecture that improves network performance and enables organizations to seamlessly
connect their users, applications, and data across multiple locations".[3]

9
1.3. SD-WAN principles
An SDWAN solution comports 5 pillars in order to function properly:
x Underlay:
which includes the technologies used to connect to the WAN and identify link properties.
x Overlay:
which manages VPN tunnels between sites for secure and redundant traffic transport.
x Routing:
which uses traditional routing with SDWAN rules to steer traffic based on QoS and other
criteria.
x Security:
achieved through NGFW features such as firewall policies and encryption. By implementing
security measures, an SDWAN solution can ensure the reliability and guaranteed delivery of
traffic.
x SDWAN:
Makes decisions on which optimal path to use for each session, frame, or data unit using
four elements:
o SDWAN zones:
The virtual interface that holds all underlays and overlays interfaces together. Multiple
zones can be created and grouped together as needed
o SDWAN members:
A member is simply the port that will run the traffic, each member must be assigned to a
zone, has gateway, and can have a priority/cost value.
o Performance SLAs:
Also known as Health-checks Monitor SDWAN members, identify failures, and give
statistics about QoS of each member.
SLAs can be used in two ways:
™ Active probing: by sending ICMP-echo packets to a server.
™ Passive probing by monitoring data passing through firewall policies.
o SDWAN Rules
use matching criteria such as application type, TCP/UDP ports, or ToS/DSCP values to steer
traffic. The strategy used to select the best link can be based on the member with the best
measured quality, the lowest cost that meets the SLA target requirements, maximum
bandwidth, or preferred members manually identified by admins. [3]

10
Figure 7 SDWAN principles
2. MPLS
2.1. MPLS concept
Multiprotocol Label Switching, or MPLS, is a switching mechanism that routes traffic along
the shortest path based on "labels" on behalf of network addresses to handle routing across
private WANs.
As an adaptable and protocol-independent solution, MPLS assigns labels to each packet to
control the path that the packet follows.
MPLS considerably increases the speed of traffic, so users experience no downtime while
connecting to the network.
An MPLS network is Layer 2.5 of the OSI 7-layers hierarchy, it sits between Data link layer
(layer2) and network layer(layer3). [8]

11
2.2. MPLS Components
MPLS has 4 major components:
x Labels are short identifiers used by LSRs to forward packets on an LSP. MPLS labels
are 4 bytes in length.

Figure 8 MPLS label header [6]

x Label edge routers (LERs) are located at the edge of MPLS circuits and act as
gateways between the IP and label domains, forwarding IP packets in and out of the
MPLS circuit.
x Label switching routers (LSRs) are located in the core of MPLS circuits and are
responsible for forwarding labels between LERs and within the MPLS domain.
x LSP: LSRs use the LDP protocol to create logical paths within the MPLS domain,
which the labels will follow. [6]

Figure 9 MPLS architecture [6]

2.3. MPLS functionality


MPLS assigns a fixed-length label to the Layer 3 header of a packet, identifying a
forwarding equivalence class. The label is added at the ingress router and carried along with
the packet. At each MPLS router, the label is exchanged and forwarding decisions are made
based on the label in the MPLS forwarding table. This simplifies the forwarding process and

12
eliminates complex header analysis. Routing policy at subsequent hops may determine the
initial label selection instead of the Layer 3 packet header.
3. SDWAN and MPLS comparison
MPLS has been the traditional choice for enterprise connectivity, but with the rise of cloud-
based applications, it has become less practical and costlier. As a result, many organizations
DUHQRZRSWLQJIRUDPRGHUQVROXWLRQ³6'
-:$1´
.
Below, is a comparison, between MPLS and SD-WAN, that explains why SD-WAN is often
the better choice for modern businesses:
‡03/6LVOLPLWHGWRRQHOLQNZKLOH6'
-WAN provides flexibility by using multiple WAN
links, including MPLS, wireless, broadband, VPNs, and the internet.
‡03/6LVGHVLJQHGIRUFRQQHFWLQJUHPRWHORF
-WAN
enables end-to-end enterprise connectivity over large geographical distances, allowing users to
work regardless of location.
‡6'
-WAN offers centralized management and is often cloud-managed, while MPLS requires
complex configuration and management.
‡-WAN
6' offers advanced analytics capabilities to optimize application performance and
ensure application resiliency, while MPLS lacks this level of visibility and control. [8]
4. VPN
A VPN is a technology that allows users to create a secure, encrypted connection to another
network over the internet. VPNs are commonly used to protect sensitive data transmission,
bypass internet censorship, and access geographically-restricted content
Some of the main features of VPNs include:
x Encryption of data to ensure that it is secure and private.
x Authentication to verify the identity of the user.
x Tunneling to create a virtual connection between two networks, allowing users to
access resources as if they were on the same local network.
VPNs can be categorized into different types, including:
x Remote Access VPN: enables users to connect securely to a private network from
remote locations over the internet.
x Site-to-Site VPN: connects two or more networks together over the internet, allowing
devices in each network to communicate with each other as if they were on the same local
network.

13
4.1. Site-to-Site VPN
Site-to-Site VPN (also known as router-to-router VPN or LAN-to-LAN VPN) is a type of
VPN that connects two or more networks together over the internet. Site-to-Site VPN is
commonly used by businesses and organizations to securely connect multiple office locations
or data centers together over the internet. With a Site-to-Site VPN, employees can access
resources on a company¶
s network from any location, as if they were physically present in the
office. Site-to-Site VPNs typically use encryption protocols such as IPsec to secure the
connection.
4.2. IPsec VPN
IPsec (Internet Protocol Security) VPN is a type of VPN that provides encryption and
authentication for IP packets in a network. It is a protocol suite that ensures the secure
transmission of data over the internet. IPsec VPN is commonly used for Site-to-Site VPN
connections, as it provides a high level of security, encrypting all traffic between the connected
networks. However, setting up an IPsec VPN can be complex, and may require technical
expertise. Additionally, IPsec VPN can have some performance overhead due to the encryption
and decryption of data packets, which can affect network performance, especially for large data
transfers.

4.3. IPsec Tunnel Process


IPsec operation involves five main steps that can be broken down as follows:
x The IPsec process is initiated by interesting traffic which refers to traffic that meets the
criteria specified in the IPsec security policy configured in the IPsec peers. This process
triggers IKE process.
x During IKE phase 1, the IPsec peers are authenticated, and IKE SAs are negotiated to
establish a secure channel for the negotiation of IPsec SAs in phase 2.
x IKE phase 2 involves the negotiation of IPsec SA parameters and the establishment of
matching IPsec SAs in the peers.
x Data transfer takes place based on the IPsec parameters and keys stored in the SA
database.
x IPsec SAs terminate either through deletion or by timing out, thus terminating the IPsec
tunnel. [11]

14
Figure 10 IPsec Tunnel
5. FortiGate Firewall
FortiGate firewall is a security device manufactured by the IT Cyber-security leaders
Fortinet, it is a part of what is known as NGFW which provide an ultimate threat protection for
businesses of all sizes.
5.1. NGFW concept
A classic Firewall is a security device that provide a stateful inspection of traffic passing
through it according tR UXOHV SURYLGHG E\ DGPLQV VXFK DV
while a NGFW has much more than that:
x Stateful inspection, which allows the firewall to track the state of network connections
and only allow authorized traffic.
x Integrated intrusion prevention, which helps to detect and block attempts to breach the
network.
x Application awareness and control, which enables the firewall to identify and prevent
risky or unauthorized applications from accessing the network.
x The ability to draw on threat intelligence sources, which helps the firewall to stay up-
to-date with the latest security threats and respond accordingly.
x Upgrade paths that allow for the incorporation of future information feeds, ensuring
that the firewall remains effective and relevant over time.
x Techniques for addressing evolving security threats, so that the firewall can adapt to
new and emerging forms of attack. [4]

15
5.2. FortiGate use cases
A FortiGate firewall can shine to its full potential and provide a great service in these cases
as it has the best tools for the job:
x NGFW: protecting networks using the next-generation capabilities.
x Secure SDWAN: deploying a secure SDWAN solution.
x Universal ZTNA: Control application access from anywhere with universal access
policies. [4]
5.3. FortiGate NGFW 60F series
x FortiOS:
FortiOS is a proprietary operating system used in FortiGate 60F. It provides security features
such as firewall, VPN, antivirus, intrusion prevention, web filtering, and more. FortiOS is
known for its ease of use and advanced security capabilities, making it popular among
businesses of all sizes. [4]
x Configuring FortiGate 60F:
To access the configuration of a FortiGate Device there is two ways:
x CLI: using a console port to access the Command line interface and start the
configuration process.
x GUI: it is possible to configure the device using the web portal as it by default have
a HTTPs/HTTP access on the all its local ports, the default IP address is
192.168.1.99/24.
x Hardware:
FortiGate 60F is considered in the entry level category for branch sites and small
businesses.

Figure 11 FortiGate NGFW 60F front and back view [4]

16
It has a total of:
1. 1xUSB port
2. 1xConsol port
3. 2xRj45 Gigabit-Ethernet WAN ports
4. 1xRj45 Gigabit-Ethernet DMZ port
5. 2xRj45 Gigabit-Ethernet switch ports model1
6. 5xRj45 Gigabit-Ethernet switch ports model2 [4]
Conclusion
With a firm understanding of the theoretical foundations of our project, we are now prepared
to move on to the practical phase. We will follow the necessary steps to achieve the goals
outlined earlier, building on the knowledge gained in the theoretical section

17
Chapter 3: SDWAN Implementation

Introduction
In this chapter, we will be discussing the implementation of Fortinet SDWAN, outlining the
steps taken to achieve our goals.
1. Connecting the devices
1.1. Setting up the management interface
To create the management interface, we connect a console cable to the FortiGate and use
Putty to log on to the terminal.

Figure 12 Connecting Console cable to FortiGate 60F


After creating an administrator account: (user: admin password: admin) we use port5 as a
management interface with an IPv4 192.168.100.1/24.

Figure 13 Setting up management interface via CLI


1.2. Logging in
after setting up this interface we use it to access the GUI of the FortiGate

Figure 14 FortiGate login page

18
1.3. Connecting FortiGate ports
we connect the FortiGate wan ports to the corresponding modems (OF modem and VDSL
modem) and we connect the trunk port to the core switch that will manage VLANs

Figure 15 Connecting the Devices


2. Configuring FortiGate Firewall
2.1. Local Interfaces
On the GUI navigate to Network>interfaces> then create a new interface called vlan10 we
set an IPv4 address of 192.168.10.1/24, role LAN and VLAN id = 10 and we use port4 as a
trunk port and we set a DHCP pool in order for the hosts to get configurations dynamically

Figure 16 Configuring VLAN10 interface

19
The same steps are done in order to create all other interfaces the only change done is the
VLAN id value and the IPv4 address and DHCP pool we included all VLANs in annex page
Then we create a DMZ interface that is located on Port 6 of the FortiGate firewall. There is
no DHCP server running on this interface, so the servers connected to it will use static IPv4
addresses. The interface is configured with a DMZ role.

Figure 17 Configuring DMZ interface

As the VLANs are integrated with the port4 which will be a trunk port connected to the core
switch so we have to configure the VLANs in the switch and designate a trunk port using the
IEEE 802.1Q standard.

Figure 18 Core switch VLAN database

20
Once the interfaces are set up, we'll group them into a virtual zone named 'lan' to make them
easier to manage. We block the intra-zone traffic so we can control the traffic via the policies.

Figure 19 Creating lan zone virtual interface

2.2. Configuring the WAN interfaces


Commencing, we configured the WAN interfaces as follows: WAN1 was connected to the
OF link through Port 1, and WAN2 was connected to the VDSL link through Port 2.

Figure 20 Configuring WAN1 and WAN2 interfaces


We can use the CLI also to configure the WAN interfaces

HQ# config system interfaces HQ# config system interfaces


HQ# edit port1 HQ# edit port2
HQ# set type wan HQ# set type wan
HQ# set alias wan1 HQ# set alias wan2
HQ# set allowaccess ping HQ# set allowaccess ping
HQ# set ip 100.10.10.2/24 HQ# set ip 100.20.20.2/24
HQ# end HQ# end

21
2.3. Connecting to Internet through SDWAN
First ZHKDYHWRFUHDWHDQ6':$1]RQHDQGDGG³
as members
to it and we set up the gateways of each wan connection no need to put a cost value as the rules
will decide the priority of each member

Figure 21 Adding WAN1 and WAN2 to SDWAN zone


Then we set up the default static route to forward traffic going to Internet (0.0.0.0/0) to pass
through the SDWAN interface

Figure 22 Default Static Route through SDWAN interface


2.4. Configuring MPLS interface
We use port3 as the MPLS interface, so we set the IPv4 address of 172.17.0.1/30 (/30 prefix
EHFDXVHLW¶VDSRLQW
-to-point connection) the role is set to undefined
And we add the MPLS interface to the SDWAN zone with the corresponding gateway

Figure 23 Configuring MPLS interface and adding it to SDWAN zone

22
3. Configuring Branch Site Router
3.1. Interfaces
Primary, we set up two interfaces of the branch site router: gig1/0 with a private IPv4 address
10.10.0.1/24 as the local interface and gig0/0 with a public IPv4 address 100.30.30.2/24 as the
public interface that will be connected to VDSL modem.

Branch Site# int gig1/0


Branch Site# ip add 10.10.0.1 255.255.255.0
Branch Site# no sh
Branch Site# exit
Branch Site# int gig0/0
Branch Site# ip add 100.30.30.2 255.255.255.0
Branch Site# no sh
Branch Site# exit

Then we set up the MPLS interface as the gig2/0 with an IPv4 address of 172.16.0.2/30
Branch Site# int gig2/0
Branch Site# ip add 172.16.0.2 255.255.255.252
Branch Site# no sh
Branch Site# exit
3.2. Connecting Branch Site to Internet
First, we define the outside interface and the inside interface
● gig1/0: we define it as an inside interface because it is the local sided interface.
● gig0/0: we define it as an outside interface because it is the public sided interface.
int gig1/0 int gig0/0
ip nat inside ip nat outside
exit exit

Then we configure the NAT service in order to enable the translation of source IPv4
addresses when traffic is destined for the public internet (0.0.0.0/0) while preserving the
original source IPv4 address when traffic is destined for the HQ local addresses
(192.168.0.0/18), we created an Access Control List (ACL) named 'nat' for the NAT service.
So as the extended ACL in Cisco routers follow the top-to-bottom priority rule we define
the exception rule on top (id 10) and the general rule on bottom (id 20).
Branch Site# ip access-list extended nat
Branch Site# 10 deny ip 10.10.0.0 0.0.0.255 192.168.0.0 0.0.63.255
Branch Site# 20 permit ip 10.10.0.0 0.0.0.255 any
Branch Site# exit
Note : HQ summery address (192.168.0.0/18) is due to using the super-netting technique on
all of the local subnets in HQ site.

23
and then we activate the NAT translation to use the IPv4 of the outside interface with an
overloading on port numbers
Branch Site# ip nat inside source list nat interface gig1/0 overload

❖ The NAT allows IPv4 address translation and protects the private networks.
3.3. Default Static route
The default route here sends packets when no specific route is in the routing table and since
the internet is a big place (0.0.0.0/0) so internet connectivity will be provided by this route.

Branch Site# ip route 0.0.0.0 0.0.0.0 100.30.30.1

3.4. DHCP server configuration


We will configure a DHCP server to automatically assign IP addresses, default gateway,
and DNS server to clients on the local side of the Branch Site Router.

Branch Site# ip dhcp pool local


Branch Site# network 10.10.0.0 255.255.255.0
Branch Site# dns server 8.8.8.8
Branch Site# default-router 10.10.0.1
Branch Site# exit

4. MPLS circuit
We create an MPLS circuit in a virtual environment GNS3
4.1. MPLS components

Figure 24 MPLS circuit topology

4.2. setting up the circuit


Initial, we are going to address the routers and configure OSPF connectivity between
LER-HQ and LER-BranchSite, we configure the interfaces IPv4 addresses and at the same
time we define an OSPF process with the area 0 as a routing protocol as the MPLS needs IP
connectivity in order to perform the label switching process.

24
LER-HQ: LSR LER-BranchSite
int f0/0 int f0/0 int f0/0
ip add 172.17.0.2 255.255.255.252 ip add 2.2.2.2 255.255.255.252 ip add 2.2.2.1 255.255.255.252
no sh no sh no sh
ip ospf 1 area 0 ip ospf 1 area 0 ip ospf 1 area 0
exit exit exit
int f1/0 int f1/0 int f1/0
ip add 1.1.1.2 255.255.255.252 ip add 1.1.1.1 255.255.255.252 ip add 172.16.0.2 255.255.255.252
no sh no sh no sh
ip ospf 1 area 0 ip ospf 1 area 0 ip ospf 1 area 0
exit exit exit
Then after making sure that all 3 routers established OSPF neighbourhood we execute this
command on all of the 3 routers
router ospf 1
mpls ldp autoconfig

Now the OSPF process will configure LDP protocol on all the interfaces and establish
LDP neighbourhood inside of the circuit.
Here we see the neighbourhood of each router

Figure 25 LDP neighbourhood establishment

25
And to make sure that the MPLS circuit is working we will trace an ICMP packet from
LER-HQ to LER-BranchSite.
It appears that the packet has been transmitted via an MPLS circuit and has been tagged with
label 17.

Figure 26 Trace route test inside the MPLS circuit

4.3. Static Routing configuration


We need to perform static route within the LER routers in order for the MPLS circuits to
know the paths for the HQ site and the Branch site.
ip route 10.10.0.0 255.255.255.0 172.16.0.2
ip route 192.168.0.0 255.255.192.0 172.17.0.1
Now every route to a network within the routing table of both LER-HQ and LER-BranchSite
routers has a label bound to it:

Figure 27 LDP bindings table


5. IPsec VPN tunnels
Note : The parameters configured at both the HQ and branch sites should be the same.
5.1. Branch Site configuration
Phase1: we configure an ISAKMP policy to establish a secure communication channel
between the two devices. we set the hash algorithm to MD5, encryption algorithm DES,
authentication pre-shared key, DH group2 and the lifetime 86400 seconds.

26
Branch Site# crypto isakmp policy1
Branch Site# hash md5
Branch Site# encryption des
Branch Site# authentication pre-share
Branch Site# lifetime 86400
Branch Site# group 2
Branch Site# exit
Branch Site# crypto isakmp key tunnel1 address 100.10.10.2

Phase2: we configure an IPsec transform set for providing confidentiality and integrity to
IP packets using the ESP protocol encryption is DES and hash is MD5, then we create a
phase 2 profile that will use the transform set encryptions and hash as well as DH group2 and
life time is by default 3600s.
Branch Site# crypto ipsec transform-set set1 esp-des esp-md5-hmac
Branch Site# mode tunnel
Branch Site# exit
Branch Site# crypto ipsec profile profile1
Branch Site# set transform-set set1
Branch Site# set pfs group2
Branch Site# exit

VTI: we configure Tunnel1 interface with an IP address and put the source interface
gig0/0, the destination IP address for the tunnel is set to the IPv4 of HQ wan1 port
100.10.10.2. the IPsec profile "profile1" is applied to the tunnel for providing security
services to the traffic.
Branch Site# int tunnel1
Branch Site# ip add 172.16.1.2 255.255.255.252
Branch Site# tunnel source gig0/0
Branch Site# tunnel destination 100.10.10.2
Branch Site# tunnel mode ipsec ipv4
Branch Site# tunnel protection ipsec profile profile1
Branch Site# exit
5.2. HQ configuration
First, we create the custom IPsec tunnel:

Figure 28 VPN creation wizard interface

27
Next, we set the remote gateway to static IPv4 address of the Branch site public interface
100.30.30.2 and the WAN1 as the output interface.

Figure 29 Configuration of remote gateway for VPN tunnel 1


Phase 1: we configure IPsec phase 1 for a VPN tunnel with local interface as Port1, remote
gateway IPv4 address as 100.30.30.2, disabled NAT traversal, and pre-shared key "tunnel1".
Use DES encryption, MD5 hash algorithm, DH group2, and set the lifetime to 86400 seconds.

Figure 30 IPsec VPN phase 1 Configuration

We can also configure phase 1 by CLI

HQ# config vpn ipsec phase1-


interface
HQ# edit "vpn-tunnel1"
HQ# set interface port1
HQ# set remote-gw 100.30.30.2
HQ# set nattraversal disable
HQ# set psksecret tunnel1
HQ# set proposal des-md5
HQ# set dhgrp 2
HQ# set keylife 86400
HQ# end

28
Phase 2: we configure the IPsec phase 2 settings for a VPN tunnel. We use the same
encryption, hash and DH groups as the phase1 except lifetime 3600 seconds.

Figure 31 IPsec VPN phase2 configuration

and phase 2 by CLI HQ# config vpn ipsec phase2-


interface
HQ# edit "vpn-tunnel1"
HQ# set phase1name "vpn-
tunnel1"
HQ# set proposal des-md5
HQ# set keylifeseconds 3600
HQ# set keepalive enable
HQ# set auto-negotiate enable
HQ# set dhgro 2
HQ# end
Virtual interface « vpn-tunnel1 »: we configure the virtual tunnel interface for the "IPsec-
WXQQHOZH¶OODOORZSLQJDFFHVVWRWKHLQW
and set the remote IP address to 172.16.1.2/32.

Figure 32 Configuring vpn-tunnel1 virtual interface

29
5.3. Redundant IP sec tunnel
We have created a redundant VPN tunnel with the same Phase 1 and Phase 2 properties as
a backup for Tunnel 1. The virtual interface for Tunnel 1 is overlayed on WAN 1, while the
virtual interface for Tunnel 2 is overlayed on WAN 2. This provides failover between the two
tunnels in case of a WAN 1 or WAN 2 failure we still have a VPN connection.

5.4. Adding IPsec tunnels to SDWAN zone


As the initial setup action, we configure the VPN members by associating them with
proper gateway IP addresses and VPN tunnel interfaces and assigning them to the SD-WAN
zone

Figure 33 Adding the 2 vpn-tunnel interfaces to SDWAN zone


6. SLAs configurations
6.1. HQ FortiGate SLAs
:H ZLOO FUHDWH WZR 6/$V WR PRQLWRU WKH SHU
SDWAN zone.
Internet SLA will monitor the wan1 and wan2 interfaces by measuring the quality of the
links, it will ping the server 8.8.8.8 the SLA target: Latency threshold of 60ms and 15% packet
loss and select the members are wan1 (id=1) wan2 (id=2).
Branch Site SLA will monitor the MPLS VPN-tunnel1 and VPN-tunnel2 interfaces by
measuring the quality of the links, it will ping the local Branch site interface 10.10.0.1/24 the
SLA target: Latency threshold of 60ms and 15% packet loss and select the members are MPLS
(id=3) VPN-tunnel1 (id=4) VPN-tunnel2 (id=5).

30
Those SLA will be used in the SDWAN rules for QoS traffic management.

Figure 34 Internet SLA and Branch Site SLA creation

we can create those SLAs using the CLI method

HQ# config system sdwan HQ# config system sdwan


HQ# config health-check HQ# config health-check
HQ# edit "Internet SLA" HQ# edit "Branch Site SLA"
HQ# set addr-mode ipv4 HQ# set addr-mode ipv4
HQ# set protocol ping HQ# set protocol ping
HQ# set server 8.8.8.8 HQ# set server 10.10.0.1
HQ# set members 1 2 HQ# set members 3 4 5
HQ# config sla HQ# config sla
HQ# edit 1 HQ# edit 1
HQ# set latency-threshold 60 HQ# set latency-threshold 40
HQ# set packet loss-threshold 15 HQ# set packetloss-threshold 15
HQ# set jitter-threshold 10 HQ# set jitter-threshold 10
HQ# end HQ# end
HQ# set update-static-route disable HQ# set update-static-route disable
HQ# end HQ# end
HQ# end HQ# end

31
6.2. Branch Site Router SLAs
In the Branch Site we will create 4 SLAs to monitor all the interfaces and we will identify them
with the id.
SLA1: it will monitor the access to the MPLS circuit by pinging the HQ FortiGate MPLS
interface 172.16.0.1/30 from the interface gig2/0.
SLA2: it will monitor the access to the VPN-tunnel1 by pinging the 172.16.1.1/30 from the
interface tunnel 1.
SLA3: it will monitor the access to the VPN-tunnel2 by pinging the 172.16.1.1/30 from the
interface tunnel 1.
SLA4: it will monitor the access to the public network by pinging the internet
gateway100.30.30.1 from the public interface gig0/0.
Then we will bind each SLA into a track object that will return an ON/OFF result based on
the results of the SLA, this track will be used to create static routes and enable or disable the
routes automatically.

Branch Site# ip sla 1 Branch Site# ip sla 2


Branch Site# icmp-echo 172.17.0.1 source- Branch Site# icmp-echo 172.16.1.1 source-
interface gig2/0 interface tunnel 1
Branch Site# threshold 60 Branch Site# threshold 60
Branch Site# timeout 1000 Branch Site# timeout 1000
Branch Site# frequency 3 Branch Site# frequency 3
Branch Site# exit Branch Site# exit
Branch Site# ip sla schedule 1 life forever Branch Site# ip sla schedule 2 life forever
start-time now start-time now
Branch Site# track 1 ip sla 1 reachability Branch Site# track 2 ip sla 2reachability
Branch Site# exit Branch Site# exit

Branch Site# ip sla 3 BranchSite# ip sla 4


Branch Site# icmp-echo 172.16.2.1 source- BranchSite# icmp-echo 100.30.30.1
interface tunnel2 source-interface gig0/0
Branch Site# threshold 60 BranchSite# threshold 60
Branch Site# timeout 1000 BranchSite# timeout 1000
Branch Site# frequency 3 BranchSite# frequency 3
Branch Site# exit BranchSite# exit
Branch Site# ip sla schedule 3 life forever BranchSite# ip sla schedule 4 life forever
start-time now start-time now
Branch Site# track 3 ip sla 3 reachability BranchSite# track 4 ip sla 4 reachability
Branch Site# exit BranchSite# exit

32
7. Testing
7.1. Internet SLA graph
Here we can see the Internet SLA graph and performance monitoring we notice that WAN2
has much higher latency than WAN1 this is due to the much higher performance provided by
the OF link in comparison with the VDSL link .

Figure 35 Internet SLA Latency graph


7.2. Branch Site SLA graph
Here we can see the Branch Site SLA graph and performance monitoring we notice that
VPN tunnels has much higher latency than MPLS this is due to the much higher performance
provided by the MPLS circuit.

Figure 36 Branch Site SLA Latency graph

33
7.3. Branch site accessibility to Internet
After pinging google DNS from the router and using a source address of 10.10.0.1/24 we
are now sure that the configuration we did is working.

Figure 37 Branch Site internet connectivity test

Conclusion
After setting up the SDWAN interface and making sure there is connectivity from both
sites to the Internet we now ready to move on to the Filtering the traffic and configuring QoS
Rules.

34
Chapter 4: Security and QoS

Introduction
In this chapter we will perform the necessary security configuration to provide reliable
implementation as well as setting up QoS rules.
1. Address Objects
An address object is used In FortiGate Firewall to map an IPv4 subnet or range into an object
to utilize it in the IPv4 Policies as well as SDWAN rules.
1.1. Trusted lan group
First, we have to create an address object for each local subnet and also for the Branch site
local network.
To create VLAN10 subnet navigate to 'Policy & Objects' > 'Addresses' and create a new
address.

Figure 38 VLAN 10 address object


The same way we also create an address object for each VLAN (from 10 to 40), DMZ
subnet and the Branch Site Local subnet (10.10.0.0/24).
Note :Go to table 2 page 7. all subnets are mentioned there
Then we group the more trustful VLANs (10 to 35) into a group called trusted lan.

Figure 39 trusted local lan address group

35
1.2. P2P address group
We create an address group to hold all point-to point connection IPv4 addresses such as VPN
tunnels and MPLS to make it easier for us to manage them in the Policies and rules
6RZHFUHDWH³03/6QHW´DGGUHVVREMHFWWRK
³931QHW´DGGUHVVREMHFWWRKROGWKH
2.16.1.0/30 addresses
³931QHW´DGGUHVVREMHFWWRKROGWKH
s.

Figure 40 VPN1 net , VPN2 net and MPLS net address objects
7KHQZHJURXSWKHPLQWRDQDGGUHVVJURXSFDO
.

Figure 41 P2P address group


Also, it is possible to create the address and group them using CLI.

HQ# config firewall address HQ# config firewall address


HQ# edit "VPN1 net" HQ# edit "MPLS net"
HQ# set subnet 172.16.1.0/30 HQ# set subnet 172.17.0.0/30
HQ# set allow-routing enable HQ# set allow-routing enable
HQ# end HQ# end

HQ# config firewall addrgrp HQ# config firewall address


HQ# set member "VPN1 net" HQ# edit "VPN2 net"
"VPN2 net" "MPLS net" HQ# set subnet 172.16.2.0/30
HQ# set allow-routing enable HQ# set allow-routing enable
HQ# end HQ# end

36
1.3. Web server virtual IP
To configure port forwarding for the DMZ web server and make it accessible from the public
network, we created a web server virtual IP in the 'Virtual IPs' section of the 'Policy & Objects'
menu. The virtual IP forwards IPv4 address 100.10.10.3 TCP port 80 to 192.168.50.2 port 80,
and we set the WAN1 interface as the entry interface for our web server.

Figure 42 Web Server Port forwarding configuration

2. SDWAN rules for Traffic priority and QoS


As there is so much dependency on the MPLS network and wan1 because of the
performance they provide we have to protect them from stress loads and over traffic, so we
GHFLGHGWRVSOLWWKHWUDIILFLQWRWRZFULWHUL
hronization
and low delay such as VoIP and streaming traffic (Real time traffic) and the unimportant traffic
WKDWZRQ¶WEHERWKHUHGE\KLJKGHOD\VXFKXV
So, we will use the ToS value within the IPv4 datagram as a point of reference in our rules to
differentiate Real Time traffic from none real time traffic.
2.1. Real Time Traffic rule:
Initially, we create two highly optimized SD-WAN rules that prioritize and route Real-
Time Traffic (ToS=0x70) to their destinations, ensuring high-quality connectivity and
optimal network performance. According to the results provided by the SLAs.
The first rule ³
Acces-Branch-site-RealTime-Traf´
routes Real-Time Traffic from trusted
LAN, DMZ and P2P group interfaces to "Branch site" over "MPLS".
7KHVHFRQGUXOH³$FFHVV
-Internet-RealTime-7UDI´URXWHV5HDO
-Time Traffic from trusted
/$19/$1DQG'0=WRDOOGHVWLQDWLRQVRYH

37
Figure 43 Access Branch Site Real Time Traffic Rule

Figure 44 Access Internet Real Time Traffic Rule


Also using CLI we can create those 2 rules.

HQ# config system sdwan HQ# config system sdwan


HQ# config service HQ# config service
HQ# edit 1 HQ# edit 1
HQ# set name "Access-Branch-site-RealTimeTraf" HQ# set name "Access-Internet-RealTimeTraff"
HQ# set mode priority HQ# set mode priority
HQ# set priority-members 3 HQ# set priority-members 1
HQ# set src "trusted lan" ³'0=´ "P2P group" HQ# VHWVUFWUXVWHGODQY
HQ# set dst "Branch site" HQ# set dst all
HQ# set tos 0x70 HQ# set tos 0x70
HQ# set tos-mask 0xf0 HQ# set tos-mask 0xf0
HQ# set health-check "Branch Site SLA" HQ# set health-check "Internet SLA"
HQ# set link-cost-factor "best quality" HQ# set link-cost-factor "best quality"
HQ# end HQ# end
HQ# end HQ# end

38
2.2. None Real Time Traffic
And then, we create two additional SD-WAN rules that prioritize and route non-Real-Time
Traffic (ToS=0x20) to their destinations According to the results provided by the SLAs.
The first rule ³
Acces-Branch-site-NoneRealTime-Traf´
routes non-Real-Time Traffic from
trusted LAN, DMZ DQG33JURXSWRWKH%UDQFKVLWHR
-tunnel1&VPN-tunnel2.
The second rule´$FFHVV
-Internet-NoneRealTime-Traf´prioritizes and routes non-Real-
Time Traffic from trusted LAN, VLAN40, and DMZ interfaces to all destinations over
³:$1´

Figure 45 Access Branch Site None Real Time Traffic Rule

Figure 46 Access Internet None Real Time Traffic Rule

39
2.3. Failover Rules
To SURYLGHIDLORYHUEHWZHHQ³ZDQ´DQG³ZDQ
, we created an ³
Access-Internet
Rule´in the SDWAN rules that uses the Internet SLA. For the Quality of Service (QoS) criteria,
we select Latency, and we set the source address to include ³
DMZ,́ ³
vlan40,́ and the ³W
rusted
lan group".

Figure 47 Access Internet Rule

In order to provide reliable access to a branch site, we configure a an SDWAN rule with a
priority mode and specify the members´931 ´
-WXQQHO´
VPN-WXQQHO´DQG³03/6´
, source
DGGUHVVHV³WUXVWHGORFDOODQ´
, and destination DGGUHVVWR³EUDQFKVLWH´
. We also associate the
rule with a health check ³%UDQFKVLWH6/$´
that monitors the network conditions.

Figure 48 Access Branch Site Rule

40
3. Branch Site Router tracked static routes
3.1. Route to HQ through MPLS
We will configure the static route to HQ site 192.168.0.0/18 to be forwarded through next
hop address of 172.17.0.1 which is the IPv4 address of the MPLS interface of HQ site then
we link this route with the track object 1 which is linked to SLA1.
Branch Site# ip route 192.168.0.0 255.255.192.0 172.17.0.1 track 1

3.2. Route to HQ through VPN tunnels 1&2


We will configure the static route to HQ site 192.168.0.0/18 to be forwarded through next
hop address of 172.16.1.1 which is the IPv4 address of the VPN-tunnel1 interface of HQ site
and also next hop address of 172.16.2.1 which is the IPv4 address of the VPN-tunnel2
interface of HQ site then we link those routes with the track object 2&3 which is linked to
SLA2 & 3.
Branch Site# ip route 192.168.0.0 255.255.192.0 172.16.1.1 track 2
Branch Site# ip route 192.168.0.0 255.255.192.0 172.16.2.1 track 3
3.3. Tracking Default static route
we modify default route with a next hop of 100.30.30.1 and associate it with a track object
4 which is linked to SLA 4.
ip route 0.0.0.0 0.0.0.0 100.30.30.1 track 4

Then, we set up a backup default route with a next hop of 172.17.0.1 (through the MPLS) and
a metric of 2, and associate it with track object 1 If the track object goes down, the
corresponding route is removed from the routing table.
ip route 0.0.0.0 0.0.0.0 172.17.0.1 2 track 1

this way we created an Internet failover path for the Branch Site Router.
3.2. Tracked static routing table

Figure 49 Branch site tracked Static Routing Table

41
4. IPv4 Firewall Policies.
4.1. Intervlan policy
Interlvan SROLF\DOORZVWKH9/$1VWRFRPPXQLFDWH
be isolated as it is for Guests Navigate to Policy & object>Firewall policy.
So, we allow 9/$1VWRFRPPXQLFDWHZLWKHDFKRWKHU¶V
. No NAT
is needed and no security profiles is used as the traffic is local.

Figure 50 Firewall policy intervlan


4.2. Access internet policy
To filter traffic using security profiles and enable the local network to connect to the internet
via the SDWAN interface, we created an internet access policy that will accept the traffic going
through the SDWAN LQWHUIDFHIURPWKHWUXVWHGORFDO³O
´
³'0=³DQG³9/$1´
we
use security profiles as well as NAT in order to provide additional layers of security on to the
traffic.

Figure 51 Firewall policy Internet access

42
4.3. Branch site traffic
To enable communication to the branch site, we set up a firewall policy that allows traffic
to flow from local HQ site site to the Branch site. we enable the policy and configure the out
coming and incoming interfaces as ³O
DQ³
and ³6'
-:$1´
. No NAT or security profiles is
needed as the traffic is flowing through trusted connections (VPNs and MPLS).

Figure 52 Firewall policy to branch site


Here, we define a firewall policy that allows traffic to flow from the branch site to the
trusted LAN. we enable the policy and configure the out coming and incoming interfaces as
³
SDWAN´and ³ODQ´
. No NAT or security profiles is needed as the traffic is flowing through
trusted connections (VPNs and MPLS).

Figure 53 Firewall policy from branch site

43
4.4. Access DMZ web server firewall policy
This policy will allow the incoming traffic from SDWAN to our web server to pass allowing
only HTTP and HTTPS traffic. The source address is all and destination is the virtual IP we
created for the web server:HGRQ¶WXVH1$7LQWKHSROLF\
NAT, we use security profiles to guarantee a level of security inspection.

Figure 54 Firewall policy from internet to DMZ web server

4.5. Branch-site access internet Policy


At last, we create a firewall policy that allows any traffic from the "branch site" and "MPLS
net" source addresses to the internet through the SDWAN interface using NAT and security
profiles, this policy will allow the branch site to have a backup way to access the Internet
through the MPLS.

Figure 55 Firewall policy branch site access internet


44
4.6. Firewall policies summery table
Firewall IPv4 Policies exported as CSV format and organized in a table
Name Source Destination Schedule Service Action NAT
Security Log
Profiles
intervlan trusted trusted always ALL ACCEPT Disabled no- UTM
local local lan inspection
lan DMZ
DMZ
to DMZ branch site always ALL ACCEPT Disabled certificate- All
branch P2P P2P group inspection
site group
trusted
local
lan
from branch DMZ P2P always ALL ACCEPT Disabled certificate- All
branch site group inspection
site P2P trusted
group local lan
internet DMZ all always ALL ACCEPT Enabled default UTM
access vlan40 default
trusted default
local default
lan certificate-
inspection

from all web server always ALL ACCEPT Disabled default All
internet default
to dmz default
web default
server certificate-
inspection

branch- branch all always ALL ACCEPT Enabled default UTM


site site default
access MPLS default
internet net default
certificate-
inspection

Table 4 Firewall policies exported

45
5. Security feature: guest web portal authentication
For the guest vlan (vlan40) users should ask permission when they want to access internet
using the security mode: captive portal within the vlan40 interface which will ask the user for
a password when the want to surf the web. The password and username are pre-built in the
FortiGate users database as guest group.

Figure 56 Guests web portal


6. Testing
6.1. SDWAN rules Decisions
Here we can see the chosen interface based on the Latency criteria of each SDWAN rule
The rules are organized from the most precise rule to the least.

Figure 57 All SDWAN rules overview

46
6.2. HQ internet failover
To test SDWAN internet failover, we sent a stream of ICMP packets from a PC in VLAN10
to Google DNS 8.8.8.8 while disconnecting the WAN1 link. Two packets were lost, but
connectivity was later restored through WAN2, causing a change in latency.

Figure 58 HQ internet failover test

6.3 Branch Site Internet failover


Then, in the branch site local network, we send a stream of ICMP packets to google DNS
8.8.8.8 and then we disconnect the Internet link notice that after dropping 4 packets the
connectivity is restored through the MPLS network.

Figure 59 Branch site internet failover test


6.4. Testing Connectivity between sites and failover
In the same way we test the failover from Branch site to HQ as well as from HQ to Branch
Site we disconnect first the MPLS circuit so the SDWAN will switch to VPN1 as it has the
lowest latency then we also disconnect the VPN1 so the SDWAN will switch to VPN2.

47
notice that there are 2 breaks in the connectivity.

Figure 60 Connectivity between sites and failover test


6.5. Testing DMZ configuration
Here We create a small web server using the toolbox Docker container and hosted a small
web page inside the server (HTML code is included in annex).
We will try to reach the web page by its public IPv4 address 100.10.10.3 from a virtual PC
outside the local network.
But if we try to ping that address, we get no response this is due to the policy we made, it allows
only HTTP and HTTPS traffic to enter.

Figure 61 web server reachability test

48
6.6. QoS traffic testing
Next, we test the QoS rules by trace routing some packets that we modified the ToS value
accordingly to match the VoIP traffic value (ToS = 0x70) and the mail and web value (ToS=
0x20).
Test 1 ToS = 0x70 traffic is passing by wan1(100.10.10.1) and by MPLS (172.17.0.2)

Figure 62 Real time traffic test


Test 2 ToS = 0x20 traffic is passing by wan2(100.20.20.1) and by VPN1(172.16.1.2).

Figure 63 None Real time traffic test

And in this graph, we can see the impact of those rules on the average latency during 24h

Performence Comparaison for 24 hours


Before SDWAN After SDWAN Acceptable latency

130 Stress time


120
110
AVERAGE LATENCY IN MS

100
90
80
70
60
50
40
30

TIME

Figure 64 Performance comparison graph

49
6.5. Testing guests web portal and reachability
Eventually, in order for the guest device to connect to public network an authentication is
required.

Figure 65 Guest authentication portal test

Also, we try to ping the VLAN10 interface from a guest device but no packet received this is
due to the Intervlan policy we made that prevent VLAN40 from reaching other VLANs

Figure 66 Guests reachability test

Conclusion
In conclusion, through the successful configuration of the network infrastructure, we are
now able to provide reliable and secure access to the internet and connectivity between the two
sites through the SDWAN using MPLS and IPsec VPN tunnels and providing a QoS traffic
split over.

50
General Conclusion

our team has successfully implemented a robust and reliable network infrastructure that meets
the needs of our organization. With the use of SD-WAN, MPLS circuits, and IPsec VPN
tunnels, we have significantly improved connectivity between our HQ and branch sites.
Moreover, the application of Quality of Service (QoS) rules has improved our network
infrastructure to better fulfill the organization's requirements.
One of the key features of our network infrastructure is the implementation of Fortinet's
FortiGate Next-Generation Firewall. This has significantly enhanced our security posture and
has allowed us to better protect our data and network from potential threats. With the use of
FortiGate, we have been able to implement advanced threat protection, secure connectivity,
and simplified management, which has resulted in improved security and reduced risk for our
organization.
From a strategic perspective, our network infrastructure has provided us with a strong
foundation to support our organization's growth and expansion plans. With the ability to easily
scale and adapt to new business requirements, we are confident that our network infrastructure
will continue to support our organization's success in the long term.
Overall, our project has enabled the company to improve its network performance, increase
security, and reduce costs. We are proud of the work we accomplished as a team and confident
that our work will have a positive impact on the company's productivity and success, both in
the short and long term.

51
References

[1] Cisco Catalyst 2960 Series Switches. Electronic book, Author Cisco , edited on
January 8, 2014
[2] https://www.cisco.com/c/en/us/products/collateral/routers/1900-series-integrated-
services-routers-isr/data_sheet_c78-598389.html , web page consulted on February
14, 2023
[3] https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/257828/sd-
wan-components-and-design-principles , web page consulted on February 29, 2023
[4] QuickStart Guide FortiGate/FortiWiFi 40F & 60F Series , Electronic book ,author
Fortinet edited on December 1, 2022
[5] https://asifulhaque.com/scrum-methodology-understanding-the-process-of-agile-
software-development/ , web page consulted on March 19, 2023
[6] http://igm.univ-mlv.fr/~dr/XPOSE2006/marot/architecture.html , web page consulted
on April 18, 2023
[7] https://www.sotetel.tn/fr/sotetel/a-propos/ , web page consulted on February 11, 2023
[8] https://www.paloaltonetworks.com/cyberpedia/mpls-what-is-multiprotocol-label-
switching , web page consulted on March 23, 2023
[9] https://docs.vmware.com/ , web page consulted on February 17, 2023
[10] https://docs.gns3.com/ , web page consulted on February 18, 2023
[11] https://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7, web page 28
April 2023
Annex

A1- this is the HTML code for the web page we tested connectivity with

<!DOCTYPE html>
<html>
<head>
<title>sotetel</title>
</head>
<body style="background-color: #003c4f; color: white;">
<table border="0" cellspacing="0" cellpadding="0" align="center">
<tbody>
<tr>
<td style="text-align: center;"></td>
</tr>
<tr>
<td>
<h1 style="text-align: center;">SOTETEL</h1>
</td>
</tr>
<tr>
<td>
</td>
</tr>
</tbody>
</table>
</body>
</html>

A2-Guest user in HQ FortiGate


<!DOCTYPE html>
<html>
<head>
<title>sotetel</title>
</head>
<body style="background-color: #003c4f; color: white;">
<table border="0" cellspacing="0" cellpadding="0" align="center">
<tbody>
<tr>
<td style="text-align: center;"></td>
</tr>
<tr>
<td>
<h1 style="text-align: center;">SOTETEL</h1>
</td>
</tr>
<tr>
<td>
</td>
</tr>
</tbody>
</table>
</body>
</html>
A3-FortiGate 60F specifications

A4- FortiGate 60F dashboard


A5-VLAN interfaces

A6-Creating VLAN interface using CLI

HQ# config system interfaces HQ# config system dhcp server


HQ# edit vlan10 HQ# edit 2
HQ# set alias vlan10 HQ# set dns-service default
HQ# set type vlan HQ# set default-gateway192.168.10.1
HQ# set vlanid 10 HQ# set netmask 255.255.255.0
HQ# set vdom root HQ# set interface vlan10
HQ# set interface port4 HQ# config ip-range
HQ# set allow-access ping http https ssh HQ# edit1
HQ# set ip 192.168.10.1/24 HQ# set start-ip 192.168.10.2
end HQ# set end-ip 192.168.10.254
HQ# end
HQ# end
HQ# config system interfaces
HQ# edit vlan10 HQ# config system dhcp server
A7-
HQ#Branch Router
set alias vlan10IPsec Tunnel phase1 and phase 2HQ# edit 2
HQ# set type vlan HQ# set dns-service default
HQ# set vlanid 10 HQ# set default-gateway192.168.10.1
HQ# set vdom root HQ# set netmask 255.255.255.0
HQ# set interface port4 HQ# set interface vlan10
HQ# set allow-access ping http https ssh HQ# config ip-range
HQ# set ip 192.168.10.1/24 HQ# edit1
end HQ# set start-ip 192.168.10.2
HQ# set end-ip 192.168.10.254
HQ# end
HQ# end
A8-Creating Firewall policies using CLI

HQ# config firewall policy HQ# config firewall policy


HQ# edit 1 HQ# edit 4
HQ# set name "intervlan" HQ# set name "access internet"
HQ# set status enable HQ# set status enable
HQ# set srcintf lan HQ# set srcintf lan
HQ# set dstintf lan HQ# set dstintf SDWAN
HQ# set srcaddr "trusted lan" "dmz" HQ# set srcaddr "trusted lan" "vlan40" "dmz"
HQ# set dstaddr "trusted lan" "dmz" HQ# set dstaddr all
HQ# set service ALL HQ# set service ALL
HQ# set schedule always HQ# set schedule always
HQ# set action accept HQ# set action accept
HQ# set nat disable HQ# set nat enable
HQ# end HQ# end

HQ# config firewall


HQ# config firewall policy
policy HQ#
HQ# config
config firewall
firewall policy
policy
HQ# edit 3
HQ# edit 1 HQ# edit
HQ# edit 4 2
HQ# set name "intervlan"
"to branch site" HQ#
HQ# set set
namename "frominternet"
"access branch site"
HQ# set status enable HQ# set status enable
HQ# set status enable
HQ# set srcintf lan HQ#
HQ# set set srcintf
srcintf lan SDWAN
HQ# set dstintf lan
SDWAN HQ# set dstintf
HQ# set dstintf SDWANlan
HQ# HQ#
set set srcaddr "branch
lan"site" "P2P group"
HQ# set
set srcaddr
srcaddr "trusted
"trusted lan"
lan" "dmz" HQ# srcaddr "trusted "vlan40" "dmz"
HQ# HQ# set dstaddr "trusted lan"
HQ# set
set dstaddr
dstaddr "trusted
"branch lan"
site" "dmz"
"P2P group" HQ# set dstaddr all
HQ# set service ALL HQ#
HQ# set set service
service ALL ALL
HQ# set service ALL HQ# set schedule always
HQ# set schedule always HQ# set schedule always
HQ# set schedule always HQ# set action accept
HQ# set action accept HQ# set action accept
HQ# set action accept HQ#
HQ# set nat disable HQ# set set
nat nat disable
enable
HQ# set nat disable HQ#
HQ# end HQ# endend
HQ# end
HQ# config firewall policy
HQ# config firewall policy HQ# config firewall policy HQ# edit 2
HQ# edit 5 HQ# set name "from branch site"
HQ# edit 3
HQ# set name "branch site access internet"
HQ# set status enable
HQ# set name "to branch site" HQ# set status enable
HQ# set status enable HQ# set srcintf SDWAN
HQ# set srcintf SDWAN HQ# set dstintf lan
HQ# set srcintf lan HQ# set dstintf SDWAN HQ# set srcaddr "branch site" "P2P group"
HQ# set dstintf SDWAN HQ# VHWVUFDGGUEUDQFKVLWH³03/6Q
HQ# set dstaddr "trusted lan"
HQ# set srcaddr "trusted lan" HQ# set dstaddr all
HQ# set service ALL
HQ# set dstaddr "branch site" "P2P
HQ# group"
set service ALL HQ# set schedule always
HQ# set service ALL HQ# set schedule always HQ# set action accept
HQ# set schedule always HQ# set action accept HQ# set nat disable
HQ# set action accept HQ# set nat enable HQ# end
HQ# set nat disable HQ# end
HQ# end
HQ# config firewall policy
HQ# edit 5
HQ# set name "branch site access internet"
HQ# set status enable
HQ# set srcintf SDWAN
A9-Redundunt VPN tunnel creation

HQ# config vpn ipsec phase1- HQ# config vpn ipsec phase2-
interface interface
HQ# edit "vpn-tunnel2" HQ# edit "vpn-tunnel2"
HQ# set interface port2 HQ# set phase1name "vpn-
HQ# set remote-gw 100.30.30.2 tunnel2"
HQ# set nattraversal disable HQ# set proposal des-md5
HQ# set psksecret tunnel2 HQ# set keylifeseconds 3600
HQ# set proposal des-md5 HQ# set keepalive enable
HQ# set dhgrp 2 HQ# set auto-negotiate enable
HQ# set keylife 86400 HQ# set dhgro 2
HQ# end HQ# end

HQ# config vpn ipsec phase1- HQ# config vpn ipsec phase2-
interface interface
HQ# edit "vpn-tunnel2" HQ# edit "vpn-tunnel2"
HQ# set interface port2 HQ# set phase1name "vpn-
HQ# set remote-gw 100.30.30.2 tunnel2"
HQ# set nattraversal disable HQ# set proposal des-md5
HQ# set psksecret tunnel2 HQ# set keylifeseconds 3600
HQ# set proposal des-md5 HQ# set keepalive enable
HQ# set dhgrp 2 HQ# set auto-negotiate enable
HQ# set keylife 86400 HQ# set dhgro 2
HQ# end HQ# end

You might also like