In my last SD-WAN Basics Explained blog post, I mentioned some historical WAN challenges and associated fixes from “back in the old days.” Also included were challenges along with what makes Fortinet’s SD-WAN solution unique. I’d like to start this blog by reviewing the Fortinet SD-WAN solution and by adding some additional info on SD-WAN benefits and feature updates. After that, we’ll move on to a more in-depth discussion of the SD-WAN components and underlying technologies. Our next SD-WAN blog will be written by one of our Senior Consultants here at Layer8 for a technical deep dive into practical applications and configuration nuggets.
Fortinet’s SD-WAN is a comprehensive solution that offers advanced security features, physical medium/circuit redundancy, along with high performance, making it stand out from other SD-WAN solutions. Here are some key features that make Fortinet’s SD-WAN unique:
Fortinet’s SD-WAN includes a range of security features, such as a Next-Generation Firewall (NGFW), Intrusion Prevention System (IPS), web filtering, and Advanced Threat Protection (ATP). These features protect against threats like malware, ransomware, and other cyber-related attacks. All the features above come in a single bundled Unified Threat Protection (UTP) security services package – no additional features to purchase or license. Configure wired and wireless network segmentation (a hot cyber insurance topic) while you’re at it – again, at no additional cost.
We’ve been doing circuit redundancy for years, so what’s the big deal you ask? What if you could have 2 or 3 circuits configured as a logical bundle yet direct traffic to a particular physical circuit based on application or traffic type with failover? Not impressed? What if you could configure health checks based on latency, packet loss, jitter, etc., to automatically steer traffic should a pre-configured threshold be reached? Still need more to win you over? How about doing all the above and being able to rate-limit the traffic on a given path even while using a basic configuration of static default routes? Now we’re cooking!
Fortinet’s SD-WAN solution is designed to provide high performance even in the most demanding environments. It can handle large amounts of traffic and support multiple WAN links for maximum uptime and path redundancy. The heart of Fortinet’s SD-WAN solution is the FortiGate firewall. In appliance form, it contains purpose-built ASIC chips designed to offload CPU cycles from the main processor. FortiGate firewalls have been Fortinet’s flagship product for over 20 years and are currently the most widely deployed firewall on the global market.
Fortinet’s solution is easy to deploy and manage. You can start with a basic SD-WAN configuration with static routes in a single location and progress to multiple locations. Centralized management and configuration can be added using the FortiManager platform to reduce the time and effort required to set up and maintain the SD-WAN environments while utilizing a single-pane-of-glass interface. For additional remote sites and/or if spoke-to-spoke communication is required, dynamic routing can be added.
Fortinet’s SD-WAN provides seamless integration with cloud services, allowing organizations to connect their on-premises infrastructure with SaaS applications & cloud resources. This makes it easier to migrate applications and workloads to the cloud. The Fortinet SD-WAN design allows easy integration into Zero Trust Network Access (ZTNA) and/or Fortinet’s single-vendor Secure Access Service Edge (SASE). A headquarters or hub FortiGate can now be connected & integrated into the SASE cloud.
Fortinet’s SD-WAN is cost-effective compared to traditional WAN solutions. How much is the SD-WAN license, you ask? Nothing – it’s already included in the base firmware of the FortiGate! How much to integrate the FortiGate into an existing FortiSASE cloud? Same answer – no additional cost. In addition to allowing organizations to reduce the cost of WAN connectivity by leveraging lower-cost broadband internet/cellular connections and potentially eliminating expensive MPLS circuits, the Fortinet solution can replace your organization’s existing multiple vendor network devices such as a separate router, firewall, and SD-WAN appliance at each site. I didn’t even mention the simplicity of management for additional cost savings!
Fortinet’s SD-WAN solution is built on five critical pillars (Underlay, Overlay, Routing, Security, and SD-WAN) that ensure robust, secure, and efficient network performance:
As seen in the graphic above, the first four pillars—Underlay, Overlay, Routing, and Security—combine to create and secure all available paths to all potential destinations. Note that nothing in these first four pillars determines where the various traffic types will flow. The configuration of these four pillars does not change during the network’s regular operation.
How does this work, you ask? It uses two main dynamic technologies: good old BGP routing and optional dial-up or auto-discovery VPN tunnels, known as ADVPN in FortiSpeak. For basic hub-and-spoke network topologies where the spoke sites do not need to communicate with each other directly, ADVPN is not needed but can be added later once spoke sites do need to communicate with each other without going through a hub site.
The fifth pillar (SD-WAN) provides the intelligence to decide which circuit path will be selected when and for which application. This SD-WAN pillar is made up of administratively configured rules and dynamically measured metrics (health checks). Let’s dive into a little background on each of the five pillars.
For those of you seasoned network folk, the underlay is simply the WAN & LAN network. For the WAN, the underlay can be a combination of various circuit types: DIA (Dedicated Internet Access), private connections such as MPLS, cellular/LTE, etc. A recent 300+ site SD-WAN deployment that Layer8 designed and implemented had one of each of the circuit types above for a total of three paths. The beauty of the overall design is that the MPLS circuit (or any of the other circuits) can be swapped out for a lower-cost or higher-bandwidth circuit at any time, depending on requirements, with very little configuration change. We’ve even built SD-WAN configurations for clients where there is only a single circuit today, but the client is in the process of adding a secondary WAN connection. Add the new interface into the pre-configured SD-WAN zone, and off they go. Other standard network technologies include DHCP for the WAN & LAN, link aggregation on the LAN, etc. The FortiGate is ideally suited to handle this pillar due to the speed of the device, the number of available interfaces, DHCP/DNS services, etc.
This pillar is a logical layer built on top of the Underlay pillar. It consists of virtual connections, most typically a VPN tunnel in a hub-and-spoke topology. While smaller networks can use nailed-up site-to-site IPsec tunnels, this becomes an administrative burden should the network and the number of sites grow. For anything more than a small deployment, Layer8 would recommend using Fortinet’s Auto-Discovery VPN (ADVPN) technology. ADVPN can dynamically build “dial-up” VPN tunnels, which make larger SD-WAN deployments more scalable, especially if spoke-to-spoke communication is required. Site-to-site auto-tunneling is not a requirement on day 1 of ADVPN. Dynamic hub tunnels can be utilized, and site-to-site ADVPN functionality can be added at a later date if desired.
Fortinet’s SD-WAN relies on Border Gateway Protocol (BGP), a dynamic routing protocol that’s been in use for over 30 years. While conventional firewall and router configurations use BGP to route or steer traffic over multiple paths using a variety of metrics, in Fortinet’s SD-WAN design it is used simply to learn about all available paths to all destinations. The SD-WAN pillar is the component that actually directs & steers the traffic based on health checks and SD-WAN policy rules.
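To show how the Overlay and Routing pillars fit together, here is an added example (not Layer8’s configuration and not from the original post) of a minimal ADVPN hub with one spoke, with iBGP running over the tunnel so the hub learns and reflects every site’s prefixes, written in FortiOS 7.x CLI syntax. The interface names, the documentation-range addresses, the AS number, the tunnel subnet and the pre-shared-key placeholder are all assumptions; the real PSK must be replaced, and larger deployments would normally use certificate authentication instead.

```text
# --- HUB: dynamic phase1 that accepts any spoke, ADVPN sender role ---
config vpn ipsec phase1-interface
    edit "HUB-ADVPN"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set psksecret "PSK-PLACEHOLDER-replace-before-use"
    next
end
config vpn ipsec phase2-interface
    edit "HUB-ADVPN-p2"
        set phase1name "HUB-ADVPN"
        set proposal aes256-sha256
    next
end
# tunnel interface address: hub is .254, spokes take other /32s in 10.255.1.0/24
config system interface
    edit "HUB-ADVPN"
        set ip 10.255.1.254 255.255.255.255
        set remote-ip 10.255.1.253 255.255.255.0
    next
end
# iBGP: hub is a route reflector, spokes peer dynamically from the tunnel range
config router bgp
    set as 65001
    set router-id 10.255.1.254
    config neighbor-group
        edit "SPOKES"
            set remote-as 65001
            set route-reflector-client enable
            set update-source "HUB-ADVPN"
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.255.1.0 255.255.255.0
            set neighbor-group "SPOKES"
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.255.0
        next
    end
end

# --- SPOKE: static phase1 to the hub, ADVPN receiver role ---
config vpn ipsec phase1-interface
    edit "SPOKE-HUB1"
        set interface "wan1"
        set ike-version 2
        set net-device enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 203.0.113.10
        set psksecret "PSK-PLACEHOLDER-replace-before-use"
    next
end
config vpn ipsec phase2-interface
    edit "SPOKE-HUB1-p2"
        set phase1name "SPOKE-HUB1"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end
config system interface
    edit "SPOKE-HUB1"
        set ip 10.255.1.1 255.255.255.255
        set remote-ip 10.255.1.254 255.255.255.0
    next
end
config router bgp
    set as 65001
    set router-id 10.255.1.1
    config neighbor
        edit "10.255.1.254"
            set remote-as 65001
            set update-source "SPOKE-HUB1"
        next
    end
    config network
        edit 1
            set prefix 10.2.0.0 255.255.255.0
        next
    end
end
```

The two settings that make this an ADVPN design rather than a plain site-to-site tunnel are `auto-discovery-sender` on the hub and `auto-discovery-receiver` on the spoke; with only those set, every spoke still has a hub tunnel on day 1 and shortcut tunnels between spokes are negotiated later only when spoke-to-spoke traffic appears. `add-route disable` on both ends keeps IPsec from injecting routes so that BGP remains the single source of reachability, matching the Routing pillar described above. Field names vary slightly between FortiOS releases, so check the CLI reference for the version in use before pasting.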
With traditional firewalls and routers, security inspection and traffic management were performed at the interface ingress/egress points. The FortiGate uses SD-WAN zones, which are interfaces logically configured into a group, and a security policy applied to the group. It is a best practice to limit and secure traffic at its origin versus the central hub site. Why allow undesirable or unsecured spoke-to-hub traffic to consume valuable WAN bandwidth? Blocking traffic at the spoke is also critical if spoke-to-spoke communication is permitted. Also, by using SD-WAN zones, policy creep is avoided, and growth is better scaled.
The SD-WAN pillar is where the magic happens. As previously mentioned, this pillar is a combination of health monitoring and configured traffic policy designed to steer application traffic out of the various SD-WAN overlays or underlays. The health monitors can be configured to constantly check measurable categories such as probe reachability, SLA targets, protocol, and link status. On top of that, SD-WAN rules can be configured to steer selected application traffic of your choice out of a given physical interface or load-balanced across multiple interfaces.
The Fortinet SD-WAN solution is practical for several reasons:
Rob Hutter, one of our Senior Consultants, will discuss best practice configurations for a Fortinet SD-WAN design, offer helpful tips, and explain how to avoid common mistakes. Rob has designed and implemented several Fortinet SD-WAN solutions. Follow us on LinkedIn and stay tuned for more!!!