SD-WAN Basics Explained

Nov 29, 2023 | Elden Quesinberry

SD-WAN Has Become A Buzzword

Who’s not being bombarded with emails and ads claiming their SD-WAN solution will make your life easier by making your wide-area network less expensive and simpler to manage? It can, but buyer beware. SD-WAN stands for Software-Defined Wide-Area Networking. Let’s dive into some history and challenges of traditional WAN architecture to better understand how SD-WAN can help.

That Seventies Show

I come from the old-school stock of network engineers where WAN design included determining circuit type & bandwidth requirements, contracting with a provider to order, working with the provider to test & turn up, and implementing complex WAN protocols for routing. You accomplished that, and now you want another carrier path for diversity? You’re back to square one for the redundant circuits, plus you need to design & configure auto-failover. Do you need high-level visibility into what’s happening? Add another bolt-on product. Current SD-WAN solutions do indeed improve on this old-school design.

Historical WAN Challenges

Many traditional WAN designs involved a hub-and-spoke architecture where all remote site (spoke) traffic was back-hauled to a central data center location (hub). Historically this was acceptable, since the resources users accessed resided in the central data center(s). In today’s world, organizations have moved resources to the cloud and may also be running third-party cloud/SaaS applications. While there were some benefits to the hub-and-spoke design, such as central security controls within the hub, the time delays of backhauling traffic created application performance issues and poor user experience. Imagine a remote user in a California office running SaaS applications such as Office 365 and/or cloud CRM/ERP applications for most of their day. In the hub-and-spoke design, their traffic would have to be back-hauled to the East Coast data center and run through security checks such as IPS & web filtering before being routed out of the data center in the East to the destination target in the cloud. The return path was also back through the data center and to the remote site. The SaaS applications the user was running might even be located in a West Coast data center the next town over!

Interim Fixes For The Backhaul Issue

In years past, network engineers found that, by installing an Internet circuit at each remote location in addition to their existing connection back to the data center, they could allow cloud-based application traffic to exit directly from the remote site. While this solved potential backhaul & latency issues, it didn’t please their co-workers in IT security. In most instances, the organization had to purchase and install a firewall at the remote location for data protection and inspection in addition to the circuit termination device, typically a router. 

So the remote office firewall was installed – problem solved? Not exactly. Not only did organizations now have the expense of multiple network devices (including licensing & support) in each remote office, but the network & security teams also had the challenge of managing these devices since there were often no central tools. It is manageable with 10 locations, but what happens when growth goes to 100 or 1,000 locations?

SD-WAN Technology To The Rescue

Current SD-WAN technology solves the previously mentioned challenges.

A solid SD-WAN design should:

  • eliminate the need for a rigid hub-and-spoke WAN topology
  • improve user experience by allowing direct access to cloud resources
  • provide local security controls and policies
  • provide central network & security management
  • provide WAN redundancy & failover
  • have as few network and security devices as possible

A simple SD-WAN topology is depicted below. Users in the remote branch offices can directly access their SaaS & cloud applications, such as Office 365 and SAP, using the local Internet connection without traversing the MPLS circuit to the data center. This reduces bandwidth requirements for the MPLS circuit back to the data center, and in many cases, the costly MPLS circuit could be eliminated.

[Figure: simple SD-WAN topology diagram]

Today’s SD-WAN Technology

In SD-WAN’s simplest form, there are two main components: the underlay and the overlay.

A network underlay is the physical infrastructure that transports data, typically WAN circuits. The underlay can use various media such as Ethernet, cellular, and wireless. Typical underlay circuits include MPLS, Dedicated Internet Access (DIA), private wireless circuits, and 4G/5G cellular connections. Combine two or more of these circuits for diversity, and you have your underlay.

Using the concept of virtualization, the network overlay is software that creates a logical layer built on top of the physical underlay infrastructure. The overlay creates virtual network connections that span multiple physical underlay circuits, so a single logical path can be steered across whichever circuit is healthy at the moment.
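To make the underlay/overlay split concrete, here is a small Python model added for this post; it is not code from the article or from Fortinet. It treats each circuit as an underlay link with a health probe, and the overlay as a set of per-application steering rules that pick the preferred link meeting an SLA, fall back to the best remaining link, and report an explicit failure when every permitted link is down. The link names (mpls, dia, lte), the SLA thresholds, the two application policies and all latency/loss figures are constructed assumptions, not measurements from any real network.

```python
"""Toy SD-WAN overlay: steer each application over the underlay link that meets its SLA.

Added example for this post, not Fortinet's or any vendor's code. The link names
("mpls", "dia", "lte"), the SLA thresholds, the application policies and the
latency/loss figures are constructed assumptions standing in for real circuits
and real probe telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class UnderlayLink:
    """One physical circuit in the underlay, with its most recent health probe."""
    name: str
    latency_ms: float   # constructed sample measurement
    loss_pct: float     # constructed sample measurement
    up: bool = True


@dataclass(frozen=True)
class SlaProfile:
    """Performance the application needs before a link counts as healthy for it."""
    max_latency_ms: float
    max_loss_pct: float

    def met_by(self, link: UnderlayLink) -> bool:
        return (link.up
                and link.latency_ms <= self.max_latency_ms
                and link.loss_pct <= self.max_loss_pct)


@dataclass(frozen=True)
class AppPolicy:
    """Overlay steering rule: where the app's traffic exits and which links it may use."""
    name: str
    exit_path: str                    # "direct-internet" (local breakout) or "overlay-tunnel" (to data center)
    sla: SlaProfile
    preferred_links: tuple[str, ...]  # order = preference when several links meet the SLA


def select_link(policy: AppPolicy, links: list[UnderlayLink]) -> str | None:
    """Pick the underlay link for one policy.

    1. The first preferred link that is up and within SLA wins (cheapest acceptable path).
    2. If no link meets the SLA, fall back to the lowest-latency link that is still up,
       so the application degrades instead of failing.
    3. If every permitted link is down, return None so the caller can alert and drop
       explicitly rather than blackhole the traffic silently.
    """
    by_name = {link.name: link for link in links}
    candidates = [by_name[n] for n in policy.preferred_links if n in by_name]
    for link in candidates:
        if policy.sla.met_by(link):
            return link.name
    still_up = [link for link in candidates if link.up]
    if not still_up:
        return None
    return min(still_up, key=lambda link: link.latency_ms).name


def steer_all(links, policies) -> dict[str, tuple[str | None, str]]:
    """Map every application to (chosen link, exit path) for the current link health."""
    return {p.name: (select_link(p, links), p.exit_path) for p in policies}


def build_sample_site():
    """Constructed branch: MPLS to the data center, DIA and LTE for local Internet."""
    links = [
        UnderlayLink("mpls", latency_ms=30.0, loss_pct=0.0),
        UnderlayLink("dia", latency_ms=20.0, loss_pct=0.1),
        UnderlayLink("lte", latency_ms=60.0, loss_pct=1.0),
    ]
    policies = [
        # SaaS breaks out locally; it never needs to traverse the MPLS circuit to the hub.
        AppPolicy("office365", "direct-internet", SlaProfile(100.0, 2.0), ("dia", "lte")),
        # Internal ERP rides the overlay tunnel to the data center: MPLS first, DIA as backup.
        AppPolicy("erp", "overlay-tunnel", SlaProfile(50.0, 0.5), ("mpls", "dia")),
    ]
    return links, policies


if __name__ == "__main__":
    links, policies = build_sample_site()
    by_name = {link.name: link for link in links}
    print("steady state:   ", steer_all(links, policies))
    by_name["dia"].loss_pct = 5.0          # simulated brownout on the Internet circuit
    print("DIA lossy:      ", steer_all(links, policies))
    by_name["mpls"].up = False             # simulated MPLS outage
    print("MPLS down too:  ", steer_all(links, policies))
```

Running the script walks through three states of the same branch: in steady state SaaS leaves over DIA and ERP rides MPLS; when DIA turns lossy, SaaS moves to LTE while ERP is untouched; when MPLS also fails, ERP falls back to the degraded DIA circuit rather than dropping. The point for a defender is that the overlay decision is made per application against an explicit policy, which is what lets the branch firewall keep local controls on the direct-Internet path while the hub path stays available for internal systems.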

What makes Fortinet’s SD-WAN unique?

Fortinet’s SD-WAN is a comprehensive solution that offers advanced security features and high performance, making it stand out from other SD-WAN solutions. Here are some key features that make Fortinet’s SD-WAN unique:

1. Integrated Security: 

Fortinet’s SD-WAN includes a range of security features such as Next-Generation Firewall (NGFW), Secure Web Gateway (SWG), Intrusion Prevention System (IPS), and Advanced Threat Protection (ATP). These features protect against threats like malware, ransomware, and other cyberattacks. All the features above come in a single Unified Threat Protection (UTP) product package – no additional features to purchase or license.

2. High Performance: 

Fortinet’s SD-WAN solution is designed to provide high performance even in the most demanding environments. It can handle large amounts of traffic and support multiple WAN links for maximum uptime and path redundancy.

3. Easy to Deploy and Manage: 

Fortinet’s solution is easy to deploy and manage with centralized management and configuration through Fortinet’s FortiManager and FortiAnalyzer platforms. This reduces the time and effort required to set up and maintain the SD-WAN solution.

4. Cloud Connectivity: 

Fortinet’s SD-WAN provides seamless integration with cloud services, allowing organizations to connect their on-premises infrastructure with SaaS applications & cloud resources. This makes it easier to migrate applications and workloads to the cloud.

5. Cost-effective: 

Fortinet’s SD-WAN is cost-effective compared to traditional WAN solutions. How much is the SD-WAN license, you ask? Nothing – it’s already included in the base UTP bundle! In addition to allowing organizations to reduce the cost of WAN connectivity by leveraging low-cost Internet links and potentially eliminating expensive MPLS circuits, the Fortinet solution can replace your organization’s multiple network devices, such as a separate firewall/router and a separate SD-WAN appliance at each site.

Want To Learn More About Fortinet SD-WAN and Zero Trust?

Make a free call to Layer8 – it’s that easy. We’ve been a Fortinet partner for over 15 years, have achieved the highest Expert Partner level, and have been awarded Fortinet’s SD-WAN Specialization certification. Contact us today for a free consultation to see if your organization can save money while providing your users with a better experience. Stay tuned; we’ll write more on ZTNA in the coming weeks.