Technical Deep Dive on Fortinet SD-WAN Design

Jan 3, 2025 | Rob Hutter

Deploying Fortinet SD-WAN can transform your network, but it’s critical to get the design right from the outset. Much like revisiting a home improvement project, IT deployments often reveal lessons you’d apply if you had a second chance. Layer8 Consulting has created this guide to provide advanced considerations to future-proof your Fortinet SD-WAN deployment, ensuring scalability, adaptability, and optimal performance for unexpected challenges. This article will build on our previous posts SD-WAN Basics Explained, and A Manufacturers Look: Exploring the Advantages of a Fortinet SD-WAN.

Firewall Interface and SD-WAN Zones

Interface zones are logical groups that contain one or more firewall interfaces. While it may sometimes seem unnecessary, using firewall interface zones in security policies significantly improves flexibility for future changes, even if the zone only contains one interface. For example, adding a new VLAN on the LAN or changing out WAN links because of a new ISP becomes much easier with zones in place.

Like traditional firewall interface zones, FortiGate firewalls offer the ability to create SD-WAN zones. These can be used as containers for similar interfaces (underlays or overlays), or they can be used to organize SD-WAN links in any other way that makes sense to the deployment.

Best Practices for Interface Zones:

  • Standardize Naming Conventions: Use clear, intuitive zone names (e.g., WAN_Zone1, LAN_Prod) to reduce confusion and simplify troubleshooting.
  • Group Similar Links: When creating SD-WAN zones, consider logical groupings, such as underlays, overlays, or link types. This enhances visibility and simplifies rule creation.
  • Separate Traffic Types: For multi-tenant environments or strict security requirements, segment zones by application type, such as guest traffic, VoIP, or business-critical apps.

Pro Tip: Use zones along with SD-WAN rules for specialized traffic flows. This can simplify configurations when you need to prioritize applications, such as video conferencing, over general traffic.

Service Level Agreements (SLAs)

SLAs are the health checks used by the FortiGate firewall to choose the most preferred SD-WAN member based on passing certain measured criteria. A few of the most common criteria used are ping response, latency, and jitter (although there are additional advanced criteria). Passing one or more SLA can allow the SD-WAN engine to select a customarily preferred interface or exclude an interface from load balanced path strategy.

Tips for Setting Up SLAs:

  1. Start Simple: Begin with basic SLAs (e.g., ping latency) and refine them after collecting real-world data.
  2. Plan for Failover Behavior: Be mindful of scenarios where all SLA tests fail, but links are not fully down—FortiGate may still route traffic through the “least bad” link unless configured otherwise. This can be a confusing point if the desire is to have the traffic skip down to a subsequent SD-WAN rule.

In a general sense, Fortinet SD-WAN is like dynamic policy-based routing. Perform a policy route so long as a condition or conditions are met.

Routing

Any SD-WAN project will require a decision on routing strategy. For smaller or simpler deployments, static routing is perfectly acceptable for larger enterprises or ones with numerous non-contiguous subnets; a dynamic routing protocol should be considered. FortiGate supports vendor-neutral protocols such as BGP and OSPF, with BGP being the preferred protocol for SD-WAN routing. For more advanced configurations BGP can be coupled with ADVPN and SD-WAN to allow for spoke-to-spoke shortcuts, self-healing of problematic circuits, as well as the use of BGP communities and route tagging for advanced path selection.

Pro Tip: If you use a mix of MPLS and broadband links, create a hybrid routing strategy that dynamically shifts traffic based on link quality or business needs.

SD-WAN Rules

SD-WAN rules dictate how traffic is routed, and their top-down evaluation makes proper rule hierarchy crucial.

Rule Configuration Tips:

  1. Prioritize Specificity: Place more specific rules, like application-based policies, above general ones.
  2. Use Predefined Internet Services: FortiGate includes pre-built services for applications like Office 365 and Zoom, which saves time and ensures accurate routing.
  3. Available routes: You can use route-tagged networks learned via BGP communities in your rules.
  4. Consider Cost-Saving Policies: Direct non-critical traffic, such as guest or IoT data, through cost-effective broadband links while reserving premium bandwidth for business-critical applications.

Advanced Tip:

  • Use Inferior Routes for Better Control: You can select a learned route with an inferior administrative distance instead of one existing in the routing table. If this is done make sure it meets the business or technical requirement at hand.

FortiManager

For designs featuring numerous FortiGate firewalls, FortiManager can be a force multiplier in deploying and maintaining the solution. This out-of-band management server (deployed as an on-premises VM, private cloud VM, or Fortinet SaaS solution) has built-in components for creating, deploying, and maintaining an SD-WAN solution.

Key Features to Leverage:

  • Template-Based Deployment: Reduce deployment time and enforce consistency across multiple locations.
  • Historical SLA Data Retention: Analyze long-term trends to optimize SLAs and troubleshoot recurring issues.
  • SD-WAN Monitor Map: Use this dashboard feature to monitor performance and identify potential bottlenecks before they impact operations.

Pro Tip: Use FortiManager’s SD-WAN Table View feature to provide a quick snapshot of link performance across all devices. Hovering over a given performance SLA, you can see more granular detail about how that SLA is performing according to its configuration.

Would Fortinet’s SD-WAN solution benefit your organization?

At Layer8, we’ve successfully designed and deployed SD-WAN solutions ranging from straightforward setups to complex, multi-site configurations for businesses like a 200-location retail operation. If you’re ready to explore how Fortinet SD-WAN can enhance your network, our engineers are here to help.

Contact us today for a free consultation, and let’s discuss how to make your network more intelligent, faster, and more resilient.