Deploying Fortinet SD-WAN can transform your network, but it is critical to get the design right from the outset. Much like revisiting a home improvement project, IT deployments often reveal lessons you would apply if you had a second chance. Layer8 Consulting has created this guide to provide advanced considerations to future-proof your Fortinet SD-WAN deployment, ensuring scalability, adaptability, and resilience when unexpected challenges arrive. This article builds on our previous posts SD-WAN Basics Explained and A Manufacturer's Look: Exploring the Advantages of a Fortinet SD-WAN.
Interface zones are logical groups that contain one or more firewall interfaces. While it may sometimes seem unnecessary, using firewall interface zones in security policies significantly improves flexibility for future changes, even if the zone only contains one interface. For example, adding a new VLAN on the LAN or changing out WAN links because of a new ISP becomes much easier with zones in place.
In addition to traditional firewall interface zones, FortiGate firewalls let you create SD-WAN zones. These act as containers for similar SD-WAN members (underlays or overlays), or they can group links in any other way that makes sense for the deployment. Because firewall policies and static routes reference the zone rather than the member interface, replacing a circuit means editing one member entry instead of every policy that used the old interface.
Pro Tip: Use zones along with SD-WAN rules for specialized traffic flows. This can simplify configurations when you need to prioritize applications, such as video conferencing, over general traffic.
SLAs (performance SLAs, or health checks) are the probes the FortiGate uses to decide which SD-WAN member is preferred. Each health check sends probes (ping, HTTP, DNS, and others) to a target through every member and measures latency, jitter, and packet loss; an SLA target then defines the thresholds a member must stay within. A member that meets its SLA targets remains eligible for its preferred rule; one that fails them can be demoted to a lower-priority member or excluded from the set used by a load-balanced path strategy, and a member whose probes stop answering altogether is marked dead and removed from routing.
In a general sense, Fortinet SD-WAN is like dynamic policy-based routing. Perform a policy route so long as a condition or conditions are met.
Any SD-WAN project will require a decision on routing strategy. For smaller or simpler deployments, static routing is perfectly acceptable; for larger enterprises, or ones with numerous non-contiguous subnets, a dynamic routing protocol should be considered. FortiGate supports standard protocols such as BGP and OSPF, with BGP being the preferred protocol for SD-WAN routing. For more advanced configurations, BGP can be coupled with ADVPN and SD-WAN to allow spoke-to-spoke shortcuts, self-healing of problematic circuits, and the use of BGP communities and route tags for advanced path selection.
Pro Tip: If you use a mix of MPLS and broadband links, create a hybrid routing strategy that dynamically shifts traffic based on link quality or business needs.
SD-WAN rules dictate how traffic is steered across members. They are evaluated top-down and the first rule whose source, destination, service or application criteria match wins, so rule hierarchy is crucial: specific rules (a latency-sensitive application to a known destination) belong above broad catch-all rules, and traffic that matches no rule falls through to the implicit rule, which follows the routing table and the configured load-balancing mode.
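The following FortiOS CLI configuration is an added example, not a configuration from the original article or from Fortinet; it ties together the zone, performance SLA and rule ordering discussed above. It assumes FortiOS 7.x syntax, two WAN members named wan1 and wan2, a LAN interface named lan, and constructed addresses from the RFC 5737 documentation ranges; the address object names, the probe target and the SLA thresholds are placeholders to adapt to your own design.

```fortios
# Added example (not from the article): FortiOS 7.x CLI; interface names,
# gateways, address objects and thresholds are placeholders.
config firewall address
    edit "LAN-Subnets"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "VideoConf-Servers"
        set subnet 203.0.113.128 255.255.255.192
    next
end

config system sdwan
    set status enable
    # Zone: policies and routes reference "underlay", not wan1/wan2, so an
    # ISP swap only touches the member entry below.
    config zone
        edit "underlay"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "underlay"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "underlay"
            set gateway 198.51.100.1
        next
    end
    # Performance SLA: ping probes every 500 ms; a member is dead after 5
    # failures and SLA 1 passes only while latency <= 150 ms, jitter <= 30 ms
    # and packet loss <= 2 %.
    config health-check
        edit "Internet"
            set server "1.1.1.1"
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
    # Rules match top-down, first match wins: the specific video rule sits
    # above the catch-all, which only load-balances across in-SLA members.
    config service
        edit 1
            set name "VideoConf-SLA"
            set mode sla
            set src "LAN-Subnets"
            set dst "VideoConf-Servers"
            config sla
                edit "Internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        edit 2
            set name "General-Internet"
            set mode load-balance
            set src "LAN-Subnets"
            set dst "all"
            config sla
                edit "Internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

# Default route and firewall policy point at the zone, never at an interface.
config router static
    edit 1
        set sdwan-zone "underlay"
    next
end
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "lan"
        set dstintf "underlay"
        set srcaddr "LAN-Subnets"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Rule 1 steers video conferencing to wan1 while wan1 meets SLA 1 and fails over to wan2 when it does not; rule 2 catches all other LAN-to-Internet traffic and spreads it across whichever members are currently in SLA. Verify the result with `diagnose sys sdwan health-check` (per-member latency, jitter and loss against the thresholds) and `diagnose sys sdwan service` (which member each rule currently selects).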
For designs featuring numerous FortiGate firewalls, FortiManager can be a force multiplier in deploying and maintaining the solution. This out-of-band management server (deployed as an on-premises VM, private cloud VM, or Fortinet SaaS solution) has built-in components for creating, deploying, and maintaining an SD-WAN solution.
Pro Tip: Use FortiManager’s SD-WAN Table View feature to provide a quick snapshot of link performance across all devices. Hovering over a given performance SLA, you can see more granular detail about how that SLA is performing according to its configuration.
At Layer8, we’ve successfully designed and deployed SD-WAN solutions ranging from straightforward setups to complex, multi-site configurations for businesses like a 200-location retail operation. If you’re ready to explore how Fortinet SD-WAN can enhance your network, our engineers are here to help.
Contact us today for a free consultation, and let’s discuss how to make your network more intelligent, faster, and more resilient.