Secure SD-WAN Fortinet – Enterprise use cases

From a technical point of view, Fortinet SD-WAN consists of a single virtual interface per VDOM, which in turn groups several physical or virtual interfaces, up to a maximum of 256 members. One of the main advantages of this design concerns configuration and management: firewall policies and routing can be defined on this single object, which then applies the settings to all the interfaces it includes.

In other words, taking the simple and widespread example of a branch office with a Local Area Network (LAN) and two Wide Area Network (WAN) links to two different Internet Service Providers (ISPs), typically a primary and a backup connection, it is possible to configure a single static default route via the SD-WAN interface and a single outbound (Internet access) firewall policy.

Fortinet Unified Threat Management (UTM) profiles can be applied to this policy to provide all the security controls required for protection and compliance. The policy allows traffic from the LAN to the Internet through the outgoing SD-WAN interface and lets the FortiGate device dynamically route that traffic on the basis of the defined criteria, strategy, and parameters. It also balances the traffic load across the links, so users benefit from their combined capacity.

Fortinet SD-WAN lets a user configure traffic balancing with different load-balancing algorithms, for example by bandwidth, by session usage, or by application. Another important feature of SD-WAN is the constant measurement of link quality through SLA performance checks, which measure latency, jitter, and packet loss for each connection in real time. SD-WAN rules make it possible to steer delay-sensitive applications, such as VoIP and video streams, to the link with the best jitter and latency, while lower-priority traffic, such as HTTP and HTTPS, is routed to the lower-performing connections.

SD-WAN uses either the Internet Services database or the application control database to route traffic to a specific link. Both databases are kept up to date through periodic FortiGuard releases. Note that using the application control database for accurate application identification requires SSL deep inspection.


Enterprise use cases

From a topology design point of view, in a multi-site enterprise the SD-WAN technology provides flexibility by removing the dependence on a single carrier. A VPN overlay can connect the branches and the headquarters (HQ) with hub-and-spoke topologies such as star and extended star, or with full or partial mesh. It is thus possible to use one or more MPLS connections for critical applications and one or more VPN tunnels over one or more local Internet breakouts for the other types of traffic, which optimizes the available bandwidth and increases performance. Unlike infrastructures that converge all traffic to the center of the star over an MPLS network alone, this design lets applications hosted in the public cloud be reached directly from the branches' own Internet access.


Another option is to move away from MPLS connections entirely by equipping each branch with two or more Internet connections and building a VPN network between the branches. This approach ensures redundancy and business continuity. It also reduces the management costs of private geographic links, since it is possible to rely on different ISPs depending on territorial availability and convenience.


The next article will explore the configuration details of this last use case.