FortiGate evaluates metrics defined within a performance SLA with respect to each member in the SD-WAN policy. If the primary path does not meet the SLA for the defined threshold(s), FortiGate will move the traffic to an alternate path. If no path meets the threshold(s), FortiGate chooses the path with the highest priority. To aid application steering, the Secure SD-WAN solution provides active path metrics. In conjunction with customer-defined SLAs, the SD-WAN policy engine determines which paths are viable transports for each application.
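The selection rule described above (try members in priority order, use the first one inside the SLA, and if none qualifies fall back to the highest-priority member rather than dropping traffic) is easy to misread, so here is a small simulation of it. This is an added example, not Fortinet code or FortiGate output: the member names, the SLA thresholds and the per-round probe metrics are all constructed, and the model ignores refinements a real unit applies (hold-down timers, link cost modes, multiple SLA targets per member).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    """Thresholds a member must satisfy (constructed values, not a Fortinet default)."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class Probe:
    """One round of measured path metrics for one SD-WAN member."""
    member: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def sla_violations(probe: Probe, sla: Sla) -> list:
    """Name every threshold the measured metrics exceed (empty list means in SLA)."""
    bad = []
    if probe.latency_ms > sla.max_latency_ms:
        bad.append("latency")
    if probe.jitter_ms > sla.max_jitter_ms:
        bad.append("jitter")
    if probe.loss_pct > sla.max_loss_pct:
        bad.append("packet-loss")
    return bad


def select_path(priority_members, probes, sla):
    """Pick the member that carries traffic for one measurement round.

    priority_members: member names in preference order (index 0 is the primary).
    probes: the latest metrics for each member.
    Returns (chosen_member, reason).
    """
    by_name = {p.member: p for p in probes}
    for name in priority_members:
        probe = by_name.get(name)
        if probe is None:
            continue  # no measurement for this member yet: skip it this round
        if not sla_violations(probe, sla):
            return name, "in-sla"
    # Nothing meets the SLA: use the highest-priority member instead of blackholing.
    return priority_members[0], "all-out-of-sla"


def steer(priority_members, rounds, sla):
    """Run selection over successive rounds and flag every path change."""
    history = []
    current = None
    for n, probes in enumerate(rounds, start=1):
        chosen, reason = select_path(priority_members, probes, sla)
        history.append((n, chosen, reason, chosen != current))
        current = chosen
    return history


# Constructed scenario: a voice SLA and three members, MPLS preferred.
VOICE_SLA = Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
PRIORITY = ["mpls", "broadband", "lte"]
ROUNDS = [
    # round 1: everything healthy
    [Probe("mpls", 20, 2, 0.0), Probe("broadband", 35, 8, 0.1), Probe("lte", 60, 20, 0.5)],
    # round 2: MPLS degrades on latency and jitter
    [Probe("mpls", 210, 40, 0.0), Probe("broadband", 35, 8, 0.1), Probe("lte", 60, 20, 0.5)],
    # round 3: every link is out of SLA
    [Probe("mpls", 210, 40, 0.0), Probe("broadband", 400, 90, 3.0), Probe("lte", 500, 120, 6.0)],
    # round 4: MPLS recovers
    [Probe("mpls", 22, 3, 0.0), Probe("broadband", 35, 8, 0.1), Probe("lte", 60, 20, 0.5)],
]

if __name__ == "__main__":
    for n, member, reason, changed in steer(PRIORITY, ROUNDS, VOICE_SLA):
        flag = "  <-- path change" if changed else ""
        print(f"round {n}: {member:9s} ({reason}){flag}")
```

Round 3 is the case worth noticing: with every member out of SLA the traffic returns to the primary, so a monitoring rule that only alerts on "path changed" would see a switch back to MPLS and could mistake a total degradation for a recovery; the reason field is what distinguishes the two.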

Application Awareness and Automated Path Intelligence

With traditional WAN, enterprises have a hard time maintaining the quality of user experience per application. Traditional WAN infrastructure relies on packet routing, which limits application visibility.

Fortinet Secure SD-WAN uses “first-packet identification” to intelligently identify applications on the very first packet of data traffic. This broad application awareness helps network teams see which applications are being used across the enterprise, enabling them to make well-informed decisions regarding SD-WAN policies. Fortinet Secure SD-WAN references an application control database of over 5,000 applications, a number that continues to grow as both the threat landscape and digital network evolve.

Being application aware opens the doors to automated path intelligence—prioritizing routing across network bandwidth based on the specific application and user. Offering a per-application level SLA, Fortinet Secure SD-WAN automated path intelligence dynamically selects the best WAN link/connection for the situation.

FortiGate NGFWs that feature the new SOC4 application-specific integrated circuit (ASIC) enable the fastest application steering in the industry, including unrivaled application identification performance. This includes deep SSL/TLS inspection with the lowest possible performance degradation. Related features include:

  • WAN path remediation, which utilizes forward error correction (FEC) to overcome adverse WAN conditions such as poor or noisy links. This enhances data reliability and delivers a better user experience for applications like voice and video services. FEC adds error correction data to the outbound traffic, allowing the receiving end to recover from packet loss and other errors that occur during transmission. This improves the quality of real-time applications.
  • Tunnel bandwidth aggregation, which provides per-packet load balancing and delivery by combining two overlay tunnels to maximize network capacity if an application requires greater bandwidth.
  • Automatic failover capabilities, which change to the best available link when the primary WAN path degrades. This automation is built into FortiGate NGFWs, reducing complexity for end-users while improving their experience and productivity.
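To make the FEC bullet concrete, here is a minimal block-parity FEC of the kind used for WAN path remediation: the sender appends one XOR parity frame to every block of k data frames, and the receiver rebuilds a single lost frame per block from the parity. This is an added example, not Fortinet's FEC implementation (the product's scheme and parameters are not described on this page); it assumes fixed-size frames, as voice codecs produce, a frame count that is a multiple of k, and constructed payloads.

```python
def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def fec_encode(payloads, k):
    """Group fixed-size payloads into blocks of k and append one XOR parity frame per block.

    Each frame is a dict {block, idx, parity, data}; the parity frame carries idx == k.
    """
    assert len(payloads) % k == 0, "example assumes whole blocks"
    frame_len = len(payloads[0])
    frames = []
    for block_id, start in enumerate(range(0, len(payloads), k)):
        parity = bytes(frame_len)
        for i, p in enumerate(payloads[start:start + k]):
            assert len(p) == frame_len, "example assumes fixed-size frames"
            frames.append({"block": block_id, "idx": i, "parity": False, "data": p})
            parity = xor_bytes(parity, p)
        frames.append({"block": block_id, "idx": k, "parity": True, "data": parity})
    return frames


def simulate_loss(frames, dropped):
    """Return the frames that survive transit; 'dropped' is a set of (block, idx) pairs."""
    return [f for f in frames if (f["block"], f["idx"]) not in dropped]


def fec_decode(frames, k):
    """Reassemble payloads, recovering one missing data frame per block via the parity.

    Returns (payloads_in_order, stats); unrecoverable positions are None.
    A block from which every frame was lost is simply absent from the output.
    """
    blocks = {}
    for f in frames:
        entry = blocks.setdefault(f["block"], {"data": {}, "parity": None})
        if f["parity"]:
            entry["parity"] = f["data"]
        else:
            entry["data"][f["idx"]] = f["data"]

    out, stats = [], {"recovered": 0, "unrecoverable": 0}
    for block_id in sorted(blocks):
        entry = blocks[block_id]
        missing = [i for i in range(k) if i not in entry["data"]]
        if len(missing) == 1 and entry["parity"] is not None:
            # parity XOR all surviving data frames == the one missing frame
            acc = entry["parity"]
            for d in entry["data"].values():
                acc = xor_bytes(acc, d)
            entry["data"][missing[0]] = acc
            stats["recovered"] += 1
        elif missing:
            # two or more losses in one block exceed what single parity can repair
            stats["unrecoverable"] += len(missing)
        out.extend(entry["data"].get(i) for i in range(k))
    return out, stats


# Constructed input: eight 2-byte frames, blocks of four, one parity frame per block.
PAYLOADS = [f"p{i}".encode() for i in range(8)]
K = 4
# Drop one frame from block 0 (recoverable) and two from block 1 (not recoverable).
DROPPED = {(0, 2), (1, 0), (1, 1)}

if __name__ == "__main__":
    received = simulate_loss(fec_encode(PAYLOADS, K), DROPPED)
    out, stats = fec_decode(received, K)
    print(out, stats)
```

The overhead is one extra frame per k data frames, and the protection is exactly one loss per block; the second block in the constructed run shows the failure mode, which is why FEC helps on links with scattered loss but cannot substitute for failover when a path is failing outright.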

SD-WAN Interfaces

The FortiGate Secure SD-WAN solution is largely composed of autonomous underlay and overlay interfaces aggregated into a single virtual WAN link. Administrators must specify at least two virtual WAN link member interfaces. SD-WAN should be configured early during the initial setup of FortiGate because interfaces already referenced by a firewall policy or static route are not eligible to be added as a member interface.

Underlay transport. The raw transport typically associated with the wire attached to the FortiGate device. There is a one-to-one relationship between underlay interfaces and FortiGate physical interfaces. Examples include MPLS, broadband, or 4G/LTE connections over Ethernet.

Overlay transport. A virtual interface riding an underlay transport. There may be a one-to-many (physical interface to overlay interface) relationship for overlay transports. Examples include IPsec tunnel and VLAN interfaces.

Virtual Private Network Connections

VPN connections are instrumental in Secure SD-WAN deployments. Because VPN tunnels are overlay interfaces, a deployment often has several tunnels per underlay interface. FortiGate supports numerous connections for IPsec tunnels and architectures, from common hub and spoke and partial mesh, to full mesh VPN architectures.

FortiGate includes auto-discovery VPN (ADVPN) to dynamically negotiate on-demand direct VPNs between spoke sites with the assistance of the hub site. While this capability typically requires the use of routing protocols so spokes are able to learn routes from one another, the FortiGate device serving in the hub role maintains a record of networks for each spoke and is able to communicate routes while facilitating a direct connection between two spokes. It also allows administrators to add forward error correction (FEC) to IPsec VPN members to lower the packet loss ratio for critical business applications like voice and video.
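The hub-assisted shortcut behaviour described above can be modelled in a few lines: the hub records each spoke's public address and advertised networks, the first spoke-to-spoke packet still rides the hub tunnel, and the hub uses its records to hand the sender the peer's address so later packets go direct. This is an added illustration, not FortiOS code and not the ADVPN protocol messages themselves; the spoke names, the RFC 5737 documentation addresses and the private prefixes are constructed, and the routing-protocol exchange is reduced to the hub's lookup table.

```python
import ipaddress


class Hub:
    """Hub that keeps every spoke's underlay address and advertised networks (constructed model)."""

    def __init__(self):
        self.spokes = {}  # spoke name -> {"address": str, "networks": [ip_network]}

    def register(self, name, address, networks):
        self.spokes[name] = {
            "address": address,
            "networks": [ipaddress.ip_network(n) for n in networks],
        }

    def owner_of(self, dst):
        """Which spoke advertises the network containing dst, or None."""
        ip = ipaddress.ip_address(dst)
        for name, info in self.spokes.items():
            if any(ip in net for net in info["networks"]):
                return name
        return None

    def shortcut_offer(self, requester, dst):
        """Tell the requesting spoke which peer owns dst and where that peer can be reached."""
        owner = self.owner_of(dst)
        if owner is None or owner == requester:
            return None
        return owner, self.spokes[owner]["address"]


class Spoke:
    """Spoke that forwards via the hub until a shortcut to the owning peer exists."""

    def __init__(self, name, address, networks, hub):
        self.name, self.hub = name, hub
        self.shortcuts = {}  # peer name -> peer address (direct tunnel established)
        hub.register(name, address, networks)

    def forward(self, dst):
        """Describe how one packet to dst is forwarded at this moment."""
        owner = self.hub.owner_of(dst)  # stands in for routes learned via the hub
        if owner == self.name:
            return "local"
        if owner in self.shortcuts:
            return f"direct:{owner}"
        offer = self.hub.shortcut_offer(self.name, dst)
        if offer is None:
            return "hub"  # unknown destination: stays on the hub tunnel (default route)
        peer, peer_addr = offer
        # This packet still transits the hub; the shortcut is ready for the next one.
        self.shortcuts[peer] = peer_addr
        return f"hub;shortcut-negotiated:{peer}@{peer_addr}"


def build_topology():
    """Constructed two-spoke topology used by the demo and the checks below."""
    hub = Hub()
    a = Spoke("spokeA", "203.0.113.10", ["10.1.0.0/24"], hub)
    b = Spoke("spokeB", "198.51.100.20", ["10.2.0.0/24"], hub)
    return hub, a, b


if __name__ == "__main__":
    hub, a, b = build_topology()
    for dst in ("10.2.0.5", "10.2.0.6", "192.0.2.9", "10.1.0.7"):
        print(f"{a.name} -> {dst}: {a.forward(dst)}")
```

The point for a defender is the state the hub must hold: every shortcut decision depends on the hub's per-spoke network records being correct, so a spoke advertising a prefix it does not own would attract shortcuts for that prefix; route filtering on the hub is the usual control.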
