FortiSDWAN Introduction

Traditional WANs utilize private multiprotocol label switching (MPLS) links, which carry a premium price for connectivity. More important than cost, however, is productivity. Most traditional WANs feature a “hub-and-spoke” architecture that funnels branch network traffic back to the organization’s main data center for filtering and security checks.

Ideally, enterprises should implement SD-WAN technology, which can determine which path best meets performance expectations for a particular application and assign packets or sessions to that WAN path. This results in faster connectivity, cost savings, and better performance for Software-as-a-Service (SaaS) applications as well as digital voice and video services.

FortiGate firewalls include Secure SD-WAN capabilities, providing both networking and security for SD-WAN branch networks in a single solution. This allows NGFW features such as IPS, antivirus, and application control to be used to ensure secure connectivity.

Fortinet SD-WAN Overview
Traditional WANs utilize private multiprotocol label switching (MPLS) links, which carry a premium price for connectivity. Most traditional WANs feature a “hub-and-spoke” architecture that funnels branch network traffic back to the organization’s main data center for filtering and security checks.

While this provides centralized protection, it also increases latency and slows down network performance. This is an especially acute problem for cloud-based tools like Voice over IP (VoIP) and videoconferencing technologies, which typically require high-quality performance.

Fortinet FortiGate next-generation firewalls (NGFWs) include Secure SD-WAN capabilities that deliver security-driven networking in a unified solution. The Fortinet solution boosts application performance through instant identification and intelligent routing. Additional features increase branch network performance while simplifying security and compliance risk management workflows.

SD-WAN Fundamentals
SD-WAN Core Capabilities:

  • Multi-path control
  • Application awareness
  • Dynamic application steering

SD-WAN protects application availability and performance across the corporate WAN or across the internet to multi-cloud environments by leveraging WAN path failover, link aggregation, link remediation, and active path performance metrics. Essentially, SD-WAN determines which path best meets performance expectations for a particular application and assigns packets or sessions to that WAN path.

The SD-WAN interface consists of a group of member interfaces that can be connected to different link types. SD-WAN simplifies your network configuration because you configure a single set of routes and firewall policies and apply them to all member interfaces. You also configure various types of criteria that the FortiGate then uses to select the best links for your network traffic.

FortiGate delivers routing protocol support (e.g., BGP and OSPF) and VPN pairing as a spoke or hub, enables WAN optimization via protocol optimization, byte caching, and object caching, and even acts as an access layer controller.

Secure SD-WAN

Branches with SD-WAN require advanced security capabilities at the network edge. It is not enough to simply provide direct internet access with SD-WAN. Organizations need a Secure SD-WAN with built-in threat protection. Secure SD-WAN provides a security stack at the branch edge where it will provide direct services without traversing the corporate WAN.

Multi-path Control

The Secure SD-WAN solution must be able to distinguish between applications to leverage the full functionality of the solution. By distinguishing applications and controlling multi-path environments, Secure SD-WAN steers applications dynamically, per packet or per session, across the available paths to the corporate WAN or multi-cloud environments.

Fortinet presents two main strategies for organizations to steer applications: best quality and minimum quality service-level agreement (SLA). Best quality determines which path is outperforming the others on the chosen metrics by at least 10%. If the difference between the identified members is within the defined threshold, Secure SD-WAN selects the higher-priority link.
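
The best-quality rule described above, modeled in Python as an added example (not Fortinet code and not from the original article). It assumes latency is the chosen metric, that a lower priority number means a higher-priority link, and that "outperforming by at least 10%" means a latency of at most 90% of the current pick; the member names and measurements are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Member:
    name: str            # hypothetical member interface name
    priority: int        # assumption: lower number = higher priority
    latency_ms: float    # constructed health-check measurement
    alive: bool = True   # False when the link has failed its health check


def select_best_quality(members: Iterable[Member],
                        threshold_pct: float = 10.0) -> Optional[Member]:
    """Pick the forwarding member under the best-quality strategy.

    Walk the live members from highest to lowest priority. A lower-priority
    member replaces the current pick only if it beats it by at least
    threshold_pct; otherwise the higher-priority link is kept.
    """
    candidates = sorted((m for m in members if m.alive),
                        key=lambda m: m.priority)
    if not candidates:
        return None  # every member is down: no usable WAN path
    current = candidates[0]
    factor = 1.0 - threshold_pct / 100.0
    for challenger in candidates[1:]:
        if challenger.latency_ms <= current.latency_ms * factor:
            current = challenger
    return current


if __name__ == "__main__":
    # Constructed sample: mpls is only 5% faster, so wan1 keeps the traffic.
    links = [Member("wan1", 1, 40.0), Member("mpls", 2, 38.0)]
    print(select_best_quality(links).name)
```

Because each comparison is made against the current pick, two lower-priority links that both clear the threshold but sit within 10% of each other resolve to the higher-priority one of the pair, which also limits path flapping when measurements jitter.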

Sources:

https://www.fortinet.com/content/dam/fortinet/assets/solution-guides/sb-fortinet-sd-wan.pdf

https://events.bizzabo.com/ONECON19/agenda/session/144329

https://www.fortinet.com/content/dam/fortinet/assets/document-library/ra-sd-wan-reference-architecture.pdf