SD WAN with FortiGate – Explained


Software Defined Wide Area Networking (SD-WAN) is a buzzword that seems to be here for the long haul. It carries the same longevity like other recently coined words such as Next Generation Firewall, Cloud Access Security Broker, etc. It signifies a shift from the traditional (dare I say legacy) ways that enterprises conduct their business in regards to networking. With as much attention that this word gets, there is still a disconnect as to the purpose it serves enterprise networks these days.

Figure. – Diagram of basic SD-WAN topology


Traditionally, network sensitive applications were typically handled through the use of Multi-Protocol Label Switching (MPLS) networks. These are dedicated links provided by a telecommunications company that had well defined Service Level Agreements (SLAs) by the provider to ensure the business that the network would meet a certain threshold when it comes to network characteristics such as latency and jitter. These types of circuits are known to be very expensive but were used by businesses because there were really no better ways to guarantee network performance.

To get an understanding of why there is a huge shift to adopt SD-WAN, let’s identify some of the issues that plague this legacy paradigm:

Mulit-Protocol Switching Label (MPLS) WAN links are expensive

Doing a quick search in Google, I discovered a PDF that lists costs for Verizon MPLS ports. According to this document, a 30 Mbps bandwidth port will cost the business $656.24 per month! Compare this with commodity business class Internet (Verizon Fios) that supports 150 Mbps bandwidth for $79.99 per month! Looking at the difference in price, can theoretically get 8 Fios circuits for the price of one MPLS circuit.

Intelligent Failover Requirements

The increased usage of latency/jitter sensitive applications (such as video conferencing and VoIP) that are less tolerant to sub-optimal network conditions, require a solution that is able to monitor the network beyond the standard link up/down and probe (ping) response. Also, networks need sub-second network convergence when a link does fail or show conditions that are not conducive to support the requirements for a network application.

MPLS WAN links are slower to provision than commodity circuits

A quick search in Google shows that on average, MPLS provisioning can take upwards to 60 days, and that is in the US. In other countries, it could take upwards to 120 days depending on the infrastructure and capabilities of the provider in those environments. However, many commodity circuits can be provisioned within a week and in some cases, the same day the circuit is ordered (i.e. dealing with wireless providers). This greatly shortens the amount of time needed to make an office operational with connectivity back to headquarters or the cloud.

Better control (security/path selection) over different traffic types

Traditional path control relies on using normal network based path control based on the network address where the destination network resides. In more intelligent platforms, the layer four (port) information of the protocol could be leveraged as well.

However, in cloud connected environments where multiple applications may be hosted in the same network address space on the same port (think web applications), this does not allow granular control with routing. SD-WAN solutions address this by using deep packet inspection to identify the application of the packet and use that criteria to define policy to route the traffic.

In addition to that, SD-WAN solutions have capabilities to help control Quality of Service (QoS) by giving order and precedence to certain traffic in case of link congestion.

SD-WAN Requirements

In order to take advantage of SD-WAN capabilities, there are a certain level of requirements that must be met by the environment SD-WAN will be deployed in.

SD-WAN Requires Multiple Circuits for Connectivity

SD-WAN overcomes the lack of SLA by commodity circuits by spreading the risk over multiple circuits at the same time. The thought process is that a virtual circuit bundle comprised of multiple circuits will meet a defined SLA within in a certain time period, given that one or more circuits will meet the SLA requirements of the network applications utilizing that virtual circuit bundle.

SD-WAN Requires an Overlay Network

One of the consequences with leveraging many disparate internet circuits is that there is no control over the paths those circuits take to get to a common network. To accommodate for this, most SD-WAN solutions require an overlay network to route packets over to ensure a common topology for routing between networks. Creating this overlay network gives the SD-WAN administrator more control to provide a predictable path (built on top of the underlay network) for routing packets between two locations. This overlay network is commonly built with some type of tunneling/encapsulating protocol such as IPSec.

Secure SD-WAN with Fortinet

SD-WAN solutions typically provide a standard feature set comprised of:

  • Network measurement (through active or passive probing)
  • Intelligent path control to route traffic based on network characteristics like latency, jitter and packet loss
  • Forward Error Correction (FEC) for adding reliability to data transmission
  • Application awareness via Deep Packet Inspection (DPI) of network streams
  • Low (Zero) Touch Deployment and orchestration of SD-WAN solutions.

The FortiGate’s main differentiation when it comes to SD-WAN is that it is one of the few providers that has a “secure” SD-WAN solution. FortiGates is classified as a Next Generation Firewall (NGFW) with an embedded SD-WAN solution. This provides a distinctive advantage with this platform to allow you to implement enterprise class network security with intelligent path control built-in to the platform. Below are some highlights to capabilities specific to the FortiGate.

Source Based SD-WAN

The FortiGate does not need an overlay controller to provide the intelligent path control within its SD-WAN configuration. All decisions regarding the SD-WAN is made from the source of the traffic thus allowing the SD-WAN to be decentralized and not necessarily requiring a complete vendor lock-in to utilize the SD-WAN feature.

This is specifically useful when performing load balancing of WAN connections from disparate ISPs. These load balancing methods can support a variety of methods to distribute load across multiple WAN circuits.

Figure. – Screenshot of load balance algorithms supported by FortiGate SD-WAN

Enterprise Security Features

The FortiGate’s pedigree of being a NGFW gives it a distinct capability of supporting common enterprise grade security features. These features consist of the following:

  • Anti-Virus
  • Intrusion Prevention
  • Content Filtering
  • Application Control
  • Cloud-Application Inspection
  • User Identity via Single-Sign On
  • DNS Inspection
  • Web Application Firewall

Dedicated Hardware for Overlay Network

The FortiGate has purpose built hardware that is used to accelerate throughput associated with IPSec VPN (commonly used for the overlay network). This allows for high throughput application with minimal delay (latency) with network applications that are sensitive to the sub-optimal conditions. Due to this, lower end FortiGates can be leveraged in remote locations providing a cost effective solution to enable highly capable solutions.

Figure. – Picture of SoC4 ASIC

This initial post serves are an overview of SD-WAN as well as a means to annotate the capabilities associated with the Fortinet SD-WAN solution. Subsequent posts will detail the configurations associated with this solution as well as provide demonstrations of the solution in action.

4.7 3 votes
Article Rating
Notify of
Inline Feedbacks
View all comments