SDWAN: Chapter-2: Fortinet Secure SD-WAN
Fortinet Secure SD-WAN
FortiGate delivers fast, scalable, and flexible Secure SD-WAN on-premises and in the cloud. Fortinet Secure SD-WAN supports cloud-first, security-sensitive, and global enterprises, as well as the hybrid workforce. Our Secure Networking approach uses one operating system and consolidates SD-WAN, next-generation firewall (NGFW), advanced routing, and ZTNA application gateway functions.
Fortinet’s Secure SD-WAN solution relies on well-known FortiOS features, which are:
· IPsec (overlays)
· Auto-Discovery VPN (ADVPN)
· Advanced routing (BGP)
· Link monitoring (estimated bandwidth)
· ISDB (Internet Service Database)
· Traffic shaping (QoS)
· Load balancing
· UTM profiles (web filter, IPS, AV, etc.)
The administrator can then combine these features and set rules that define how FortiGate steers traffic across the WAN based on multiple factors, such as the protocol, service, or application identified for the traffic, and the quality of the links. Note that SD-WAN controls egress traffic, not ingress traffic. This means that the return traffic may use a different link from the one SD-WAN chose for egress. Below are the benefits of Fortinet’s Secure SD-WAN:
· Effective WAN usage
· Use of hybrid WAN (ILL and MPLS)
· Improved application performance by steering over the best links, based on performance SLA
· Use of ADVPN (Fortinet proprietary) for direct communication between two branches over IPsec tunnels
· Less load on the hub thanks to ADVPN, and reduced latency for spoke-to-spoke communication
· Potential use of FortiManager (FMG) for Zero Touch Deployment (ZTP) and of the rest of the Security Fabric to create a secure SD-Branch solution
· Traffic inspection using the FortiGate IPS engine and the application signatures provided by FortiGuard for application identification
Below diagram shows the Architecture components of SD-WAN.
Fortinet Secure SD-WAN Common Use Cases
· Direct Internet Access (DIA), more commonly known as local internet breakout. This applies where a site has multiple internet links and traffic is load balanced across them. In the example below, wan2 and LTE are used simultaneously to access Zoom and Office 365.
· Branch to data center connectivity using IPsec/overlay tunnels. This leverages the multiple types of WAN connections available at branch and hub locations so that the branch can access the applications behind the data center.
· Branch to branch communication using ADVPN (Auto-Discovery VPN). This is the use case where enterprise branches want to communicate with each other for a variety of applications.
· Remote Internet Breakout (RIA): the use case for an enterprise where the branch has no local internet breakout and relies on the data center’s leased lines for internet access.
· Dual hub (active-active): the use case where a branch connects over IPsec tunnels to two active hubs, each hosting different applications.
· Multi-region hub: each region has its own SD-WAN topology, which can be single or dual hub. ADVPN shortcuts can be established between devices within a region, but inter-region traffic must always flow through the regional hubs.
Fortinet Secure SD-WAN Fundamentals
Let’s start the SD-WAN deep dive by understanding the SD-WAN fundamentals, which are an essential part of any Fortinet SD-WAN enterprise solution. Once you are competent in these fundamentals, you will understand the basics of SD-WAN, which in turn form the basis of an enterprise SD-WAN.
Below are the fundamentals, or building blocks, of Fortinet’s Secure SD-WAN:
· SD-WAN members
· SD-WAN zones
· Performance SLA
· SD-WAN rules
· SD-WAN routing (static/dynamic)
· Firewall policies
SD-WAN Members: Members, also known as underlay links, are existing physical or logical FortiOS interfaces that you select to be part of SD-WAN. The interfaces are then used to steer traffic based on the configured SD-WAN rules. In a general SD-WAN enterprise solution, the members can be of the following types:
i. MPLS
ii. ILL
iii. Broadband/PPPoE
iv. LTE
v. VLAN
SD-WAN Zones: Zones are logical groupings of interfaces. When an SD-WAN member is configured, a zone must be assigned to it. The goal of SD-WAN zones is to reference them in the configuration instead of individual members, which optimizes the configuration by avoiding duplicate settings and helps achieve network segmentation. When set, the Gateway setting is used as the next hop to forward traffic through the member. There is one default zone on a FortiGate firewall, and the rest of the zones are created as required:
· virtual-wan-link
Performance SLA: Once SD-WAN zones and members are created, Performance SLAs are used to monitor the health of SD-WAN members. FortiGate Performance SLAs monitor the state of each member, whether it is alive or dead, and measure the member’s:
· packet loss
· latency
· jitter
SD-WAN then uses the member health information to make traffic steering decisions based on the configured SD-WAN rules. For example, you can instruct FortiGate to steer internet traffic to a member provided the member is alive and its latency doesn’t exceed a given threshold. Performance SLAs also detect situations where the interface is physically up but FortiGate is unable to reach the desired destination, and flag the corresponding link as dead.
SD-WAN Rules: Once zones and Performance SLAs are configured, traffic is steered using SD-WAN rules. SD-WAN rules are also used to set the preferred zone/member for the policy. SD-WAN rules are evaluated in the same way as firewall policies, i.e. from top to bottom using the first match. However, unlike firewall policies, they are used to steer traffic, not to allow it. When SD-WAN rules are used, corresponding firewall policies are configured to allow the SD-WAN traffic.
There is an implicit SD-WAN rule created by default. If none of the user-defined SD-WAN rules are matched, then the implicit rule is used. By default, the implicit rule load balances the traffic across all available SD-WAN members.
When creating an SD-WAN rule there are four interface selection strategies available, of which one is chosen:
· Manual: members are assigned manually.
· Best Quality: the member with the best performance (based on the SLA targets) is selected.
· Lowest Cost (SLA): members that meet the SLA targets are preferred; in case of a tie, the member with the lowest cost is selected.
· Maximize Bandwidth (SLA): traffic is load balanced across the members that meet the SLA targets.
SD-WAN Routing: SD-WAN rules define the traffic steering policies in SD-WAN. However, traffic won’t be forwarded to an SD-WAN member unless there is a valid route through that member matching the destination address of the traffic.
Static or dynamic routing can be used with SD-WAN. In a large enterprise, SD-WAN is offered with BGP routing, where the hub works as a route reflector and receives all routes from the connected spoke locations.
Static: static SD-WAN routing is mostly used for local breakout using the SD-WAN zone.
BGP: iBGP is mostly used in a full-fledged SD-WAN solution, where a BGP-over-each-overlay approach is used.
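To make the interplay of the Performance SLA, rule selection and routing sections concrete, here is an added Python model of the steering decision (example code written for this post, not FortiOS or any Fortinet implementation): probe results mark a member alive or dead, rules are matched top-down with first match winning, each of the four strategies picks from the members that are alive and hold a route to the destination, and no match falls through to the implicit load-balancing rule. Member names, thresholds and the simplified best-quality ordering are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Member:
    name: str
    cost: int = 0
    alive: bool = True      # probe replies seen; False = flagged dead
    latency: float = 0.0    # ms, as measured by Performance SLA probes
    jitter: float = 0.0     # ms
    loss: float = 0.0       # percent

@dataclass
class SLA:
    latency: float
    jitter: float
    loss: float
    def met(self, m: Member) -> bool:
        # a member whose probes get no reply is dead even if physically up
        return (m.alive and m.latency <= self.latency
                and m.jitter <= self.jitter and m.loss <= self.loss)

@dataclass
class Rule:
    name: str
    apps: set            # application names the rule matches (constructed)
    strategy: str        # "manual" | "best_quality" | "lowest_cost" | "max_bw"
    members: list        # candidate member names in configured order
    sla: Optional[SLA] = None

def pick(rule: Rule, pool: dict, routes: set) -> list:
    """Members the rule steers to: alive and holding a route to the destination."""
    cands = [pool[n] for n in rule.members if pool[n].alive and n in routes]
    if not cands or rule.strategy == "manual":
        return cands[:1]
    if rule.strategy == "best_quality":   # simplified: loss, then latency, jitter
        return [min(cands, key=lambda m: (m.loss, m.latency, m.jitter))]
    in_sla = [m for m in cands if rule.sla is None or rule.sla.met(m)]
    if rule.strategy == "lowest_cost":    # in-SLA members tie, lowest cost wins
        return [min(in_sla, key=lambda m: m.cost)] if in_sla else cands[:1]
    if rule.strategy == "max_bw":         # load balance across in-SLA members
        return in_sla or cands
    raise ValueError(rule.strategy)

def steer(rules: list, pool: dict, routes: set, app: str) -> tuple:
    """Top-down first match; no match falls to the implicit load-balance rule."""
    for r in rules:
        if app in r.apps:
            return r.name, [m.name for m in pick(r, pool, routes)]
    return "implicit", [n for n, m in pool.items() if m.alive and n in routes]
```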
Firewall Policies: A valid firewall policy is also required to allow the traffic steered by SD-WAN rules. SD-WAN policies are configured in the same manner as any other policies, except that zones are used as the incoming or outgoing interfaces.
In the next blog, we will look at the overlay concept in more detail to understand how overlays are created and how the personas (hub/spoke) are decided for each FortiGate.
Till then, kindly go through the blog and comment in case of any query.