Chapter 5

Deployment

5.1 SD-WAN: Five steps to a successful Deployment

Having run a successful proof of concept or pilot program, the next step is to map out how you
will deploy and scale your SD-WAN solution to achieve your network transformation goals.

Once you've piloted and selected your SD-WAN solution, the next step is to plan a full-scale
deployment. There are many things to consider. First, you'll need to choose the type of
deployment sites, which could include remote branch offices, regional hubs and manufacturing
facilities, for example.

Next, you'll need to assess your global connectivity capabilities, paying particular attention to
countries where the uptime and throughput of Internet Service Providers is problematic. Finally,
you should decide on your preferred service model – do you want to manage your SD-WAN on a
DIY, co-managed or Do-It-For-Me basis? It's critical to define robust service level agreements
(SLAs) with your SD-WAN provider to maintain the highest possible levels of cloud application
performance and keep your end users happy.

5.1.1 Assess your global connectivity needs

The average multinational corporation has 23 connectivity providers around the world. This
means your procurement team needs to track many different service contracts and bills and step
in to resolve disputes in the local language of each country's ISP. Meanwhile, the in-house IT
teams have to deal with multiple technical support organizations when problems occur. An
enterprise may very well find that some of their ISPs do not staff on weekends or schedule
downtime for repairs at the most inconvenient time. The technical service definition can differ
from one ISP to another, making your solution more heterogeneous and harder to manage.

When assessing your global connectivity needs, pay close attention to large land areas without
established telecoms infrastructure where you have branch offices that need to be connected. SD-
WAN is a very attractive proposition for countries like China and India and ASEAN nations like
Vietnam, Thailand and Malaysia, but the right choice of ISP and deployment model is key.

Some providers opt to run IPSec through the Great Chinese Firewall, but the service delivery
tends to be intermittent, which drives users crazy.

5.1.2 Consider working with a managed service provider

One alternative is to work with a multisourcing service integration (MSI) partner who manages
the ISPs and other service providers on your behalf. When there's an issue with an application,
enterprises don't want to be left to figure out what is wrong. Having a single team in charge of
managing both the SD-WAN infrastructure and the underlay, including global ISP peering
relationships, takes this problem away.

For example, we review the performance of all the Internet carriers we partner with globally on a
monthly basis. We assess the criticality, scale and recurrence of any service issues that arise.
Global buying power gives us leverage to keep ISPs on track. We can even take over the
management of any additional ISPs an enterprise currently uses.

Figure 5.1

5.1.3 Choose from a DIY, Do-It-for-Me or Co-managed SD-WAN service model

Enterprises can choose from a range of flexible Do-It-Yourself (DIY), Do-It-for-Me or Co-
managed SD-WAN deployment models. In each case, access to a self-service portal to monitor
service delivery and make network changes yourself is invaluable.

With the DIY approach, the enterprise chooses its SD-WAN routing equipment and installs and
configures it themselves at each site and manages a panel of global ISPs. Around 20% of
enterprises choose a DIY route, compared to 80% choosing the managed SD-WAN route,
according to recent research by Frost & Sullivan.

A fully-managed SD-WAN service ensures there are clear SLAs, guaranteeing performance and
connectivity – even in remote locations. You get a single point of contact and process for
technical support, troubleshooting and service-related communications across all the ISPs.
Simplicity of billing and increased commercial agility is assured with the ability to add new
geographies, capacity and application performance and security services as required. Enterprises
can opt for a range of additional security services, including cloud-based web traffic filtering,
role-based access controls and internal network segmentation.

Co-management is a popular service deployment model with many enterprises. The managed
service provider makes sure that the infrastructure works properly, while enabling the customer
to perform some monitoring and application policy configuration tasks directly themselves.

5.1.4 Ensure you have a robust SD-WAN management portal

It's important to be able to pinpoint performance issues across the data center, SaaS application,
network and device stack. A unified management dashboard provides visibility into application
performance and the health of all the connectivity links. It eases the identification and reporting
of issues, ensuring visibility of end-user performance. A portal should also enable you to easily
make network changes and configure SD-WAN, universal CPE (uCPE) or virtualized CPE
(vCPE) devices at any branch office location around the world.

5.1.5 Decide what capabilities you need at each site

SD-WAN requirements tend to vary across applications and locations – especially for the world's
largest enterprises. Using service chaining and micro-segmentation, enterprises can add security
and WAN optimization functions in a highly targeted way at specific regional locations where
there is a need.

An enterprise may need to connect a site in Asia to a cloud-based application hosted in Europe,
which would require WAN optimization, something that may not be necessary for more local
sites. In the retail sector, a simple SD-WAN overlay could be sufficient to ensure high-speed
access to and from stores to a cloud-based inventory system. But the CCTV surveillance
monitoring systems may require additional security to ensure tamper-proof operation. The
point-of-sale (POS) terminals will need to be optimized, and links will need to be secured for
fast transaction processing times and to ensure compliance with PCI credit/debit card
processing regulations.

5.2 Think about your longer-term SD-WAN strategy

When deploying your SD-WAN solution, it's important to think about your
longer-term SD-WAN strategy. Connectivity is the lifeblood of any digital
business and needs to evolve continuously. Over time, SD-WAN tools will
incorporate machine learning and AI and be able to predict network behavior
in real-time and identify potential problems before employees or customers
have noticed them.

Chapter 6

Results and Conclusion

6.1 SD-WAN Challenges

But while SD-WAN offers inherently faster and cheaper connectivity than traditional WANs, it is
not a panacea on its own. Despite its transformative capabilities for branch networks, several
challenges must be addressed to fully articulate and actualize SD-WAN’s potential:

6.1.1 Poor User Experience

Digital innovation has increased the demand for SaaS and UCaaS applications, which require
multi-cloud access. Traditional WAN networks have limited access, or backhauled connectivity
through datacenters, to such critical applications. This creates high-latency WAN links, which
adversely affect user experience.

6.1.2 Lack of visibility

SD-WAN solutions typically lack visibility into applications at the branch level. This can lead to
Shadow IT problems, including SaaS applications (unauthorized applications that may introduce
security and/or compliance risks), as well as bandwidth limitations from branch users wasting
bandwidth on nonessential applications (e.g., Pandora, YouTube).

6.1.3 Complexity

In addition to the other types of complexity that DX technologies introduce, SD-WAN
architectures can be difficult to troubleshoot and hard to manage across all the branches. Most
solutions do not offer a single management interface for consolidated network oversight and
control across all of the enterprise’s remote locations. This adds to the burden on limited IT
staff and often creates defensive gaps for threats to exploit.

6.1.4 Security

Without the centralized protection provided by backhauling traffic through the data center,
moving from MPLS to direct internet broadband connections exposes organizations to new risks
—especially considering that cyberattacks are growing in both number and sophistication.

Effective SD-WAN implementation requires additional security within the enterprise
infrastructure to secure those connections and inspect high volumes of traffic—all without
inhibiting network performance. To address these challenges, one approach to effective SD-
WAN implementation combines both networking and security functions in a unified solution.
The Fortinet Secure SD-WAN solution can be enabled on Fortinet NGFWs. FortiGate combines
NGFW and SD-WAN features into a single solution that improves both WAN efficiency and
security. It provides efficient protections across all branch outposts by providing
consistent policy enforcement with single-pane-of-glass management. 64% of IT decision-makers
believed their organization’s SaaS adoption is outpacing their ability to secure it.[3] It also
allows enterprises to mitigate risks associated with DX. Three common use cases demonstrate
how Secure SD-WAN can solve key enterprise challenges while enabling greater business value
for organizations.

6.2 Use Case: Improve Application Experience

Businesses kept sending all their sensitive and critical application traffic to datacenters for
security purposes or were forced to install a sophisticated firewall solution to inspect their direct
internet access.[4] This added another point product for security, making the network more
complex and challenging to manage, and delaying cloud adoption. Integrating SD-WAN,
security and networking functionalities on a single appliance made absolute sense as a way to
reduce network complexity and associated costs and to ease management.[5] This allowed
businesses to displace their multiple point products with a powerful appliance at a reduced cost,
managed easily from a centralized console. A strong security posture allowed businesses to send
their cloud application traffic reliably over more affordable, low-latency direct internet links,
with optimal application performance and the best user experience. Continued network
performance health checks ensured the best available WAN link was chosen based on
user-defined application service level agreements, and remediated network degradation with
fail-over of traffic to a better performing WAN link. Intuitive business policy workflows make it
easy to configure and manage the application needs with the flexibility of prioritizing
business-critical applications.

Figure 6.1

6.2.1 Broad application awareness

FortiGate’s application database supports more than 5,000 application signatures and provides
accurate detection of such critical real-time applications. This level of application visibility
enables systems administrators to define business policies with precise service level agreements
for network parameters (latency, packet loss and jitter) because the SD-WAN solution
automatically ensures that the best possible WAN link is chosen for traffic forwarding. New
applications—including encrypted and cloud application traffic—can be identified and classified
via an optional FortiGuard Security Subscription Service. Fortinet NGFWs can receive ongoing
threat-intelligence updates from FortiGuard Labs researchers for more efficient application
routing as well as real-time threat protection.

6.2.2 Automated multi-path intelligence

Fortinet Secure SD-WAN continuously monitors those connections, so should bandwidth
conditions degrade for a given application, Fortinet Secure SD-WAN can seamlessly switch to a
better performing WAN link – without any impact on application delivery. And in a worst-case
scenario, where all WAN links are degraded, it can remediate these network conditions with
advanced techniques such as forward error correction. Maintaining high-quality performance for
communications applications is especially important for regional branches and remote offices
that rely on collaborative interaction for productive operations. In their 2019 SD-WAN Group
Test Results, NSS Labs measured the quality of experience (QoE) of VoIP and video application
performance offered by different SD-WAN solutions. Fortinet Secure SD-WAN received top
marks for both VoIP (the highest score) and video QoE and an overall “Recommended”
rating.
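
The SLA-driven link selection described in 6.2.1 and 6.2.2, sketched as an added example. It is not Fortinet's algorithm or code from this report: the class and function names, the jitter definition, the SLA thresholds and the probe values are all assumptions constructed for illustration.

```python
"""SLA-based WAN link selection with fail-over (illustrative sketch)."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Sla:
    """Per-application limits; all values must be positive."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class LinkHealth:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def measure(name, rtts_ms):
    """Summarise one health-check window; None marks a lost probe."""
    if not rtts_ms:
        raise ValueError("empty probe window")
    answered = [r for r in rtts_ms if r is not None]
    loss = 100.0 * (len(rtts_ms) - len(answered)) / len(rtts_ms)
    if not answered:
        return LinkHealth(name, float("inf"), float("inf"), 100.0)
    # Assumed jitter metric: mean absolute difference of consecutive RTTs.
    diffs = [abs(b - a) for a, b in zip(answered, answered[1:])]
    return LinkHealth(name, mean(answered), mean(diffs) if diffs else 0.0, loss)


def violation(h, sla):
    """Worst measured/limit ratio; a value <= 1.0 means the SLA is met."""
    return max(h.latency_ms / sla.max_latency_ms,
               h.jitter_ms / sla.max_jitter_ms,
               h.loss_pct / sla.max_loss_pct)


def select_link(links, sla, current=None):
    """Return (link name, action) for one application's traffic."""
    compliant = [h for h in links if violation(h, sla) <= 1.0]
    if compliant:
        # Stay put while the current link is compliant, to avoid flapping.
        if current in {h.name for h in compliant}:
            return current, "keep"
        best = min(compliant, key=lambda h: violation(h, sla))
        return best.name, "failover" if current else "select"
    # Every link is degraded: use the least-bad one and flag the flow for
    # remediation (for example forward error correction).
    best = min(links, key=lambda h: violation(h, sla))
    return best.name, "degraded-remediate"


# Constructed sample data: a VoIP-style SLA and one probe window per link.
VOIP = Sla(max_latency_ms=150.0, max_jitter_ms=30.0, max_loss_pct=1.0)
PROBES = {
    "mpls": [40.0, 42.0, 41.0, 43.0, 40.0, 41.0, 42.0, 40.0, 41.0, 40.0],
    "broadband": [30.0, 95.0, 28.0, None, 110.0, 31.0, None, 90.0, 29.0, 100.0],
    "lte": [80.0, 85.0, 82.0, 88.0, 81.0, 84.0, 83.0, 86.0, 82.0, 85.0],
}
HEALTH = [measure(name, rtts) for name, rtts in PROBES.items()]

if __name__ == "__main__":
    for h in HEALTH:
        print(h, round(violation(h, VOIP), 3))
    print(select_link(HEALTH, VOIP, current="broadband"))
```
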

6.2.3 Compliance tracking and reporting

Secure SD-WAN-enabled tracking and reporting helps ensure adherence to privacy laws,
security standards, and industry regulations while reducing collateral risks of fines and legal
costs in the event of a breach. These features track real-time threat activity, facilitate risk
assessment, detect potential issues, and mitigate problems. They also monitor firewall policies
and help automate compliance audits. The Fortinet Security Rating Service provides best
practices for compliance standards such as the Payment Card Industry Data Security Standard
(PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and other
regulations. As part of the service, organizations receive their own security posture score and are
then able to compare that to the scores of their peers.

6.3 Use Case: Simplify with Centralized Management and Control

Many enterprise branches may want to simultaneously replace both their WAN and LAN devices
in favor of a solution with deeper integration and simplified branch operations management.
Using separate WAN and LAN infrastructures not only increases branch complexity (more
devices to deploy and update with multiple management consoles); it also reduces visibility and
control of operations while increasing the opportunities for security gaps that hackers can
exploit.

6.3.1 Single-pane-of-glass management

Fortinet enables customers to focus on digital innovation and make the network more agile.
Fortinet offers an intuitive Secure SD-WAN orchestrator as part of its Fabric Management
Center. This allows customers to significantly simplify centralized deployment, enable
automation to save time and offer business-centric policies. Fortinet Secure SD-WAN offers
enhanced analytics and new SD-WAN reports with Fabric Management Center. A single console
and rich SD-WAN analytics help customers fine-tune their business and security policies to
improve quality of experience for all their users.

6.3.2 Software-defined branch (SD-Branch)

A software-defined branch (SD-Branch) model eliminates these challenges by unifying WAN
and LAN operations within a single solution. As an extension of the Fortinet Security Fabric, a
Fortinet NGFW featuring Secure SD-WAN integrates with FortiAP and FortiSwitch solutions
using a special FortiLink protocol. This enables customers to manage local endpoints (such as
IoT devices) connected to LAN and automatically quarantine devices showing indicators of
compromise. Fortinet-enabled SD-Branch deployments (Figure 2) provide deep WAN/LAN
integration, simplicity, security, and the lowest TCO in the industry.

6.3.3 Zero-touch deployment

Deploying SD-WAN should also be as easy as turning on a feature—and this is exactly what
Fortinet Secure SD-WAN zero-touch deployment offers. New branches can be quickly
connected and secured with little expertise and no additional overhead. Fortinet simplifies
infrastructure and delivers SD-Branch operations with consolidated WAN/LAN functions and
advanced security features. No other vendor is able to provide this combination of capabilities.
Enhanced analytics for WAN link availability, performance SLA and application traffic, with
run-time and historical statistics, allow the infrastructure team to troubleshoot and quickly
resolve network issues. Fabric Management Center offers advanced telemetry for application
visibility and network performance to achieve faster resolution and reduce the number of IT
support tickets. On-demand SD-WAN reports provide further insight into threat landscape, trust
level and asset access, which are mandated for compliance purposes.

Figure 6.2

6.4 Realizing the Benefits of SD-WAN

With continuing growth in SaaS, VoIP, and video applications, SD-WAN can help distributed
enterprises embrace the benefits of DX without bottlenecking network performance or impacting
the productivity of end users. The performance and security challenges that often come with SD-
WAN are solved by Fortinet Secure SD-WAN—a native component of the Fortinet Security
Fabric and the Fortinet NGFW. Secure SD-WAN allows organizations to rapidly adopt cloud
applications while keeping security a top priority. It helps reduce OpEx costs while maintaining
high-quality performance for VoIP, video, and VPN. It also simplifies the branch network
infrastructure by combining networking and advanced security in a single, unified solution.

6.5 SD-WAN Survey Results

The SD-WAN market has been one of the bright spots for networking technology over the past
decade, bringing a unique set of capabilities to solve the real-world headaches of IT managers,
network managers, and security specialists. Our continued research with SD-WAN service
providers, technology vendors, and enterprise end users indicated that the SD-WAN market
continues to expand and is maturing. Of the 100 enterprise users we surveyed in 2020, 91.5%
said their awareness of the technology has grown in the last 12 months. With this in mind, our
2021 SD-WAN MS Survey zeroed in on some of the key trends we found elsewhere in our
research. These include the following:
• Enterprise end users are ramping up their use of SD-WAN and have a growing
awareness of the technology when evaluating SD-WAN managed services.
• Interest in learning about the different approaches of co-managed, managed services,
and DIY SD-WAN is growing – with a specific interest in hybrid services and co-
managed offerings.
• End users have interest in a wide feature set for SD-WAN managed services, including
co-management, self-service portals, multi-cloud connectivity options, and security
applications and services. The survey sought to zero in on the most important features in
demand.
• Enterprises continue to see the need for value-added services to manage their cloud
application needs, such as applications management, multi-cloud connectivity, and
security. The survey identifies some key services and features that need to be offered
with SD-WAN managed services.
• Co-management capabilities such as Quality of Service (QoS), IP control, analytics, and
monitoring are important considerations in both SD-WAN infrastructure and managed
services.
When we speak to the network managers and IT specialists using the technology, the theme we
hear is that SD-WAN has made their lives easier. This year’s survey reflects continued interest in
both SD-WAN technology platforms as well as SD-WAN MS. In addition, end users show they
are especially interested in the advanced features that can be provided with SD-WAN technology
and services, including network visibility, application control, and advanced network security.
Additional trends reinforced by both industry developments and our survey show that a wide
range of security capabilities, along with co-management and improved management/
orchestration and automation, are big draws for SD-WAN managed services and are likely to be
key features of adoption.

6.6 Conclusion
Modern SD-WAN solutions offer more agility and connectability and better performance to
enable next-gen technologies compared with traditional wide area networks. The more you
embrace big data and IoT solutions, the more you’ll need SD-WAN technology for your
business. Not only will it make data collection more efficient, it will open the door for more
robust cloud services such as automation software. Furthermore, you will be able to use more
bandwidth at lower costs.

SD-WANs are a great technology, with a lot to offer today’s multinational. So is SD-WAN your
magic solution? No. But it can be … if you make the best use of its flexibility to fit it to your
needs.

An internet-only SD-WAN can still suffer from bottlenecks and blockages. But team it with
Cloud Acceleration and you’ll see those issues dissolve, MPLS-style. And the result will be more
adaptable, faster to roll out, and easier to expand.

As you work to improve user experience on your distributed network while keeping costs in
check, consider that an investment in Fortinet SD-WAN delivers much more than a short-term
fix. Once you have the SD-WAN-enabled FortiGate NGFWs and FortiManager in place, you
have the core of an enterprise-wide secure environment. With it, you can confidently support
more remote sites, more bandwidth-sensitive business-critical applications, more cloud services,
and whatever else your network requires to drive your company’s digital transformation.

FortiGate Secure SD-WAN solutions with the new FortiOS 6.0 have been adopted worldwide in
industries as diverse as finance, retail, manufacturing, and customer service. Whether they need
to support a few hundred mobile endpoints or tens of thousands of branch offices, Fortinet SD-
WAN customers are each achieving their own optimal mix of best-of-breed security and SD-
WAN functionality.

Chapter 7

Future Work

7. Future Work
The cloud revolution has ushered in the greatest transformation of business operations and
workflows in history. Cloud applications are now the foundation of most organizations, which
has greatly enhanced business productivity and collaboration. And these essential applications
need to be efficient and reliable—which is why SD-WAN is becoming one of the most
successful networking functions in decades. Fast and reliable business applications running on
agile, secure network connections is the name of the game.

The recent shift to a mostly remote workforce accelerated SD-WAN adoption as more
organizations adopted multi- and hybrid cloud compute and services models.
According to a report by IDG Research Services and Masergy, over 90% of organizations expect
to eventually adopt an SD-WAN solution. And the Dell’Oro Group, Inc. expects SD-WAN
technologies to grow at a compounded annual growth rate of 24% over the next five years, to the
tune of $4 billion by 2025.

As it happens with new technologies that spark interest in the industry, the SD-WAN market
became overcrowded with vendors purporting to offer the best solutions. But not all SD-WAN
solutions are created equal. Vendor selection can only be best made after clearing away the
clutter and focusing on priorities. Organizations need to evaluate their current network
infrastructures and understand what it is they need from an SD-WAN solution. I recommend
considering the following:

1. Is SD-WAN really enabling promised 40%+ cost savings? Can the vendor provide
unrestricted bandwidth usage with SD-WAN without any additional cost for future
growth?
2. Is SD-WAN a point product or part of a platform with integration from IoT, LAN, WAN,
and cloud?
3. Is the SD-WAN solution organically developed such that customers can reduce point
products like routers, SD-WAN and NGFW, or is this solution stitched together after
acquisition, introducing scalability issues?
4. Does it include support for advanced connectivity issues, such as 5G or LTE failover,
traffic steering, and application recognition with deep SSL inspection for accuracy? Does
it offer self-healing connections? How reliable is it?
5. Will the solution support remote super users in a home office, geographically distributed
branch offices, and multi-cloud and cloud on-ramp? Does the solution support all of these
use cases?
6. Is SD-WAN reducing operational overhead and enabling true zero-day provisioning with
automation? Can it provide granular analytics and AI integration to reduce time in day-2
troubleshooting?
7. Does the SD-WAN solution have innovations built in to expand to SD-Branch (LAN
Edge) to provide full digital transformation at the edge instead of just focusing on WAN?
8. Most importantly, how will your SD-WAN be secured? Can it provide built-in next-
generation firewall security as well as the flexibility of the exact same security available
at the Cloud Edge via SASE?

7.1 Secure SD-WAN TCO and ROI
Of course, cost is of utmost consideration. The total cost of ownership (TCO) for SD-WAN can
be hard to deduce. What may seem like an affordable solution can overwhelm IT staff with its
limited configuration options or lack of support for use cases. And if you are attempting to build
your own security overlay, cost and resource needs could spiral out of control very quickly.

With a fully-integrated SD-WAN solution, organizations should expect 100% ROI in three years,
and some customers will be able to achieve that after only one year of implementation.
Regardless, your chosen SD-WAN solution should immediately deliver ROI benefits attributed
to things such as reducing infrastructure costs, transitioning from static, more expensive MPLS
connections to more flexible and affordable broadband, and consolidating SD-WAN, a wireless
controller, routing, and built-in LTE connectivity into a single solution.

7.2 Other Considerations for Delivering Immediate ROI Benefits


Taking into account all of the aforementioned items, here are a few more things to consider when
evaluating an SD-WAN solution:

7.2.1 Performance:

Because today’s businesses run on applications, users need reliable access and speed to get the
work done. Your SD-WAN solution must allow the quickest access to cloud-based applications
without sacrificing any performance for security. SD-WAN should be deployed on a platform
that was specifically built for speed.

7.2.2 Rapid deployment:

An integrated, single-pane-of-glass orchestration and management console can ensure that
connections, configurations, advanced routing functionality, and protections are easily
configurable and visible and work together as a single, fully integrated system.

7.2.3 Easy expansion to all edges:

SD-WAN offers much more than just connecting branch offices to cloud services or the core
network. SD-WAN can also run natively in every major public cloud environment, scale to
support large data centers, sit on a WFH desktop, and be deployed to every corner of
the network. This can enable fast and secure connections from anywhere to anywhere, to all
edges: WAN to LAN (SD-Branch), OT, data center, and cloud (SASE).
