
SD-WAN

SD-WAN is a virtual interface that consists of a group of member interfaces that can be connected to different link types. The FortiGate groups all physical member interfaces into a single virtual interface, which is the SD-WAN interface. SD-WAN simplifies your network configuration because you configure a single set of routes and firewall policies and apply them to all member interfaces. You also configure various types of criteria that the FortiGate uses to select the best links for your network traffic.
One of the main motivators for deploying SD-WAN is effective WAN use with multiple WAN links, where you can use various load balancing algorithms, such as bandwidth usage, sessions, and application-aware routing, to ensure high availability for your business-critical applications.

What you need to know about Secure SD-WAN


Greater security
With growing concerns about security, particularly with the rise of IoT, cloud and data aggregation, SDN can deliver greater security. Instead of relying on endpoint security or inspection at the network perimeter, SDN controllers make decisions about how and where to forward traffic on a packet-by-packet or flow-by-flow basis, which means they are far more responsive to changes in traffic patterns throughout an organization.

Better application experience

Along with security, one of the primary advantages of SDN is the ability to shape and control traffic on an application-by-application and flow-by-flow basis, improving networking responsiveness and delivering a better user experience.

Centralized provisioning
Decoupling the decision-making process from the underlying hardware and moving it to a controller makes it easier to gain a centralized view of the network. By abstracting the control and data planes, SDN can also accelerate and simplify the delivery of new services—not just across the network, but across all virtual infrastructure from a single location.

Greater flexibility and agility

A centralized controller makes a network more agile and facilitates more rapid change. The fact that the controller is programmable also provides a quantum leap in the degree of flexibility, allowing organizations to create networks that meet their exact application and business requirements.

While network virtualization and SDN are relatively new technologies, International Data Corporation (IDC) predicts the SDN market will continue to grow at 25% year-on-year to 2021, and now considers that SDN is emerging out of the early adopter and into the early mainstream stage of its development.

In today’s increasingly competitive environment where flexibility and agility are critical, these benefits are the minimum expected by organizations. But they rely on the underlying infrastructure being under the administrative control of the organization. So what happens when they’re not, which is the case for modern Wide Area Networks (WANs) that are controlled by the entities delivering the services?
Configuring SD-WAN
There are many different deployments for Secure SD-WAN, depending on your organization’s network and the solution that you want to deploy.

SD-WAN requirements
The Secure SD-WAN solution has the following requirements:
- Allows only one SD-WAN interface for each VDOM
- Supports SD-WAN configuration for IPv6 in the CLI
- Supports up to 4000 link health monitors, both globally and per VDOM
- Supports up to 4000 SD-WAN rules, both globally and per VDOM
Overall, the components that make up the Fortinet Secure SD-WAN solution are FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy.

Basic SD-WAN deployment


What are the key requirements for a successful SD-WAN deployment?

There are four pillars of a successful SD-WAN deployment that need to be clearly understood at the beginning of a project:
- Business-critical applications, their requirements and dependencies.
- Security requirements.
- Site connectivity and the relative priority of each location.
- Circuit cost and availability.

Configuring a basic SD-WAN deployment


A basic SD-WAN deployment uses static routing and the WAN interfaces on the FortiGate. One possible use for a basic SD-WAN deployment is to configure redundant Internet connectivity for your network. This allows you to load balance your Internet traffic between multiple ISP links and provides redundancy for your network’s Internet connection when your primary ISP is unavailable.
To configure a basic SD-WAN deployment, complete the following steps:
- Removing existing configuration references to interfaces
- Creating SD-WAN interfaces
- Configuring SD-WAN load balancing
- Creating a static route for the SD-WAN interface
- Configuring security policies for SD-WAN
- Configuring link health monitoring
- Configuring SD-WAN rules
Removing existing configuration references to interfaces
Remove or redirect any existing configuration references to interfaces that you want to use as SD-WAN members. This includes the default Internet access policy that’s included with many FortiGate models. You must do this before you configure the interfaces as SD-WAN members.
Redirecting the routes and policies to reference other interfaces avoids your having to create them again later. After you configure SD-WAN, you can reconfigure the routes and policies to reference the SD-WAN interface.

Remove interface references in routes – GUI


1. Go to Network > Static Routes.
2. Select each route that references the ports that you want to use for the SD-WAN interface.
3. Select Delete.
4. Select OK.
Remove interface references in routes – CLI
config router static
    delete <sequence_number>
end
where <sequence_number> is the sequence number of the static route that you want to delete.
Remove interface references in security policies – GUI
1. Go to Policy & Objects > IPv4 Policy.
2. Select each policy that references the ports that you want to use for the SD-WAN interface.
3. Select Delete.
4. Select OK.

Remove interface references in security policies – CLI


config firewall policy
    delete <policy_id>
end
where <policy_id> is the ID number of the policy that you want to delete.

Creating SD-WAN interfaces


Specify at least two SD-WAN member interfaces and their associated gateways.
Create SD-WAN interface – GUI
1. Go to Network > SD-WAN.
2. In the SD-WAN section, set the Status field to Enable.
3. In the SD-WAN Interface Members section, select +. Select the down arrow to open the drop-down menu. Select the first port that you want to add to the SD-WAN interface.
4. In the Gateway field, enter the default gateway for this interface.
5. Ensure that the Status field is set to Enable.
6. Repeat steps 3 to 5 to add the remaining SD-WAN member interfaces.
7. Select Apply.
8. Select Network > Interfaces to verify that the virtual interface for SD-WAN appears in the interface list. In the SD-WAN Interface section, the SD-WAN interface is listed. Select – to view the ports that are included in this interface.
Create SD-WAN interface – CLI
config system virtual-wan-link
    set status enable
    config members
        edit <sequence_number>
            set interface <interface_name>
            set {gateway | gateway6} <ip_address>
        next
        edit <sequence_number>
            set interface <interface_name>
            set {gateway | gateway6} <ip_address>
        next
    end
end
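The two steps above (clearing old interface references, then defining the members) can be scripted. The following Python is an added example, not FortiOS or Fortinet code: it parses the config-block format that `show router static` and `show firewall policy` print, reports which static routes and policies still reference the planned member interfaces, and emits the `delete` and `config system virtual-wan-link` commands in the forms shown on this page. The sample configuration, the interface names wan1/wan2 and the gateway addresses are constructed; `device` (static routes) and `srcintf`/`dstintf` (policies) are the keys FortiOS uses to name interfaces in those sections.

```python
"""Pre-flight check for 'Removing existing configuration references' plus a generator
for the 'Create SD-WAN interface - CLI' block. Added example; not FortiOS code."""
import shlex
from typing import Dict, List, Sequence, Tuple

# Which 'set' keys name interfaces in the two sections the page tells you to clean up.
INTERFACE_KEYS = {
    "router static": ("device",),
    "firewall policy": ("srcintf", "dstintf"),
}

# Constructed sample in the shape of `show router static` / `show firewall policy` output.
SAMPLE_CONFIG = """
config router static
    edit 1
        set gateway 192.0.2.1
        set device "wan1"
    next
    edit 2
        set dst 10.10.0.0 255.255.0.0
        set gateway 10.0.0.254
        set device "internal"
    next
end
config firewall policy
    edit 1
        set name "Internet access"
        set srcintf "internal"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "to-dmz"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_fortios_config(text: str) -> List[dict]:
    """Parse config/edit/set/next/end blocks into a flat list of entries, e.g.
    {"section": "router static", "id": "1", "settings": {"device": ["wan1"]}}."""
    entries: List[dict] = []
    sections: List[str] = []      # stack of open 'config' sections
    open_entries: List[dict] = []  # stack of open 'edit' entries
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles the quoted values FortiOS prints
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            sections.append(" ".join(args))
        elif keyword == "edit":
            open_entries.append({"section": " ".join(sections), "id": args[0], "settings": {}})
        elif keyword == "set":
            open_entries[-1]["settings"][args[0]] = args[1:]
        elif keyword == "unset":
            open_entries[-1]["settings"].pop(args[0], None)
        elif keyword == "next":
            entries.append(open_entries.pop())
        elif keyword == "end":
            sections.pop()
        else:
            raise ValueError(f"unexpected keyword {keyword!r} in line: {line}")
    if sections or open_entries:
        raise ValueError("unbalanced config/edit blocks")
    return entries


def find_interface_references(entries: List[dict], members: Sequence[str]) -> Dict[str, List[str]]:
    """Return {section: [entry ids]} for routes/policies that still reference a planned member."""
    wanted = set(members)
    refs: Dict[str, List[str]] = {}
    for entry in entries:
        for key in INTERFACE_KEYS.get(entry["section"], ()):
            if wanted & set(entry["settings"].get(key, [])):
                refs.setdefault(entry["section"], []).append(entry["id"])
                break
    return refs


def render_cleanup_commands(refs: Dict[str, List[str]]) -> str:
    """Emit delete commands in the form the page shows: config <section> / delete <id> / end."""
    lines: List[str] = []
    for section, ids in refs.items():
        lines.append(f"config {section}")
        lines.extend(f"    delete {entry_id}" for entry_id in ids)
        lines.append("end")
    return "\n".join(lines)


def render_sdwan_members(members: Sequence[Tuple[str, str]]) -> str:
    """Emit the 'Create SD-WAN interface - CLI' block; the page requires at least two members."""
    if len(members) < 2:
        raise ValueError("an SD-WAN interface needs at least two member interfaces")
    if len({intf for intf, _ in members}) != len(members):
        raise ValueError("each member interface may be added only once")
    lines = ["config system virtual-wan-link", "    set status enable", "    config members"]
    for seq, (intf, gateway) in enumerate(members, start=1):
        lines += [f"        edit {seq}", f'            set interface "{intf}"',
                  f"            set gateway {gateway}", "        next"]
    lines += ["    end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    planned = [("wan1", "192.0.2.1"), ("wan2", "198.51.100.1")]  # constructed
    refs = find_interface_references(parse_fortios_config(SAMPLE_CONFIG), [i for i, _ in planned])
    print(render_cleanup_commands(refs))
    print(render_sdwan_members(planned))
```

Review the reported list before deleting anything: a policy that also references an interface you are keeping (for example `set dstintf "wan1" "dmz"`) should be edited to drop the future member rather than deleted outright, which is the "redirect" option the page describes.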

Configuring SD-WAN load balancing


Specify the SD-WAN load balancing method that you want the FortiGate to use for all Internet traffic between SD-WAN interface members.

Specify the SD-WAN load balancing method – GUI


1. Go to Network > SD-WAN Rules.
2. Select the rule named sd-wan and select Edit.
The load balancing options are displayed.
3. In the Load Balancing Algorithm field, select one of the following options:
4. Click OK.

Specify the SD-WAN load balancing method – CLI


config system virtual-wan-link
    set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
end
where load-balance-mode selects the algorithm that the implicit sd-wan rule uses to distribute traffic between the member interfaces.
Creating a static route for the SD-WAN interface
After you create an SD-WAN interface, the FortiGate adds a virtual interface for SD-WAN to the interface list. You can create routes using this SD-WAN interface.
You must configure a default route for the SD-WAN interface. You don’t need to configure a gateway address for the default route that uses the SD-WAN interface because the FortiGate forwards packets to the appropriate gateway based on the SD-WAN member interface gateway information.

Create a static route for SD-WAN – GUI


1. Go to Network > Static Routes.
2. Select Create New.
3. In the Destination field, select Subnet and leave the destination IP address and subnet mask as 0.0.0.0/0.0.0.0.
4. In the Interface field, select the SD-WAN interface from the drop-down menu.
5. Ensure that the Status field is set to Enable.
6. Select OK.
If you previously removed or redirected existing references in routes to interfaces that you wanted to add as SD-WAN interface members, you can now reconfigure those routes to reference the SD-WAN interface.
Create a static route for SD-WAN – CLI
config router {static | static6}
    edit <sequence_number>
        set virtual-wan-link enable
    next
end
Configuring security policies for SD-WAN

After you create an SD-WAN interface, the FortiGate adds a virtual interface for SD-WAN to the interface list. You can create security policies using this SD-WAN interface.
You must configure a security policy that allows traffic from your organization’s internal network to the SD-WAN interface. You don’t need to configure multiple security policies for individual SD-WAN member interfaces because security policies that you configure with the SD-WAN interface apply to all SD-WAN member interfaces.
Configure security policies for SD-WAN – GUI
1. Go to Policy & Objects > IPv4 Policy.
2. Select Create New.
3. In the Name field, enter a name for the policy.
4. Set Incoming Interface to the interface that connects to your organization’s internal network.
5. In the Outgoing Interface field, select the SD-WAN interface from the drop-down menu.
6. In the Source field, select +. In the Select Entries window, select all. Select Close.
7. In the Destination field, select +. In the Select Entries window, select all. Select Close.
8. In the Schedule field, select always from the drop-down menu.
9. In the Service field, select +. In the Select Entries window, select ALL. Select Close.
10. In the Action field, select ACCEPT.
11. In the Firewall/Network Options section, set the following:
l Enable NAT.
l In the IP Pool Configuration field, select Use Outgoing Interface Address.
12. In the Security Profiles section, apply AntiVirus, Web Filter, DNS Filter, Application Control, and SSL Inspection profiles, as required.
13. In the Logging Options section, set the following:
l Enable Log Allowed Traffic and select All Sessions. This allows you to verify the results later.
l Enable the Enable this policy option.
14. Select OK.
If you previously removed or redirected existing references in security policies to interfaces that you wanted to add as SD-WAN interface members, you can now reconfigure those policies to reference the SD-WAN interface.
Configure security policies for SD-WAN – CLI
config firewall {policy | policy6}
    edit <policy_id>
        set name <policy_name>
        set srcintf <interface_name>
        set dstintf virtual-wan-link
        set srcaddr <address_name>
        set dstaddr <address_name>
        set action accept
        set status enable
        set schedule <schedule_name>
        set service <service_name>
        set utm-status enable
        set logtraffic all
        set av-profile <profile_name>
        set webfilter-profile <profile_name>
        set dnsfilter-profile <profile_name>
        set application-list <app_list>
        set ssl-ssh-profile <profile_name>
        set nat enable
        set ippool enable
        set poolname <pool_name>
    next
end
where:
- virtual-wan-link is the SD-WAN interface
- the dnsfilter-profile option isn't available for IPv6, since IPv6 isn't supported for DNS profiles

Configuring SD-WAN rules


You can use SD-WAN rules to specify which traffic you want to route through which interface (ISP). This gives you great flexibility when you configure how you want the FortiGate to route traffic. For example, you can route Netflix traffic from specific authenticated users through one ISP and route the rest of your Internet traffic through another ISP.
You can configure the rules to use various parameters to match traffic, including source and destination IP addresses, destination port numbers, and ISDB address objects.
When the FortiGate matches traffic to a rule, that rule determines which egress interface the traffic takes. You can configure SD-WAN rules to use one of the following strategies to determine the egress interface:
- Best quality
- Minimum quality (SLA)
The FortiGate evaluates SD-WAN rules from top to bottom, using the first match. SD-WAN rules are treated as policy routes and take precedence over other routes in the routing table.
If none of the conditions for the SD-WAN rules are met, the FortiGate uses the implicit rule, called sd-wan, that’s automatically generated when you enable SD-WAN. The sd-wan rule balances traffic based on how you configured SD-WAN load balancing.
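As an added illustration (a model written for this page, not FortiOS code), the Python below evaluates SD-WAN rules top to bottom with first match, applies the Best quality and Minimum quality (SLA) strategies to constructed link measurements, and falls back to the implicit sd-wan rule, which distributes unmatched flows with the source-ip-based or source-dest-ip-based load-balance-mode from the load balancing section. The matching fields (source prefix, destination port), the SLA thresholds, the use of latency as the "best quality" metric, the fallback to the top-priority member when no member meets the SLA, and the hash used for load balancing are this model's assumptions, not documented FortiGate behaviour.

```python
"""Toy model of how SD-WAN rules and the implicit sd-wan rule choose an egress member.
Added example, not FortiOS code: matching fields, thresholds and hashing are assumptions."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class LinkMetrics:
    """What a link health monitor measures for one member (constructed values below)."""
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float


@dataclass
class SlaTarget:
    """Thresholds a member must stay within to count as meeting the SLA."""
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float

    def is_met(self, m: LinkMetrics) -> bool:
        return (m.latency_ms <= self.latency_ms and m.jitter_ms <= self.jitter_ms
                and m.packet_loss_pct <= self.packet_loss_pct)


@dataclass
class Rule:
    name: str
    members: List[str]                 # candidate members, highest priority first
    strategy: str                      # "sla" (Minimum quality) or "best-quality"
    src_prefix: Optional[str] = None   # assumed match criteria: source prefix, dst port
    dst_ports: Optional[Set[int]] = None
    sla: Optional[SlaTarget] = None

    def matches(self, flow: dict) -> bool:
        if self.src_prefix and ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(self.src_prefix):
            return False
        if self.dst_ports is not None and flow["dport"] not in self.dst_ports:
            return False
        return True


def pick_for_rule(rule: Rule, metrics: Dict[str, LinkMetrics]) -> str:
    if rule.strategy == "sla":
        # Minimum quality: first member in priority order that currently meets the SLA.
        # Assumption of this model: fall back to the top-priority member if none does.
        in_sla = [m for m in rule.members if rule.sla.is_met(metrics[m])]
        return in_sla[0] if in_sla else rule.members[0]
    if rule.strategy == "best-quality":
        # Best quality: lowest measured latency (choice of metric is this model's assumption).
        return min(rule.members, key=lambda m: metrics[m].latency_ms)
    raise ValueError(f"unknown strategy {rule.strategy!r}")


def implicit_rule(flow: dict, members: List[str], load_balance_mode: str) -> str:
    """The implicit sd-wan rule: spread flows by the configured load-balance-mode.
    Only the two address-hash modes are modelled; a stable hash keeps a flow on one link."""
    if load_balance_mode == "source-ip-based":
        key = flow["src"]
    elif load_balance_mode == "source-dest-ip-based":
        key = f'{flow["src"]}|{flow["dst"]}'
    else:
        raise ValueError(f"mode {load_balance_mode!r} not modelled here")
    digest = hashlib.sha256(key.encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def select_egress(rules: List[Rule], flow: dict, metrics: Dict[str, LinkMetrics],
                  members: List[str], load_balance_mode: str) -> Tuple[str, str]:
    """Rules are evaluated top to bottom, first match wins; otherwise the implicit rule applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, pick_for_rule(rule, metrics)
    return "sd-wan", implicit_rule(flow, members, load_balance_mode)


# Constructed sample: two members, two rules, and two snapshots of link health.
MEMBERS = ["wan1", "wan2"]
RULES = [
    Rule("voip-sla", ["wan2", "wan1"], "sla", dst_ports={5060},
         sla=SlaTarget(latency_ms=100, jitter_ms=20, packet_loss_pct=1.0)),
    Rule("web-best-quality", ["wan1", "wan2"], "best-quality",
         src_prefix="10.1.0.0/16", dst_ports={80, 443}),
]
METRICS_WAN2_DEGRADED = {"wan1": LinkMetrics(40, 5, 0.0), "wan2": LinkMetrics(120, 30, 2.0)}
METRICS_ALL_HEALTHY = {"wan1": LinkMetrics(40, 5, 0.0), "wan2": LinkMetrics(30, 4, 0.0)}

if __name__ == "__main__":
    for flow in ({"src": "10.1.1.5", "dst": "203.0.113.10", "dport": 5060},
                 {"src": "10.1.1.5", "dst": "203.0.113.10", "dport": 443},
                 {"src": "192.168.1.5", "dst": "203.0.113.10", "dport": 22}):
        print(flow["dport"], select_egress(RULES, flow, METRICS_WAN2_DEGRADED, MEMBERS, "source-ip-based"))
```

Running it with the degraded snapshot sends the SIP flow over wan1 even though wan2 is the rule's preferred member, because wan2 is outside the SLA; with the healthy snapshot the same flow moves back to wan2. The SSH flow matches no rule and lands on whichever member its source address hashes to, which is the behaviour of the implicit sd-wan rule the text describes.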

Monitoring SD-WAN
You can use SD-WAN diagnostics to maintain an efficient and effective SD-WAN solution.
Monitoring SD-WAN link usage
The SD-WAN usage monitor shows traffic distribution between SD-WAN member interfaces in real time. You can view traffic distribution by bandwidth, volume, and sessions.
Monitor SD-WAN link usage – GUI
1. Go to Network > SD-WAN.
2. In the SD-WAN Usage section, select one of the following options to view SD-WAN traffic distribution between the member interfaces:
- Bandwidth: Shows traffic distribution percentage of the bandwidth that each interface is using
- Volume: Shows traffic distribution percentage of the volume of sessions for each interface
- Sessions: Shows traffic distribution percentage of the number of sessions for each interface
3. Select Apply.
Monitoring SD-WAN traffic routing
You can see which applications are going through which destination interface in FortiView.
Monitor SD-WAN traffic routing – GUI
1. Go to FortiView > All Sessions.
2. View the information in the Destination Interface column.
Monitoring SD-WAN link quality status
You should monitor the link quality status of SD-WAN member interfaces, since link quality plays a significant role in link selection for SD-WAN. Investigate any prolonged issues with packet loss, latency, and jitter to ensure that your network doesn’t experience degraded performance or an outage.
Monitor SD-WAN link quality status – GUI
1. Go to Network > Performance SLA.
2. Monitor the information in the Packet Loss, Latency, and Jitter columns for each SLA.
The page displays arrows indicating the status of SD-WAN member interfaces. A green arrow indicates that the interface was active and a red arrow indicates that the interface was inactive when the FortiGate performed the status checks.
The page also shows measurements for packet loss,
Monitoring system event logs
A FortiGate generates system event logs when an SD-WAN member interface route is added to or removed from the routing table. You can use system events to investigate any route failovers.
Monitor system event logs – GUI
1. Go to Log & Report > System Events.
2. Use information in system event logs related to SD-WAN to investigate issues.
Verifying SD-WAN traffic routing
You can verify that traffic is exiting the FortiGate through the SD-WAN member interfaces as configured.
Verify SD-WAN traffic routing – GUI
1. Go to Log & Report > Forward Traffic.
2. Use information in the Destination Interface column to verify that traffic is routing correctly.
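The system event and forward traffic logs are key=value lines, so route failovers can be pulled out without the GUI. The Python below is an added example (not Fortinet code): it parses that key=value format, keeps the system events about member routes being added to or removed from the routing table, and summarises how often each member's route was withdrawn and which members are currently withdrawn. The log lines are constructed for the example, and the `logdesc` values, the `interface` field and the messages are illustrative placeholders rather than output captured from a FortiGate; match them to your own device's field names before running this over real logs.

```python
"""Parse FortiOS-style key=value system event logs and pull out SD-WAN member route
transitions. Added example, not FortiOS code; the log lines below are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample lines in the key=value shape FortiGate logs use. Field names such as
# logdesc/interface and the messages are illustrative placeholders, not captured output.
SAMPLE_EVENT_LOG = """\
date=2024-03-01 time=10:00:01 type="event" subtype="system" level="information" logdesc="Admin login" user="admin" msg="Administrator admin logged in successfully"
date=2024-03-01 time=10:00:05 type="event" subtype="system" level="notice" logdesc="Route deleted" interface="wan1" msg="SD-WAN member route removed from routing table"
date=2024-03-01 time=10:00:05 type="event" subtype="system" level="notice" logdesc="Route added" interface="wan2" msg="SD-WAN member route added to routing table"
date=2024-03-01 time=10:03:10 type="event" subtype="system" level="notice" logdesc="Route added" interface="wan1" msg="SD-WAN member route added to routing table"
date=2024-03-01 time=10:10:42 type="event" subtype="system" level="notice" logdesc="Route deleted" interface="wan1" msg="SD-WAN member route removed from routing table"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token
KV_PATTERN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping the quotes around quoted values."""
    fields: Dict[str, str] = {}
    for key, value in KV_PATTERN.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def route_transitions(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, interface, 'added'|'deleted') for system events about member routes."""
    events: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields.get("type") != "event" or fields.get("subtype") != "system":
            continue
        desc = fields.get("logdesc", "")
        if desc == "Route added":
            state = "added"
        elif desc == "Route deleted":
            state = "deleted"
        else:
            continue  # unrelated system event (logins, config changes, ...)
        events.append((f"{fields['date']} {fields['time']}", fields.get("interface", "?"), state))
    return events


def failover_summary(events: List[Tuple[str, str, str]]) -> Tuple[Dict[str, int], List[str]]:
    """Count route withdrawals per member and list members whose last event was a withdrawal."""
    removals: Dict[str, int] = {}
    current: Dict[str, str] = {}
    for _, intf, state in events:   # events are already in log order
        current[intf] = state
        if state == "deleted":
            removals[intf] = removals.get(intf, 0) + 1
    withdrawn = sorted(intf for intf, state in current.items() if state == "deleted")
    return removals, withdrawn


if __name__ == "__main__":
    transitions = route_transitions(SAMPLE_EVENT_LOG)
    for when, intf, state in transitions:
        print(f"{when}  {intf:<6} route {state}")
    print(failover_summary(transitions))
```

A member whose route flaps repeatedly within a short window is the case to investigate first, since each withdrawal moves sessions to the remaining members and the Performance SLA page only shows the current state.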

Applying traffic shaping to SD-WAN traffic


You can apply traffic shaping to SD-WAN traffic.
If an application is necessary but you need to prevent it from impacting bandwidth, you can apply a bandwidth limit to the application instead of blocking it entirely. For example, you can limit applications used for storage and backup and leave enough bandwidth for more sensitive applications, such as video conferencing.

Viewing SD-WAN information in the Fortinet Security Fabric


You can view SD-WAN information for FortiGate devices that belong to a Security Fabric in the Physical and Logical topology views on upstream FortiGate devices. This allows you to see which FortiGate devices have SD-WAN links enabled and other basic SD-WAN information without having to log in to each FortiGate device.
View SD-WAN information in the Security Fabric – GUI
1. Go to one of the following:
- Security Fabric > Physical Topology
- Security Fabric > Logical Topology
2. Click a FortiGate device to see whether it has SD-WAN links enabled and view basic SD-WAN information.

High availability
The basic high availability (HA) problem for TCP/IP networks and security gateways is keeping network traffic flowing. Uninterrupted traffic flow is a critical component for online systems and media because critical business processes quickly come to a halt when the network is down.
The security gateway is a crucial component of most networks since all traffic passes through it. A standalone network security gateway is a single point of failure that is vulnerable to any number of software or hardware problems that could compromise the device and bring all traffic on the network to a halt.
When configured on your network, an FGCP cluster appears to be a single FortiGate operating in NAT or transparent mode, and configuration synchronization allows you to configure a cluster in the same way as a standalone FortiGate. If a failover occurs, the cluster recovers quickly and automatically and also sends administrator notifications so that the problem that caused the failure can be corrected and any failed equipment restored.
If one of the FortiGates fails, session failover occurs and active sessions fail over to the unit that is still operating. This failover occurs without any loss of data. As well, the external load balancers or routers detect the failover and redistribute all sessions to the unit that is still operating.
Load balancing and session failover are done by external routers or load balancers and not by the FGSP. The FortiGates just perform session synchronization, which allows session failover to occur without packet loss.

Firewall concepts
There are a number of foundational concepts that are necessary to have a grasp of before delving into the details of how the FortiGate firewall works. Some of these concepts are consistent throughout the firewall industry and some of them are specific to more advanced firewalls such as the FortiGate. Having a solid grasp of these ideas and terms can give you a better idea of what your FortiGate firewall is capable of and how it will be able to fit within your network’s architecture.
What is a firewall?

A firewall can either be software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set. A network's firewall builds a bridge between an internal network that is assumed to be secure and trusted, and another network, usually an external (inter)network, such as the Internet, that is not assumed to be secure and trusted.
There can also be a number of instructions associated with a FortiGate firewall in addition to the ACCEPT or DENY actions, some of which are optional. Instructions on how to process the traffic can also include such things as:
- Logging traffic
- Authentication
- Network Address Translation or Port Address Translation
- Use Virtual IPs or IP Pools
- Caching
- Whether the source of the traffic is based on address, user, device or a combination
- Whether to treat as regular traffic or IPsec traffic
- What certificates to use
- Security profiles to apply
- Proxy options
- Traffic shaping

Types of firewalls
- Next-generation firewalls (NGFW)
- Proxy firewalls
- Network address translation (NAT) firewalls
- Stateful multilayer inspection (SMLI) firewalls
