SD-WAN is a virtual interface that consists of a group of member interfaces that can be connected to different link types. It groups all physical member interfaces into a single virtual interface, which is the SD-WAN interface. SD-WAN simplifies your network configuration because you configure a single set of routes and firewall policies and apply them to all member interfaces. You also configure various types of criteria that SD-WAN uses to select the best links for your network traffic.

One of the main motivators for deploying SD-WAN is effective WAN use with multiple WAN links, where you can use various load balancing algorithms, such as bandwidth usage, sessions, and application-aware routing, to ensure high availability for your business-critical applications.
SD-WAN requirements

The Secure SD-WAN solution has the following requirements:
- Allows only one SD-WAN interface for each VDOM
- Supports SD-WAN configuration for IPv6 in the CLI
- Supports up to 4000 link health monitors, both globally and per VDOM
- Supports up to 4000 SD-WAN rules, both globally and per VDOM
Overall, the components that make up the Fortinet Secure SD-WAN solution are: FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy.

There are four pillars of a successful SD-WAN deployment that need to be clearly understood at the beginning of a project:
- Business-critical applications, their requirements and dependencies.
- Security requirements.
- Site connectivity and the relative priority of each location.
- Circuit cost and availability.
4. Click OK.
After you create an SD-WAN interface, the FortiGate adds a virtual interface for SD-WAN to the interface list. You can create security policies using this SD-WAN interface.

You must configure a security policy that allows traffic from your organization's internal network to the SD-WAN interface. You don't need to configure multiple security policies for individual SD-WAN member interfaces because security policies that you configure with the SD-WAN interface apply to all SD-WAN member interfaces.
Configure security policies for SD-WAN – GUI

1. Go to Policy & Objects > IPv4 Policy.
2. Select Create New.
3. In the Name field, enter a name for the policy.
4. Set Incoming Interface to the interface that connects to your organization's internal network.
5. In the Outgoing Interface field, select the SD-WAN interface from the drop-down menu.
6. In the Source field, select +. In the Select Entries window, select all. Select Close.
7. In the Destination field, select +. In the Select Entries window, select all. Select Close.
8. In the Schedule field, select always from the drop-down menu.
9. In the Service field, select +. In the Select Entries window, select ALL. Select Close.
10. In the Action field, select ACCEPT.
11. In the Firewall/Network Options section, set the following:
   - Enable NAT.
   - In the IP Pool Configuration field, select Use Outgoing Interface Address.
12. In the Security Profiles section, apply AntiVirus, Web Filter, DNS Filter, Application Control, and SSL Inspection profiles, as required.
13. In the Logging Options section, set the following:
   - Enable Log Allowed Traffic and select All Sessions. This allows you to verify the results later.
   - Enable the Enable this policy option.
14. Select OK.
If you previously removed or redirected existing references in security policies to interfaces that you wanted to add as SD-WAN interface members, you can now reconfigure those policies to reference the SD-WAN interface.
Configure security policies for SD-WAN – CLI

    config firewall {policy | policy6}
        edit <policy_id>
            set name <policy_name>
            set srcintf <interface_name>
            set dstintf virtual-wan-link
            set srcaddr <address_name>
            set dstaddr <address_name>
            set action accept
            set status enable
            set schedule <schedule_name>
            set service <service_name>
            set utm-status enable
            set logtraffic all
            set av-profile <profile_name>
            set webfilter-profile <profile_name>
            set dnsfilter-profile <profile_name>
            set application-list <app_list>
            set ssl-ssh-profile <profile_name>
            set nat enable
            set ippool enable
            set poolname <pool_name>
        next
    end

where:
- virtual-wan-link is the SD-WAN interface
- the dnsfilter-profile option isn't available for IPv6, since IPv6 isn't supported for DNS profiles
Monitoring SD-WAN

You can use SD-WAN diagnostics to maintain an efficient and effective SD-WAN solution.

Monitoring SD-WAN link usage

The SD-WAN usage monitor shows traffic distribution between SD-WAN member interfaces in real time. You can view traffic distribution by bandwidth, volume, and sessions.

Monitor SD-WAN link usage – GUI

1. Go to Network > SD-WAN.
2. In the SD-WAN Usage section, select one of the following options to view SD-WAN traffic distribution between the member interfaces:
   - Bandwidth: Shows the traffic distribution as a percentage of the bandwidth that each interface is using
   - Volume: Shows the traffic distribution as a percentage of the volume of sessions for each interface
   - Sessions: Shows the traffic distribution as a percentage of the number of sessions for each interface
3. Select Apply.
Monitoring SD-WAN traffic routing
You can see which applications are going through which destination interface in FortiView.
Monitor SD-WAN traffic routing – GUI
1. Go to FortiView > All Sessions.
2. View the information in the Destination Interface column.
Monitoring SD-WAN link quality status

You should monitor the link quality status of SD-WAN member interfaces, since link quality plays a significant role in link selection for SD-WAN. Investigate any prolonged issues with packet loss, latency, and jitter to ensure that your network doesn't experience degraded performance or an outage.

Monitor SD-WAN link quality status – GUI

1. Go to Network > Performance SLA.
2. Monitor the information in the Packet Loss, Latency, and Jitter columns for each SLA.

The page displays arrows indicating the status of SD-WAN member interfaces. A green arrow indicates that the interface was active and a red arrow indicates that the interface was inactive when the FortiGate performed the status checks. The page also shows measurements for packet loss,
Monitoring system event logs

A FortiGate generates system event logs when an SD-WAN member interface route is added to or removed from the routing table. You can use system events to investigate any route failovers.

Monitor system event logs – GUI

1. Go to Log & Report > System Events.
2. Use information in system event logs related to SD-WAN to investigate issues.

Verifying SD-WAN traffic routing

You can verify that traffic is exiting the FortiGate through the SD-WAN member interfaces as configured.

Verify SD-WAN traffic routing – GUI

1. Go to Log & Report > Forward Traffic.
2. Use information in the Destination Interface column to verify that traffic is routing correctly.
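The GUI checks above (the usage monitor's volume and session shares, the route-change system events, and the Destination Interface column of the forward traffic log) can be reproduced from exported logs. The following added example is not part of the original document and is not FortiGate code: it parses constructed log lines written in FortiGate's key=value syslog style, computes per-interface session and volume shares, lists route-change system events, and flags forward-traffic sessions that left through an interface that is not an SD-WAN member. The field names used (type, subtype, dstintf, sentbyte, rcvdbyte, msg, interface) are assumed for the sample; check them against your own log export before relying on the script.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from a real device), in key=value syslog style.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:00:01 devname="FGT-LAB" type="traffic" subtype="forward" '
    'srcintf="internal" dstintf="wan1" srcip=10.0.1.10 dstip=203.0.113.5 service="HTTPS" '
    'action="accept" sentbyte=1200 rcvdbyte=34000',
    'date=2024-01-15 time=10:00:02 devname="FGT-LAB" type="traffic" subtype="forward" '
    'srcintf="internal" dstintf="wan2" srcip=10.0.1.11 dstip=203.0.113.9 service="DNS" '
    'action="accept" sentbyte=800 rcvdbyte=4200',
    'date=2024-01-15 time=10:00:03 devname="FGT-LAB" type="traffic" subtype="forward" '
    'srcintf="internal" dstintf="wan1" srcip=10.0.1.12 dstip=198.51.100.7 service="HTTP" '
    'action="accept" sentbyte=2000 rcvdbyte=8000',
    'date=2024-01-15 time=10:00:04 devname="FGT-LAB" type="traffic" subtype="forward" '
    'srcintf="internal" dstintf="dmz" srcip=10.0.1.13 dstip=192.0.2.4 service="SSH" '
    'action="accept" sentbyte=500 rcvdbyte=500',
    'date=2024-01-15 time=10:00:05 devname="FGT-LAB" type="event" subtype="system" '
    'logdesc="Routing information changed" msg="Route removed" interface="wan2"',
]

SDWAN_MEMBERS = {"wan1", "wan2"}  # assumed member set for the sample

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one key=value log line into a dict of string fields."""
    return {key: (bare if bare else quoted) for key, quoted, bare in KV_RE.findall(line)}


RECORDS = [parse_log_line(line) for line in SAMPLE_LOGS]


def forward_sessions(records):
    return [r for r in records if r.get("type") == "traffic" and r.get("subtype") == "forward"]


def summarize_forward_traffic(records):
    """Per destination interface: session count, bytes, and share of sessions and volume."""
    stats = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for r in forward_sessions(records):
        s = stats[r.get("dstintf", "?")]
        s["sessions"] += 1
        s["bytes"] += int(r.get("sentbyte", 0)) + int(r.get("rcvdbyte", 0))
    total_sessions = sum(s["sessions"] for s in stats.values())
    total_bytes = sum(s["bytes"] for s in stats.values())
    for s in stats.values():
        s["session_share"] = round(100 * s["sessions"] / total_sessions, 1) if total_sessions else 0.0
        s["volume_share"] = round(100 * s["bytes"] / total_bytes, 1) if total_bytes else 0.0
    return dict(stats)


def sdwan_route_events(records):
    """System events worth reviewing after a suspected failover: (time, message, interface)."""
    return [(r.get("time", ""), r.get("msg", ""), r.get("interface", ""))
            for r in records if r.get("type") == "event" and r.get("subtype") == "system"]


def unexpected_egress(records, members):
    """Forward sessions whose destination interface is not an SD-WAN member."""
    return [r for r in forward_sessions(records) if r.get("dstintf") not in members]


if __name__ == "__main__":
    for intf, s in summarize_forward_traffic(RECORDS).items():
        print(f"{intf}: {s['sessions']} sessions ({s['session_share']}%), "
              f"{s['bytes']} bytes ({s['volume_share']}%)")
    for when, msg, intf in sdwan_route_events(RECORDS):
        print(f"{when} event: {msg} on {intf}")
    for r in unexpected_egress(RECORDS, SDWAN_MEMBERS):
        print(f"unexpected egress via {r['dstintf']}: {r['srcip']} -> {r['dstip']} ({r['service']})")
```

The unexpected-egress check is the programmatic form of step 2 above: any session whose Destination Interface is outside the member set means a policy or route is bypassing SD-WAN and deserves a look.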
High availability

The basic high availability (HA) problem for TCP/IP networks and security gateways is keeping network traffic flowing. Uninterrupted traffic flow is a critical component for online systems and media because critical business processes quickly come to a halt when the network is down.

The security gateway is a crucial component of most networks since all traffic passes through it. A standalone network security gateway is a single point of failure that is vulnerable to any number of software or hardware problems that could compromise the device and bring all traffic on the network to a halt.

When configured on your network, an FGCP cluster appears to be a single FortiGate operating in NAT or transparent mode, and configuration synchronization allows you to configure a cluster in the same way as a standalone FortiGate. If a failover occurs, the cluster recovers quickly and automatically and also sends administrator notifications so that the problem that caused the failure can be corrected and any failed equipment restored.

If one of the FortiGates fails, session failover occurs and active sessions fail over to the unit that is still operating. This failover occurs without any loss of data. As well, the external load balancers or routers detect the failover and redistribute all sessions to the unit that is still operating.

Load balancing and session failover are done by external routers or load balancers and not by the FGSP. The FortiGates just perform session synchronization, which allows session failover to occur without packet loss.
Firewall concepts

There are a number of foundational concepts that are necessary to grasp before delving into the details of how the FortiGate firewall works. Some of these concepts are consistent throughout the firewall industry and some of them are specific to more advanced firewalls such as the FortiGate. Having a solid grasp of these ideas and terms can give you a better idea of what your FortiGate firewall is capable of and how it will be able to fit within your network's architecture.
What is a firewall?

A firewall can either be software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set. A network's firewall builds a bridge between an internal network that is assumed to be secure and trusted, and another network, usually an external (inter)network, such as the Internet, that is not assumed to be secure and trusted.

There can also be a number of instructions associated with a FortiGate firewall in addition to the ACCEPT or DENY actions, some of which are optional. Instructions on how to process the traffic can also include such things as:
- Logging traffic
- Authentication
- Network Address Translation or Port Address Translation
- Use of Virtual IPs or IP Pools
- Caching
- Whether the source of the traffic is based on address, user, device or a combination
- Whether to treat it as regular traffic or IPsec traffic
- What certificates to use
- Security profiles to apply
- Proxy options
- Traffic shaping
Types of firewalls

- Next-generation firewalls (NGFW)
- Proxy firewalls
- Network address translation (NAT) firewalls
- Stateful multilayer inspection (SMLI) firewalls