SD-WAN Architecture for Enterprise

SD-WAN considerations

7.0.0
SD-WAN considerations

| SD-WAN Member | SD-WAN Zone | Performance SLA | SD-WAN Rule | Firewall Policy |
|---|---|---|---|---|
| All overlay interfaces to the single Datacenter location | Overlays should be grouped by device and location | Health check server: business-critical applications and resources | Dependent on business intention and availability requirements | References the SD-WAN zone(s) and appropriate security inspection |
| Example: overlay1_wan1, overlay2_wan2 | Example: Datacenter (overlay1_wan1, overlay2_wan2) | Example: Health-check: Datacenter_Server; Members: overlay1_wan1, overlay2_wan2 | Example: Destination: Datacenter_LAN; Steering Strategy: Lowest Quality SLA | Example: Source: Branch_LAN; Destination: Datacenter_LAN; Destination Interface: Datacenter; Security Inspection: Branch_Group |
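The Firewall Policy column of the table, written out as a FortiOS CLI policy. This is an added example, not configuration from the guide; it assumes that "lan" is the branch LAN interface, that the address objects Branch_LAN and Datacenter_LAN, the profile group Branch_Group and the SD-WAN zone Datacenter already exist, and it references the zone (not an overlay member) as the destination interface, because FortiOS rejects an interface that has become an SD-WAN member as a policy interface.

```fortios
config firewall policy
    edit 1
        set name "Branch_to_Datacenter"
        set srcintf "lan"
        set dstintf "Datacenter"
        set srcaddr "Branch_LAN"
        set dstaddr "Datacenter_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-type group
        set profile-group "Branch_Group"
        set logtraffic all
    next
end
```

If a per-WAN inspection profile is needed, the page's guidance applies: create one SD-WAN zone per overlay member and write one policy per zone.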

Additional details

  • SD-WAN members:
    • Each overlay is an SD-WAN member.
    • If one member or WAN is preferred over another, assign a lower cost to the preferred interface; a Lowest Cost SLA SD-WAN rule can then use that cost to order the members.
  • SD-WAN zone:
    • Zones should be grouped by device and location. For example, in the design for a single datacenter with an active-passive gateway (see Single datacenter (active-passive gateway)), all overlays to the gateway can share a single zone.
    • In active-passive designs, all overlays terminate on a single, active device, so no additional considerations are necessary.
  • Performance SLA:
    • The health-check destination IP address should point to the location where the business application or workload runs.
    • Loopbacks on the gateway can also be created to serve as a health-check server.
  • SD-WAN rules:
    • The appropriate route must be present in the routing table for an SD-WAN rule to be active. If the route is missing or misconfigured, the SD-WAN rule is considered inactive and skipped.
    • Rules for branch-to-corporate traffic (datacenter or other branch locations) should include all available overlays and their appropriate SLA.
    • Since corporate traffic is typically known, it is usually preferable to match the destination by address object or route tag rather than by application or internet service.
  • Firewall policy:
    • The firewall policy should reference the datacenter zone(s) with the appropriate rule and security profiles enabled.
    • Policies can only reference zones, not individual members. If you need different policies or inspection per WAN, consider creating an SD-WAN zone per overlay member.
