Introduction

7.0.0

This guide describes how to deploy Secure SD-Branch. It begins with an executive summary followed by a description of the target audience and how this guide fits into the 4D documentation series for SD-WAN technology.

Executive summary

Secure SD-Branch is an extension of SD-WAN that secures the LAN edge in addition to the WAN edge by extending next-generation firewall security through the access layer. This convergence of LAN, SD-WAN, and routing into a unified platform with single-pane-of-glass management uses software to simplify the management of the branch. SD-Branch takes the benefits of SD-WAN's ease of use and automation and applies them to the LAN.

One paradigm holds that complexity increases with security, and that attempts to reduce complexity often compromise functionality, performance, or both. SD-Branch addresses these problems by extending the proven WAN security of the FortiGate to the LAN and then applying dynamic rules to the unified WAN and LAN in a human-friendly format. The result is a highly secure branch network that is easy to understand and manage, and that enhances user experience by increasing application performance and connectivity.

In a standard SD-Branch setup, FortiGate contains all the intelligence of SD-WAN that will apply to the WAN Edge. It also extends its security to the access layer through the FortiSwitch and FortiAP, which form the LAN edge.

Furthermore, in larger deployments SD-Branch can be scaled out to many branches, with each branch connecting back to the headquarters (HQ) hub device for centralized management, logging, and monitoring. While this guide does not cover the central management aspects of SD-Branch, we will demonstrate a topology with scalability in mind.

Example hub and spoke SD-Branch setup:

Audience

This guide is intended for network and security engineers who want hands-on experience configuring SD-WAN. The guide will help you develop the steps necessary to implement the final SD-Branch solution specific to your business. The contained configurations are examples for retail and office branches. Use them as a reference when the topology and use case match your needs, and revise them where necessary. For scalable deployment, FortiManager offers a systematic approach to deployment and continued management of many branch sites. See the SD-WAN 6.4 Deployment for MSSPs.

It is beneficial to have read the associated design guide for a deeper understanding of the contained configuration, and to be familiar with the devices covered in this guide, such as FortiGate, FortiSwitch, and FortiAP.

About this guide

This guide is the third step in the four-step process of Define, Design, Deploy, and Demo:

  1. The define step describes the business need of extending WAN intelligence, security, and scalable management.
  2. The design step describes a design that meets these needs by integrating multiple solutions into one unified platform.
  3. The deploy step provides a step-by-step guide to the configurations necessary to implement the complete solution.

This guide is intended to introduce SD-WAN configuration. The guide provides steps to implement the framework of SD-WAN directly on a FortiGate, but may omit specific steps where readers must make design decisions to further configure their devices. This guide does not detail all of the available features that SD-WAN may provide once implemented, nor does it provide instructions on scaling the deployment to many sites and managing the configuration accordingly. It is beneficial to read the associated design guide for a deeper understanding of the contained configuration. Please refer to the following supporting documentation for further details:
