Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN / SD-Branch Architecture for MSSPs

    Home FortiGate / FortiOS 7.4.0 SD-WAN / SD-Branch Architecture for MSSPs
    7.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Shortcut management

    Shortcut management

    As in any Hub-and-Spoke topology, Spokes have virtually no knowledge about each other, as long as there is no traffic flow between them. When user traffic starts flowing between a pair of Spokes, initially it flows through the Hub(s).

    But it also triggers the Discovery process. The two Spokes exchange information between them, and the originating Spoke learns the topology of the remote Spoke, including the transport groups and the current health status of its WAN connections. The Path Selection mechanism can then trigger an optimal shortcut between the two Spokes, combining the following pieces of information:

    • The local WAN connections, their transport group IDs, and current health status (as measured by the local Spoke probing its Hub)

    • The remote WAN connections, their transport group IDs, and current health status (as measured by the remote Spoke probing its Hub)

    • The local SD-WAN Rule matched by the user traffic, dictating the desired steering strategy and other parameters

    For example, consider two SD-WAN sites, each having an Internet connection and an MPLS connection:

    As the above diagram shows, the Internet link on the remote Spoke is currently out of service (or out of SLA). This information is communicated to the originating Spoke during the Discovery process. As a result, the originating Spoke cannot trigger a shortcut within transport group 1, even though this would be preferred by the matched SD-WAN Rule. Hence, the Path Selection mechanism makes a decision to trigger the MPLS shortcut, within transport group 2.

    After the first shortcut is triggered, Health Updates will be periodically sent over it, updating the previously exchanged information as necessary. Also, as explained in the previous section, a more accurate end-to-end health status will be now measured over the shortcut, adding another piece of information to the Path Selection intelligence. This may cause the originating Spoke to trigger another shortcut, if and when it is deemed optimal.

    In our example, when the Internet link becomes available (and healthy), the originating Spoke can trigger a new Internet shortcut, within transport group 1, to respect the preference expressed in the matched SD-WAN Rule:

    The Health Updates continue to be exchanged, and the Path Selection mechanism continues to revisit its choices, as long as at least one shortcut remains active between the two Spokes. When the user traffic between the two Spokes stops, all the shortcuts will be eventually torn down (based on an idle timeout), and the Spokes will flush all the information previously learned about each other, effectively returning back to the initial state.

    Previous
    Next

    Shortcut management

    Shortcut management

    As in any Hub-and-Spoke topology, Spokes have virtually no knowledge about each other, as long as there is no traffic flow between them. When user traffic starts flowing between a pair of Spokes, initially it flows through the Hub(s).

    But it also triggers the Discovery process. The two Spokes exchange information between them, and the originating Spoke learns the topology of the remote Spoke, including the transport groups and the current health status of its WAN connections. The Path Selection mechanism can then trigger an optimal shortcut between the two Spokes, combining the following pieces of information:

    • The local WAN connections, their transport group IDs, and current health status (as measured by the local Spoke probing its Hub)

    • The remote WAN connections, their transport group IDs, and current health status (as measured by the remote Spoke probing its Hub)

    • The local SD-WAN Rule matched by the user traffic, dictating the desired steering strategy and other parameters

    For example, consider two SD-WAN sites, each having an Internet connection and an MPLS connection:

    As the above diagram shows, the Internet link on the remote Spoke is currently out of service (or out of SLA). This information is communicated to the originating Spoke during the Discovery process. As a result, the originating Spoke cannot trigger a shortcut within transport group 1, even though this would be preferred by the matched SD-WAN Rule. Hence, the Path Selection mechanism makes a decision to trigger the MPLS shortcut, within transport group 2.

    After the first shortcut is triggered, Health Updates will be periodically sent over it, updating the previously exchanged information as necessary. Also, as explained in the previous section, a more accurate end-to-end health status will be now measured over the shortcut, adding another piece of information to the Path Selection intelligence. This may cause the originating Spoke to trigger another shortcut, if and when it is deemed optimal.

    In our example, when the Internet link becomes available (and healthy), the originating Spoke can trigger a new Internet shortcut, within transport group 1, to respect the preference expressed in the matched SD-WAN Rule:

    The Health Updates continue to be exchanged, and the Path Selection mechanism continues to revisit its choices, as long as at least one shortcut remains active between the two Spokes. When the user traffic between the two Spokes stops, all the shortcuts will be eventually torn down (based on an idle timeout), and the Spokes will flush all the information previously learned about each other, effectively returning back to the initial state.

    Previous
    Next