SD-WAN / SD-Branch Architecture for MSSPs

7.2.0

Basic SD-WAN configuration

Still focusing on a single FortiGate device, the SD-WAN configuration includes the following main steps:

  1. SD-WAN Interface Members define your SD-WAN bundle. They are the interfaces controlled by SD-WAN and where the outgoing traffic can be potentially steered. Almost any interface supported by a FortiGate device can become an SD-WAN interface Member, including physical ports, VLAN interfaces, LAGs, IPsec/GRE/IPIP tunnels, and even FortiExtender interfaces.

    For convenience, the SD-WAN Members are grouped into SD-WAN Zones.

    Note

    In a complete SD-WAN Solution, all your WAN-facing underlays and overlays are usually configured as SD-WAN Members (although this is not mandatory!). We will return to this topic in the next chapters.

  2. Performance SLAs are the health-check probes used by the FortiGate devices to actively measure the health of each available path. You define which server to probe and which protocol to use (including Ping, HTTP, TCP/UDP Echo, TWAMP, or DNS). Each probe measures latency, jitter, and packet loss percentage over a configured subset of the SD-WAN Members.

    In addition, you can configure multiple SLA Targets for each probe. These metrics together allow SD-WAN to compare the health of different available paths and determine which paths are acceptable for a particular application and which are not. Unacceptable paths are sometimes called out of SLA.

  3. SD-WAN Rules finally combine all the elements together. They are the set of business rules which can steer a particular application to a particular SD-WAN Member, considering its current health and SLA status.

Each SD-WAN rule has the following logical parts:

  • Matching Criteria defines what applications or what kind of traffic will match this rule. We can match based on a large variety of inputs, including signature-based L7 Application detection (Application Control Database), dynamic feeds (Internet Service Database or ISDB), multiple User Identity providers, information received from dynamic routing (using Route-Tags), DSCP/ToS fields... and of course, also based on simple L3/L4 criteria!

  • SD-WAN Strategy defines the logic used to select one of the SD-WAN Members to steer this traffic. The following strategies can be configured:

    • Best Quality: select an SD-WAN Member with the best measured quality.
    • Lowest Cost (SLA): select the cheapest SD-WAN Member that meets a given SLA target.
    • Maximize Bandwidth (SLA): load-balance across all SD-WAN Members that meet a given SLA target.
    • Manual: manually specify an SD-WAN Member to select.

Note

The SD-WAN rules probably remind you of Firewall Rules. Indeed, many of the same matching criteria are used, and the SD-WAN rules are also evaluated in the order of their configuration—just like the Firewall Rules. But they serve the following complementary goals:

  • Firewall rules define how to secure a particular application, should a particular path be selected.
  • SD-WAN rules define how to select a particular path for a particular application.

Needless to say, every outgoing session must be permitted by a Firewall Rule, after matching an SD-WAN rule!

Having both rule sets rely on the same inputs (such as Application Control Database, Internet Service Database (ISDB), same User Identity providers, and so on) greatly improves integration between traffic steering and security, making the overall solution consistent.
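The following FortiOS 7.2 CLI listing is an added example, not configuration taken from this guide, showing the three steps above (Members in a Zone, a Performance SLA, and SD-WAN Rules using three of the four strategies) on a single FortiGate with two Internet underlays, followed by the default route and the Firewall Rule that every steered session must still pass. Interface names (port1, port2, port3), gateway addresses, thresholds, the member cost values and the probe target are assumptions chosen for illustration.

```fortios
# Added example (not from the guide). Assumed: port1/port2 are two ISP
# uplinks, port3 is the LAN, 192.0.2.1 / 198.51.100.1 are documentation
# addresses standing in for the ISP gateways.
config system sdwan
    set status enable
    # Step 1: SD-WAN Members, grouped into one SD-WAN Zone
    config zone
        edit "underlay"
        next
    end
    config members
        edit 1
            set interface "port1"          # assumed: ISP A, unmetered
            set zone "underlay"
            set gateway 192.0.2.1
            set cost 0                     # member cost, used by Lowest Cost (SLA)
        next
        edit 2
            set interface "port2"          # assumed: ISP B, metered backup
            set zone "underlay"
            set gateway 198.51.100.1
            set cost 10
        next
    end
    # Step 2: Performance SLA - one probe over both members, one SLA Target
    config health-check
        edit "HC-Internet"
            set server "<probe-target-ip>"   # placeholder: a server you operate or are permitted to probe
            set protocol ping
            set interval 500                 # probe every 500 ms (assumed)
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 150      # ms, assumed targets
                    set jitter-threshold 30
                    set packetloss-threshold 2     # percent
                next
            end
        next
    end
    # Step 3: SD-WAN Rules, evaluated top to bottom like Firewall Rules
    config service
        edit 1
            # Best Quality: HTTPS follows whichever member currently measures best
            set name "Web-Best-Quality"
            set mode priority
            set src "all"
            set dst "all"
            set protocol 6
            set start-port 443
            set end-port 443
            set health-check "HC-Internet"
            set priority-members 1 2
        next
        edit 2
            # Lowest Cost (SLA): cheapest member that still meets SLA Target 1;
            # a member that drops out of SLA is skipped for new sessions
            set name "Default-Lowest-Cost"
            set mode sla
            set src "all"
            set dst "all"
            config sla
                edit "HC-Internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        edit 3
            # Maximize Bandwidth (SLA): spread sessions across every in-SLA member
            set name "Bulk-Max-Bandwidth"
            set mode load-balance
            set src "all"
            set dst "all"
            config sla
                edit "HC-Internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
# Default route via the SD-WAN Zone, so both members are usable egress paths
config router static
    edit 1
        set sdwan-zone "underlay"
    next
end
# Firewall Rule: references the Zone, not a member, so the same security
# profiles apply whichever path the SD-WAN rule selects
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "port3"                 # assumed LAN interface
        set dstintf "underlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set av-profile "default"
        set logtraffic all
    next
end
```

Rule 1 is listed first because it is the most specific match (TCP/443); the catch-all rules follow it, mirroring the ordered evaluation the note above describes. Because the Firewall Rule's dstintf is the Zone, adding or removing a Member later does not require touching the policy, which is what keeps steering and security consistent.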

Once we complete this configuration, our FortiGate device (deployed at the site perimeter) becomes an SD-WAN node and is ready for intelligent traffic steering.

Any new session arriving at the FortiGate from the LAN side is evaluated against the configured SD-WAN rules and steered accordingly. Furthermore, existing sessions can switch over to a different path, should the network health conditions change.

We will soon see how this functionality applies to both underlays and overlays. But before talking about it, see Practical basic SD-WAN examples about a single FortiGate device connected to the public Internet, without any overlay network involved.
