Fortinet Secure SD-WAN: Usage, Configuration, and Case Scenario

Fortinet Secure SD-WAN enables organizations to enhance application performance and reduce WAN costs by utilizing multiple WAN links and dynamically steering traffic across those links. It also provides comprehensive security features to protect the network from threats. This blog post will cover the usage, configuration, and case scenarios for Fortinet Secure SD-WAN.

What is Fortinet Secure SD-WAN?

Fortinet Secure SD-WAN is a comprehensive solution that combines SD-WAN functionality with next-generation firewall (NGFW) security, advanced routing, and zero-trust network access (ZTNA) application gateway functions. It is designed to provide a secure and efficient way to connect branch offices to the internet and to each other 1.

Fortinet Secure SD-WAN is built on the FortiGate next-generation firewall, which provides a wide range of security features, including:

• Intrusion prevention system (IPS)

• Anti-malware

• Web filtering

• Application control

• Data loss prevention (DLP)

Fortinet Secure SD-WAN is part of the Fortinet Security Fabric, a comprehensive security platform that provides broad visibility, integration, and automation 2. This integration allows for centralized management and a unified security posture across the entire network.

One of the key advantages of Fortinet Secure SD-WAN is its controllerless-based architecture 1. This architecture provides benefits such as simplified management, increased scalability, and improved reliability. Unlike traditional SD-WAN solutions that rely on a central controller, Fortinet Secure SD-WAN allows each FortiGate device to operate independently, ensuring continued operation even if connectivity to the central management platform is lost.

Fortinet Secure SD-WAN is available in diverse form factors, including hardware appliances, virtual machines, and six different cloud marketplaces 3. This flexibility makes it easy to deploy in a variety of environments, from on-premises data centers to public clouds.

In addition to the security features mentioned above, Fortinet Secure SD-WAN includes a wide range of advanced security capabilities, such as:

• Antispam

• Antivirus

• DNS security

• Industrial security

• Intrusion prevention

• Mobile security

• Sandboxing

• Security rating

• URL filtering 4

These comprehensive security features ensure that your network is protected from the latest threats, regardless of the type of WAN connection being used.

Fortinet Secure SD-WAN uses dynamic application steering to select the best WAN link for each application based on factors such as latency, jitter, and packet loss 1. This ensures that applications always have the best possible performance, even when using less expensive internet links.

How to Configure Fortinet Secure SD-WAN

Configuring Fortinet Secure SD-WAN can be done through the FortiGate web interface or CLI. The following are the basic steps involved in configuring Fortinet Secure SD-WAN:

1. Enable SD-WAN: The first step is to enable SD-WAN on the FortiGate. This can be done by going to Network > SD-WAN and setting the Status to Enable.

2. Configure SD-WAN Zones: SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies as source and destination interfaces. You can define multiple zones to group SD-WAN interfaces together, allowing logical groupings for overlay and underlay interfaces. Routing can be configured per zone 5.

3. Configure SD-WAN members: SD-WAN members are the ports and interfaces that are used to run traffic. At least one interface must be configured for SD-WAN to function 5. To configure SD-WAN members, go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member 6. Configure the following settings:

4. Interface: Select the interface that you want to use as an SD-WAN member.

5. SD-WAN Zone: Select the SD-WAN zone to which the member belongs.

6. Gateway: The IP address of the gateway for the SD-WAN member.

7. Cost: The cost of the SD-WAN member. This is used by the SD-WAN to determine which member to use for traffic.

8. Status: The status of the SD-WAN member.

9. Configure performance SLAs: Performance SLAs are used to monitor member interface link quality and to detect link failures. When the SLA falls below a configured threshold, the route can be removed, and traffic can be steered to different links in the SD-WAN rule 5. SLA health-checks use active or passive probing:

10. Active probing requires manually defining the server to be probed and generates consistent probing traffic.

11. Passive probing uses active sessions that are passing through firewall policies used by the related SD-WAN interfaces to derive health measurements. It reduces the amount of configuration and eliminates probing traffic. To configure performance SLAs, go to Network > SD-WAN > Performance SLA and click on Create New. Configure the following settings:

12. Name: The name of the performance SLA.

13. Protocol: The protocol to use for the performance SLA.

14. Server: The IP address or hostname of the server to use for the performance SLA.

15. Target: The target values for the performance SLA.

16. Configure SD-WAN rules: SD-WAN rules control path selection. Specific traffic can be dynamically sent to the best link or use a specific route. Rules control the strategy that the FortiGate uses when selecting the outbound traffic interface, the SLAs that are monitored when selecting the outgoing interface, and the criteria for selecting the traffic that adheres to the rule 5. When no SD-WAN rules match the traffic, the implicit rule applies. To configure SD-WAN rules, go to Network > SD-WAN > SD-WAN Rules and click on Create New. Configure the following settings:

17. Name: The name of the SD-WAN rule.

18. Source address: The source IP address or address group for the SD-WAN rule.

19. Destination address: The destination IP address or address group for the SD-WAN rule.

20. Service: The service or service group for the SD-WAN rule.

21. Strategy: The strategy to use for the SD-WAN rule. The following strategies can be configured 7:

| Strategy | Description |

Works cited

1. Secure SD-WAN solution | FortiGate / FortiOS 7.2.0 | Fortinet ..., accessed on February 12, 2025, https://docs.fortinet.com/document/fortigate/7.2.0/sd-wan-architecture-for-enterprise/86084/secure-sd-wan-solution

2. Fortinet Security POC: SD-WAN & SD-Branch - WWT, accessed on February 12, 2025, https://www.wwt.com/blog/fortinet-security-poc-sd-wan-and-sd-branch

3. FortiGate Secure SD-WAN - NetSource One, accessed on February 12, 2025, https://www.nsoit.com/Fortinet/SD-WAN/

4. Fortinet Secure SD-WAN - AVFirewalls.com, accessed on February 12, 2025, https://www.avfirewalls.com/Secure-SD-WAN.asp

5. SD-WAN components and design principles | FortiGate / FortiOS 7.6.2 | Fortinet Document Library, accessed on February 12, 2025, https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/257828/sd-wan-components-and-design-principles

6. Configuring the SD-WAN interface | FortiGate / FortiOS 7.6.1 - Fortinet Document Library, accessed on February 12, 2025, https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/218559/configuring-the-sd-wan-interface

7. SD-WAN configuration | FortiGate / FortiOS 7.2.0 - Fortinet Document Library, accessed on February 12, 2025, https://docs.fortinet.com/document/fortigate/7.2.0/sd-wan-architecture-for-enterprise/166334/sd-wan-configuration