
SD-Branch

Secure Your Access Edge with FortiSwitch, FortiAP, and FortiLink

Eduardo Louback / Kleython Kell

Welcome to the Fortinet SD-Branch Fast Track
This training session is composed of two sections

Section One: Introduction to SD-Branch


1. Customer profile
2. Business drivers & Market evolution
3. Fortinet’s approach to the enterprise branch
4. Solution components: SD-WAN, Secure Access (FortiAP and FortiSwitch), and FortiNAC.
5. Deployment and Management
6. Customer Wins
7. Opportunity Discovery and Development
8. Competition

Section Two: Lab, covering the configuration of Secure Access with FortiLink.

What’s the value of SD-Branch to a Fortinet partner?
SD-WAN is the hottest market in the networking industry, and refreshes rarely stop at the WAN edge.

Gartner analysts on customer drivers:

“Users also see a need for WAN solutions that effectively integrate with
local wireless LANs in the branch and IoT applications being deployed.
This means an opportunity of convergence and deeper integration
between the WAN and LAN platforms used in the branches.”

Secure SD-WAN is a feature of our FortiGate.

SD-Branch offers the benefit of consolidation through the convergence of services.

SD-Branch includes additional hardware and services beyond FortiGate, increasing the value of the opportunity by as much as 3X.

The Branch Office
Distributed Enterprise
Digital Transformation at the remote branch
Expansion at the WAN edge

• Cloud Enabled
• Reduce WAN Cost
• Simplify Operations

Challenge: New WAN and Access edge paradigm
Each user and device now represents an edge

• Lack of Visibility: Poor Performance
• Secure multiple network edges
• Complexity: Too many point products

Evolution of the WAN Edge at the Remote Branch
• WAN Edge: Traditional WAN too expensive
• SD-WAN: Offers cost savings and improvements but lacks Security and Visibility
• Secure SD-WAN: Provides visibility and security but there are too many additional point products
• SD-Branch: Provides integration of WAN and LAN platforms, extending Secure SD-WAN features into the network.

[Diagram: WAN Edge, SD-WAN, Secure SD-WAN, SD-Branch, Access Edge]

Fortinet Approach to Branch Architecture
Fortinet Secure SD-WAN
Security, Simplicity, Low Total Cost of Ownership

• Security enabled by FortiGate NGFW
• SD-WAN integrated as feature of FortiGate NGFW
• SD-WAN application steering with high performance on any WAN link
• Single point of management
• Zero touch deployment
• FortiGate through FortiOS, the heart of the Fortinet Security Fabric

[Diagram: FortiGate NGFW, SD-WAN, FortiManager, FortiDeploy; Broad, Integrated, Automated]

Fortinet Secure SD-Branch
Securing the access edge through Security Driven Networking

Secure Access protecting the access edge
• Offers consolidation through convergence of security and network access.
• FortiSwitch and FortiAP integrated into FortiGate as extensions of the NGFW
• A unique architecture ideal for SD-Branch deployments

FortiNAC protecting the device edge
• Auto discovery, classification, and security of IoT devices as they enter the network.
• Increased visibility and anomaly detection
• FortiGate as a sensor, no additional hardware at branch.

[Diagram: FortiGate NGFW, SD-WAN, FortiManager, FortiDeploy, FortiAP, FortiSwitch, FortiNAC; Broad, Integrated, Automated]

Solution Components
Introducing FortiSwitch

13
Secure Unified Access Ethernet
Pervasive Security with Fortinet Security Fabric Integration powered by FortiLink.

Secure
• FortiSwitch becomes a logical extension of the FortiGate when connected via FortiLink

Simple
• Simplified Management, Deployment, and Network Architectures.

Scalable
• Stackable up to 300 switches per FortiGate.

[Diagram: Internet, MPLS, LTE; WAN Edge; FortiSwitch]

FortiSwitch Access Switch Family
Entry: 100 Series
• Entry Level Switch
• 8 to 48 gigabit Ethernet ports, POE Capable
• Desktop to wiring closet.
• (2-4) Gigabit Ethernet SFP uplink ports

Mid Range: 200 Series
• Mid level Switch
• 24 to 48 gigabit Ethernet ports, POE+ Capable
• Typical wiring closet switch
• (4) Gigabit Ethernet SFP uplink ports

Premium: 400 Series
• Enterprise Switch
• 24 to 48 gigabit Ethernet ports, POE+ Capable
• Larger wiring closet or high throughput requirements.
• Up to (4) 10 Gigabit Ethernet SFP uplinks

Aggregation: 500 Series
• Aggregation Switch
• 24 to 48 gigabit Ethernet ports, POE+ Capable
• Up to (4) 10 Gigabit Ethernet (2) 40 Gigabit Ethernet SFP uplinks

FortiSwitch Data Center Switch Family
1000 Series
• Data Center Aggregation Switch
• 24 or 48 10 Gigabit Ethernet SFP slots
• Up to four QSFP28 100 GbE Uplinks or Six 40 GbE QSFP+
• Two Dual hot swappable power supplies

3000 Series
• Data Center Switch
• 3000 series offers 32 x 100 Gigabit Ethernet capable QSFP28 slots
• Dual hot swappable power supplies

Introducing FortiAP

17
Secure Unified Wireless Access with FortiAP
Wireless a logical extension of the FortiGate with FortiLink

Secure
• Pervasive security with Security Fabric integration.

Simple
• Plug & Play management with single pane of glass for wired, wireless, and security
• No additional licenses

Visibility
• See the whole network, and track identity throughout.

[Diagram: Internet, MPLS, LTE; WAN Edge; FortiAP]

Access Points you expect from Enterprise Wi-Fi
• 4x4 models for high throughput
• 2x2 models for price sensitivity
• Internal or external antenna
• IP67 models for Outdoor installations and meshing
• Wall Plate form factor for in-room installations

FortiAP Naming Structure

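Example: FAP-U421E

• Prefix: FAP- = Fortinet AP
• Series (U in the example): S = Smart, U = Universal
• Number of Streams (4 in the example): 1 = 1x1, 2 = 2x2, 3 = 3x3, 4 = 4x4
• Number of Radios (2 in the example): 1 or 2
• Style (1 in the example): 1 = Indoor / Internal, 3 = Indoor / External, 4 = Rugged / Internal, 2 = Rugged / External
• Capabilities (E in the example): C = 11ac – w1, E = 11ac – w2, F = 11ax, V = Virtual Cell
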
Network Admission Control with FortiNAC
Security in the world of IoT

Enhanced Visibility
• Identify and profile all endpoints, IoT devices, users, & applications

Increased Control
• Segmentation based on endpoint characteristics and profile

Automated Response
• Continuous risk assessment and anomaly detection
• Automated responses for dynamic network control

[Diagram: Internet, MPLS, LTE; WAN Edge; Network Access; SD-BRANCH; IoT; FortiNAC]

Deployment

22
FortiLink enables Access SD-Branch
FortiLink protocols enable FortiGate to manage Fortinet’s network access layer
Simplicity
• Flexible architecture, scales as needs change
• Management visibility and analytics across wired, wireless, and security

Security
• Firewall and switch ports equally secure, SSIDs tied directly to firewall policies
• Global Security policies down to port and WLAN level

Lower Cost of Ownership
• Access Management included with SD-Branch. No licenses required

[Diagram: FortiGate NGFW, FortiSwitch, FortiAP, FortiLink]

Deploy and Secure your Access Edge in just a few steps

• Plug in your devices
• Authorize them in your FortiGate
• Assign settings in a single place
• Configuration is pushed to managed devices
• Set your policies
• FortiGate extends them through the network
• Your firewall now extended throughout the network access layer

[Diagram: 1. FortiSwitch, 2. FortiAP, 3. FortiAP, 4. FortiAP; Ports]

Management

26
SD Branch Management Options

FortiGate Interface
• Ideal for small or single site deployments
• Supports SD-WAN configuration and management.
• Manage security, network access and WAN from a single interface

FortiManager
• Management at scale
• Supports SD-WAN configuration and management
• Supports zero touch deployment
• Manage SD-WAN, security, and access from one interface

Secure SD-Branch Deployment

• Simplified Management
• Integrated Security
• Lower TCO

[Diagram: Data-Center, NOC/SOC, FortiManager, Centralized FortiNAC; Multi-Cloud, SaaS; Internet, MPLS, LTE; WAN Edge; Network Access; SD-BRANCH; IoT; FortiNAC]

SD-Branch:
Opportunity Discovery and Development
Discovery Questions to Ask
1. How many sites do you support?
2. What is the current solution for branch connectivity? (# Branches, # Technology Vendors?, Link Types, Service Provider(s), etc.)
3. How are you currently securing the remote branch networks?
4. What is your current strategy to support digital transformation/improved customer experience/efficiency of process and operations?
5. What is the business application architecture in your branch locations? (number of apps, traditional vs. cloud, any plans for new applications or services)
6. How are you dealing with IoT devices entering your remote branch networks?

How We Win
Demo Demo Demo!
• The Secure Access solution using FortiLink demos extremely well and is easy to set up.
  • If FortiGate is set up, it takes less than five minutes
  • Validates consolidation of services and integration via FortiLink.
• Demonstrates the benefit of adding access management to a proven secure platform.
  • Wireless configured as a firewall interface.
  • Switch ports the same as physical firewall ports.
• Discuss scale and simplicity of provisioning
  • Introduces the zero touch deployment options available through FortiManager and FortiDeploy

Why SD-Branch
Flexible Architecture
• Consolidation does not have to mean a single box
• Scale to meet branch needs
Security
• Ethernet switch ports as secure as FortiGate ports
• WLAN configured as FortiGate interface
• IoT discovery security and anomaly detection
Simplified management
• Zero touch deployment model
• Manage directly from FortiGate or at scale with FortiManager.
Low TCO
• No licensing fee for FortiGate management

SD-Branch Quiz

https://kahoot.it
Lab Exercise:
Part 1: FortiSwitch FortiLink Lab
Part 2: FortiAP FortiLink Lab
<Fast Track> Session

https://use.cloudshare.com/Class/22l1i
Student Name: <student email>
Passphrase: Fortinet1!
Student Access
• Classroom URL and Password provided from Instructor Email

Lab Topology
• The FortiSwitches, APs, and the client are physical devices
• The Lab environment is composed of sixteen pods.
• Each pod has a FortiGate, a FortiSwitch, a FortiAP, and client.
• Each Student will be assigned a Student number which will correspond to a POD.

[Diagram: FortiSwitch Lab Main Gate; POD-1, POD-2, POD-3, POD-14, POD-15, POD-16]

Lab Topology

The credentials to access the lab environments are different from those used to log into CloudShare.

• Use the assigned Student<x> Credentials to connect to the lab environment via FortiClient
• Your Student credentials will direct you to your assigned lab environment (POD) based on your student number.
• FortiFIED app on the Jumpbox Desktop is your lab guide.

Part 1:
FortiSwitch FortiLink Lab Course

This is a short technical lab designed to walk you through the steps
necessary to configure FortiLink between the FortiGate and
FortiSwitch enabling the Fortinet Security Fabric in the Ethernet
access layer.

Part 2:
FortiAP FortiLink Lab Course

This is a short technical lab designed to walk you through the steps necessary to
configure a variety of common wireless network types on FortiAPs using the FortiLink
wireless protocol running across CAPWAP.

FortiFIED Overview
FortiFIED Interactive Lab Guide

• Application Banner
• Objectives List
• Display Tabs
• Rich Text
• Answer Choice
• Complete
• Request Hint
• Status Bar
• Scale Text Slider
• Resize Display Bar
Contacts – Fortinet GOV Brasília

Pedro Almeida - Major Account Manager - palmeida@fortinet.com
Eduardo Louback - Sr. Systems Engineer - elouback@fortinet.com
Kleython Kell - Systems Engineer - kkell@fortinet.com
