
SD-WAN

Mateusz Szopinski (Consulting Systems Engineer)

© Copyright Fortinet Inc. All rights reserved.


DISCLAIMER

This document contains confidential material proprietary to Fortinet, Inc.

This document and information and ideas herein may not be disclosed, copied, reproduced or
distributed to anyone outside Fortinet, Inc. without prior written consent of Fortinet, Inc.

This information is pre-release and forward looking and therefore is subject to change
without notice.

The purpose of this document is to provide a statement of the current direction of
Fortinet’s product strategy and product marketing efforts.

Please note that this Product Roadmap is neither intended to bind Fortinet to any particular course
of product marketing and development nor to constitute a part of the license agreement or any
contractual agreement with Fortinet or its subsidiaries or affiliates.

Agenda

1 SD-WAN Features

2 Implementing SD-WAN 5.6

3 Implementing SD-WAN Bandwidth Control


SD-WAN Features

CONFIDENTIAL Fortinet - Confidential 4


SD-WAN (Hybrid WAN) Evolution

[Diagram: "Centralized MPLS WAN Based" and "Distributed Hybrid WAN Based" topologies. Labels: Router, NGFW or UTM, Internet, MPLS, VPN, SaaS, IaaS, Data Center]

Traditional WAN  | Attribute                | Hybrid WAN
High             | Transport Cost           | Lower
Low              | Bandwidth                | High
Data Center only | Application Optimization | DC and Cloud
MPLS Only        | Connectivity             | MPLS, VPN, LTE
Medium           | Availability             | High

I hate my WAN : SD-WAN to the Rescue

Traditional WAN Architecture has become suboptimal

Enterprise WANs are mired in complexity and cost

Improve performance for all applications including cloud

Secure connectivity with the ability to integrate networking

By the end of 2019, 30% of enterprises will use SD-WAN technology in all their branches, up from less than 1% today - Gartner

Distributed Enterprise SD-WAN Vision

[Diagram labels: Branch, Internet VPN, Private Cloud, Public Cloud]

Business-critical traffic, e.g. voice/video, takes the best delay, jitter, and/or loss path

Business-critical traffic is rerouted if the current path degrades below policy thresholds

Non-critical traffic is load balanced to maximize bandwidth or minimize cost

Direct Internet Access for SaaS

Fortinet’s Key Benefits of Secured SD-WAN Solution

MPLS to Direct Internet Access for Cloud: Reduces WAN Cost Spending

Efficient WAN Path Controller: Higher SLA for Business App

Effective Security – Direct Internet Access: Better Security Posture

Simplify the deployment and management: Scalable Single Pane of Glass

WAN traffic without SD-WAN implemented

[Diagram labels: FGT, MPLS, VPN over ISP]

Increasing the bandwidth with SD-WAN

[Diagram labels: MPLS, MPLS 2, MAN Ethernet, @, @2, 3G/LTE, Available Bandwidth, MultiLink]

Redundancy of the links

[Diagram labels: MPLS, @, @2, 3G/LTE, MultiLink]

Smart Load Balancing of the Applications

Link | L      | J     | PL
MPLS | 25 ms  | 0 ms  | 0 %
@    | 28 ms  | 0 ms  | 0 %
@2   | 100 ms | 20 ms | 5 %

Sensitivity to: Latency & Packet Loss

[Diagram label: Smart LB]

Smart Load Balancing of the Applications

Link | L      | J     | PL  | BW
MPLS | 25 ms  | 0 ms  | 0 % | 2 Mbps
@    | 28 ms  | 0 ms  | 0 % | 8 Mbps
@2   | 100 ms | 20 ms | 5 % | 18 Mbps

[Diagram label: Smart LB]

Smart Load Balancing of the Applications

• Link evaluation criteria

Inbound / Outbound QoS

[Diagram labels: MPLS, @, I/O QoS]

Implementing SD-WAN

Default route

Firewall Policy

Status Check

Configuration of SD-WAN rules

Internet Service Database

Implementing SD-WAN Bandwidth Control

Bandwidth Control implementation – Shaping-policy

• A TS shaping policy identifies the traffic that is to be matched and assigns a class-id
• Traffic identification can be done manually, with the App Control Engine or with the Internet Service DB
• Class-ids available for configuration: 2-31

config firewall shaping-policy
    edit 1
        set comment "Facetime"
        set service "ALL"
        set application 24426
        set dstintf "virtual-wan-link"
        set class-id 3
        set class-id-reverse 3
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set comment "Facetime"
        set service "ALL"
        set application 24426
        set dstintf "port1"
        set class-id 3
        set class-id-reverse 3
        set srcaddr "all"
        set dstaddr "all"
    next
end

Bandwidth Control implementation – Shaping-profile

• Bandwidth assignment for each class-id is done in shaping-profiles
• 5 transmit priority queues are available
• Maximum and guaranteed bandwidth are defined as a percentage (%) of the in/outbandwidth of the interface
• If not used, guaranteed bandwidth is shared among the other classes

config firewall shaping-profile
    edit "SD_WAN_DEMO"
        set comment "SD_WAN_DEMO"
        set default-class 5
        config classes
            edit 2
                set class-id 2
                set priority top
                set guaranteed-bandwidth 30
                set maximum-bandwidth 100
            next
            edit 3
                set class-id 3
                set priority critical
                set guaranteed-bandwidth 20
                set maximum-bandwidth 100
            next
            edit 4
                set class-id 4
                set priority medium
                set guaranteed-bandwidth 10
                set maximum-bandwidth 100
            next
            edit 5
                set class-id 5
                set priority low
                set guaranteed-bandwidth 5
                set maximum-bandwidth 100
            next
        end
    next
end

Bandwidth Control - Priority queues

TOP

CRITICAL

HIGH

MEDIUM

LOW

Bandwidth Control implementation – Interface configuration

• The last step is to assign the shaping-profile to an interface. Shaping can occur on both ingress and egress traffic.

config system interface
    edit "port11"
        set vdom "Branch1"
        set ip 10.10.10.1 255.255.255.252
        set allowaccess ping https ssh snmp http fgfm
        set type physical
        set inbandwidth 5000
        set outbandwidth 5000
        set egress-shaping-profile "SD_WAN_DEMO"
        set ingress-shaping-profile "SD_WAN_DEMO"
        set description "MPLS"
        set alias "MPLS"
        set snmp-index 13
    next
end
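
Added example, not part of the original deck and not Fortinet code: a Python check of the SD_WAN_DEMO class table against the rules stated on the slides (class-id 2-31, percentages of the interface bandwidth, a defined default class), plus a worked split of the 5000 kbps on port11. The order in which spare bandwidth is handed out in `allocate` and the offered loads in the demo call are assumptions.

```python
# Values transcribed from the slides: class-id -> (priority, guaranteed %, maximum %).
PRIORITY_ORDER = ["top", "critical", "high", "medium", "low"]
CLASSES = {2: ("top", 30, 100), 3: ("critical", 20, 100),
           4: ("medium", 10, 100), 5: ("low", 5, 100)}
DEFAULT_CLASS = 5
LINK_KBPS = 5000  # inbandwidth/outbandwidth on port11; FortiOS takes these in kbps

def audit(classes, default_class, policy_class_ids):
    """Return a list of consistency problems in a shaping setup."""
    problems = []
    for cid, (prio, guar, maxi) in classes.items():
        if not 2 <= cid <= 31:
            problems.append(f"class-id {cid} outside 2-31")
        if prio not in PRIORITY_ORDER:
            problems.append(f"class-id {cid}: unknown priority {prio}")
        if guar > maxi:
            problems.append(f"class-id {cid}: guaranteed {guar}% > maximum {maxi}%")
    if sum(g for _, g, _ in classes.values()) > 100:
        problems.append("guaranteed bandwidth adds up to more than 100%")
    if default_class not in classes:
        problems.append(f"default-class {default_class} is not defined")
    for cid in sorted(set(policy_class_ids) - set(classes)):
        problems.append(f"shaping-policy uses undefined class-id {cid}")
    return problems

def allocate(link_kbps, classes, demand_kbps):
    """Share link_kbps between classes given each class's offered load.

    Assumption (not FortiOS's documented scheduler): every class first gets
    min(demand, guarantee); what is left is handed out in priority order,
    never above a class's maximum or its demand.
    """
    grant = {}
    for cid, (_, guar, _) in classes.items():
        grant[cid] = min(demand_kbps.get(cid, 0), link_kbps * guar // 100)
    spare = link_kbps - sum(grant.values())
    for cid in sorted(classes, key=lambda c: PRIORITY_ORDER.index(classes[c][0])):
        cap = min(demand_kbps.get(cid, 0), link_kbps * classes[cid][2] // 100)
        extra = min(spare, cap - grant[cid])
        grant[cid] += extra
        spare -= extra
    return grant

if __name__ == "__main__":
    # Both shaping policies on the slides assign class-id 3.
    print(audit(CLASSES, DEFAULT_CLASS, [3, 3]))
    # Constructed offered loads in kbps; class 4 is idle.
    print(allocate(LINK_KBPS, CLASSES, {2: 500, 3: 4000, 5: 3000}))
```

With class 2 using only 500 of its 1500 kbps guarantee and class 4 idle, the unused share lets class 3 reach its full 4000 kbps demand while default class 5 is held to 500 kbps.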

What is available with Fortinet’s SD-WAN?

Feature                                                         | 5.4 GA / 5.6 GA                                  |     | Valeo top3 Critical/Good to have
SD-WAN BGP support                                              | No                                               | Yes | Critical
Improved Health-Check                                           | No                                               | Yes | Critical
SD-WAN App Control support                                      | No                                               | Yes | Critical
Support for Custom/Internet-service-DB/AppCntrl Groups          | No                                               | Yes | Critical
5 Ingress & Egress queues/Interface (percentage)-based shapers  | Only Egress/Firewall policy (kbps)-based shapers | Yes | Critical
Extended quality metrics (uni-bidirectional-bandwidth)          | No                                               | Yes | Critical
Custom quality metrics for VoIP traffic (custom-profile-1)      | No                                               | Yes | Good to have
FortiManager support                                            | Partial (CLI-Only Objects)                       | Yes | Good to have
FortiAnalyzer support                                           | No                                               | Yes | Critical

