SD-WAN Architecture for Enterprise

7.2.0

SD-WAN considerations

| SD-WAN Member | SD-WAN Zone | Performance SLA | SD-WAN Rule | Firewall Policy |
| --- | --- | --- | --- | --- |
| Configured for each WAN port | Zone exclusively for WAN ports | Health check server is a public server, such as Google’s 8.8.8.8 | Destination options are: all, application or internet service | References the SD-WAN zone(s) and appropriate security inspection |

Additional details

  • SD-WAN member:
    • Each WAN interface should be added as an SD-WAN member.
    • If one member is preferred over another, you may assign a lower cost to the preferred interface, and reference it later in the SD-WAN steering strategy.
  • SD-WAN zone:
    • Members can be added to their own individual zone or to a zone that contains multiple members.
    • The advantage of assigning each member to its own zone is that you have more granularity in your firewall policies later. For example, private links, such as MPLS, may require different security inspection than public internet links.
  • Performance SLA:
    • For internet rules, a publicly available health-check server should be used, such as www.fortinet.com.
    • This rule should only utilize SD-WAN members that have public internet access.
    • SLA targets may need to be adjusted over time as you learn what is normal in your environment.
  • SD-WAN rules:
    • Internet rules should contain the WAN members and their appropriate SLA.
    • More specific rules for internet breakout, such as application(s) or internet service, should be placed above more generic ones.
    • Destination options:
      • Application: Utilizes application control to identify the application on the network and steer appropriately. Good for granularity.
      • Internet Service: Utilizes the FortiGuard list of destination and port number mapping. Good for performance.
      • Address: Typically used for more generic rules, such as all or non-RFC statements.
  • Firewall policy:
    • The firewall policy should reference the datacenter zone(s) with the appropriate rule and security profiles enabled.
    • Policies can only reference zones, not individual members. If you need different policies or inspection per WAN link, consider creating an SD-WAN zone per overlay member.
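The five components above, assembled into one FortiOS 7.2 CLI configuration, as an added example that is not part of the original Fortinet guide. It assumes two WAN interfaces named wan1 and wan2, constructed gateway addresses from the documentation ranges (192.0.2.1 and 198.51.100.1), a LAN interface named lan, and the default UTM profiles that ship with FortiOS; the health check uses the www.fortinet.com server the guide recommends, and the SLA thresholds are starting values to be tuned against what is normal in your environment.

```fortios
# Added example configuration (not from the Fortinet guide).
# Interface names, gateways and SLA thresholds are assumptions.
config system sdwan
    set status enable
    # Zone: exclusively for the public WAN ports, referenced by the firewall policy
    config zone
        edit "internet-underlay"
        next
    end
    # Members: one per WAN port; a lower cost marks wan1 as the preferred link
    config members
        edit 1
            set interface "wan1"
            set zone "internet-underlay"
            set gateway 192.0.2.1
            set cost 0
        next
        edit 2
            set interface "wan2"
            set zone "internet-underlay"
            set gateway 198.51.100.1
            set cost 10
        next
    end
    # Performance SLA: public health-check server, only members with internet access
    config health-check
        edit "internet"
            set server "www.fortinet.com"
            set protocol ping
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    # SD-WAN rules: the specific Internet Service rule sits above the generic one
    config service
        edit 1
            set name "office365-breakout"
            set mode sla
            set src "all"
            set internet-service enable
            set internet-service-name "Microsoft-Office.365.Published"
            config sla
                edit "internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        edit 2
            set name "internet-generic"
            set mode sla
            set src "all"
            set dst "all"
            config sla
                edit "internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
# Firewall policy: references the SD-WAN zone (never a single member) with inspection enabled
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "lan"
        set dstintf "internet-underlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
end
```

Both rules steer by SLA, so traffic moves off wan1 only when it falls out of the configured thresholds rather than on link-down alone. If a private link such as MPLS were added, it would go into its own zone with its own policy and profile set, which is the granularity the zone-per-member recommendation above is about.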
