FortiGate Secure SD-WAN Solution - magellan-net.de · IPsec VPN Inspection Application Control Next...
© Copyright Fortinet Inc. All rights reserved.
FortiGate Secure SD-WAN Solution Magellan Netzwerke & Fortinet
08 / 2018
Fortinet SD-WAN Gives Performance of a Lifetime – Recommended by NSS Labs
Highest QoE for VoIP
Best Total Cost of Ownership
Only Security Vendor to be Recommended
4.38 out of 4.41
$5@749 Mbps
Blocked 100% Evasions
FortiGate Secure SD-WAN Solution Daniel Marquardt | Systems Engineer
08 / 2018
Challenges with Today’s WAN
DataCenter
MPLS
SaaS Applications
Branch
Branch
No App Visibility
MPLS
Internet
No NGFW, likely no or UTM Security
Expensive and Slow
Poor Application SLA
Secure SD-WAN Enables Digital Transformation
DataCenter
SaaS Applications
Branch
Branch
Hybrid WAN Support
MPLS
Internet
Internet
Application Visibility
High Application Performance
Advanced Security
Gartner : Four architectures to secure SD-WAN
90% of the SD-WAN vendors only offer stateful firewalls…
Gartner, October 2017
Multiple products:
Agility impact?
Simplification impact?
Management impact?
One product:
Integrated NGFW & SD-WAN
Zero touch provisioning
One management
Multiple products:
Agility impact?
Simplification impact?
Traffic impact?
Management impact?
Evolution of Fortinet Secure SD-WAN
5.4 5.6 6.0!
• Application steering
• Link load Balancing
• Traffic Shaping
• Identification of cloud applications
• Dynamic WAN Path Controller
• Zero Touch Provisioning
Pure Play SD-WAN vendors
FortiGate SD-WAN
Security
6.0 New Features
• Visibility into 3000+ applications
• Multiple SLA Strategies
• Enhanced Application monitoring
FortiOS
FortiGate – Integrated NGFW with SD-WAN
Application Aware
Multi-Path Intelligence
Multi Broadband Supported
Simplified Provisioning
Integrated SD-WAN with NGFW Security
Anti-botnet
Intrusion Prevention
Antivirus
IP Reputation
SSL Inspection
IPsec VPN
Inspection
Application Control
Next Generation Security Networking
&URL Filtering
SD-WAN Application Awareness – Broad and Deep
BROAD
DEEP
❑ Posts
❑ Games
❑ Videos
❑ Chat
Granular Application Visibility
3000+ Applications Supported
FortiOS SD-WAN Evolution
Feature                                                     5.2  5.4  5.6  6.0
WAN link load balancing                                      ✓    ✓    ✓    ✓
Routing, QoS and WAN Optimization                            ✓    ✓    ✓    ✓
VPN-Support (Site to Site VPN)                               -    ✓    ✓    ✓
Best quality WAN path selection                              -    ✓    ✓    ✓
SD-WAN Controller replaces WAN LLB                           -    -    ✓    ✓
FortiManager SD-WAN support                                  -    -    ✓    ✓
Application traffic shaping for SD-WAN                       -    -    ✓    ✓
BGP Dynamic Routing for SD-WAN                               -    -    ✓    ✓
Minimum SLA enforcement link steering                        -    -    -    ✓
Multiple SLAs per SD-WAN rule                                -    -    -    ✓
Set link preference in SD-WAN rule                           -    -    -    ✓
Auto failback to primary link                                -    -    -    ✓
Interface percentage based traffic shaping                   -    -    -    ✓
Expanded application signatures for steering (~3000 apps)    -    -    -    ✓
Performance SLA (For high priority applications)
Application-Level
Transaction
Latency < 200ms
Latency < 100ms
AND
Packet Loss < 1%
AND
Jitter < 30ms
Multiple Measurement Techniques
❑ Ping
❑ HTTP
❑ TCP Echo
❑ UDP Echo
❑ TWAMP
Failover Parameters
Check Interval
Success before restore
Failure before inactive
SD-WAN Virtual Interface
▪ A virtual interface named SD-WAN is automatically created
» All static routes and firewall policies must be configured using this virtual interface
Network > Static Routes
Network > Interfaces
Policy & Objects > IPv4 Policy
5.6 and 6.0
Load balancing settings in 6.0
▪ In 6.0, the load balancing settings were moved to the SD-WAN Rules section.
» Double click on the implicit rule to display the options.
6.0
FortiOS Secure SD-WAN
SD-WAN Rules
▪ SD-WAN Rules are applied like firewall rules (top down)
▪ The implicit catch-all rule at the bottom decides how to distribute the remainder of undefined traffic:
» Source IP
» Sessions
» Spillover
» Src-Dst
» Volume
SD-WAN Load Balancing Methods
▪ Source IP (default)
» Sessions from the same source IP address use the same interface.
▪ Source-destination IP
» Sessions with the same source and destination IP pair use the same interface.
▪ Spillover
» Use one interface until threshold is reached; then, use the next interface.
▪ Sessions
» The number of sessions distributed is determined by the interface weights.
▪ Volume
» Sessions are distributed so that traffic volume is distributed by the interface weights.
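The five load balancing methods listed on this slide, modelled as an added Python example (not FortiOS code and not part of the original deck). The member names, the SHA-256 hash used for the two IP-based methods, and the kbps/kbytes counters are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Member:
    name: str
    weight: int = 1       # share used by the sessions and volume methods
    spill_kbps: int = 0   # spillover threshold; 0 = no threshold
    kbps: int = 0         # current measured load, supplied by the caller
    sessions: int = 0     # counters updated by pick()
    kbytes: int = 0

def hash_pick(members, key):
    # Stable hash (assumed; the slide does not say which hash is used).
    digest = hashlib.sha256(key.encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]

def pick(method, members, src, dst, kbytes=1):
    """Return the name of the member a new session is assigned to."""
    if method == "source-ip":
        chosen = hash_pick(members, src)
    elif method == "source-destination-ip":
        chosen = hash_pick(members, f"{src}>{dst}")
    elif method == "spillover":
        # First member, in order, that is still below its threshold.
        below = [m for m in members if not m.spill_kbps or m.kbps < m.spill_kbps]
        chosen = below[0] if below else members[-1]
    elif method == "sessions":
        # Keep session counts proportional to the weights.
        chosen = min(members, key=lambda m: m.sessions / m.weight)
    elif method == "volume":
        # Keep transferred volume proportional to the weights.
        chosen = min(members, key=lambda m: m.kbytes / m.weight)
    else:
        raise ValueError(f"unknown method: {method}")
    chosen.sessions += 1
    chosen.kbytes += kbytes
    return chosen.name

def distribute(method, members, flows):
    """Assign (src, dst, kbytes) flows and return sessions per member."""
    for src, dst, kbytes in flows:
        pick(method, members, src, dst, kbytes)
    return {m.name: m.sessions for m in members}

if __name__ == "__main__":
    # Constructed sample: eight flows over two members weighted 3:1.
    flows = [(f"10.0.0.{i}", "203.0.113.10", 50) for i in range(8)]
    print(distribute("sessions", [Member("wan1", 3), Member("wan2", 1)], flows))
```

With source IP pinning, one busy host stays on a single member regardless of weights, which is why the weighted methods distribute more evenly when a few sources dominate the traffic.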
SLA Strategy using Best Quality
No compromise on SLA
High performance of business-critical applications
Always use the link with the best SLA requirements regardless of link cost
SLA Strategy using Minimum Quality
Maintain SLA While Saving on Opex
Consider both SLA and Link Cost
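An added Python example (not FortiOS code and not from the original deck) that ties the Performance SLA slide to the two SLA strategies: a link meets the SLA only if latency, packet loss and jitter are all under their targets, the failover counters decide when a link goes inactive or is restored, and the strategy decides which usable link wins. The link names, cost scale, counter defaults, the use of latency as the quality metric and the fallback when no link meets the SLA are assumptions.

```python
from dataclasses import dataclass

# Targets from the Performance SLA slide; every one must hold (AND).
SLA = {"latency_ms": 100, "loss_pct": 1.0, "jitter_ms": 30}

@dataclass
class Link:
    name: str
    cost: int                        # lower = cheaper (assumed scale)
    failure_before_inactive: int = 3
    success_before_restore: int = 2
    active: bool = True
    fails: int = 0
    oks: int = 0
    last: dict = None                # most recent answered probe

def meets_sla(probe):
    return all(probe[k] < SLA[k] for k in SLA)

def record(link, probe):
    """Feed one health-check result; None means the probe got no reply."""
    if probe is None:
        link.fails, link.oks = link.fails + 1, 0
        if link.fails >= link.failure_before_inactive:
            link.active = False      # consecutive failures take the link out
    else:
        link.oks, link.fails, link.last = link.oks + 1, 0, probe
        if link.oks >= link.success_before_restore:
            link.active = True       # consecutive successes bring it back

def select(links, strategy):
    """Return the link name a rule would steer to, or None if all are down."""
    up = [l for l in links if l.active and l.last]
    if not up:
        return None
    best = min(up, key=lambda l: l.last["latency_ms"])  # quality metric (assumed)
    if strategy == "best-quality":
        return best.name             # ignores cost
    if strategy == "minimum-quality":
        within = [l for l in up if meets_sla(l.last)]
        # Cheapest link that still meets the SLA; else fall back to best.
        return min(within, key=lambda l: l.cost).name if within else best.name
    raise ValueError(f"unknown strategy: {strategy}")

if __name__ == "__main__":
    links = [Link("mpls", cost=10), Link("inet", cost=1)]  # constructed sample
    for link, ms in zip(links, (20, 60)):
        record(link, {"latency_ms": ms, "loss_pct": 0.1, "jitter_ms": 5})
    print(select(links, "best-quality"), select(links, "minimum-quality"))
```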
Application Aware SD-WAN – FOS 6.0 Example
▪ SD-WAN Rules
» Granular application awareness with 3000+ known applications
» Internet Service Database
▪ Dynamically updated database of known service IPs and protocols
▪ Layer 4
» Application Control
▪ Dynamically updated database of applications
▪ Deep inspection
FortiManager - Single Pane of Glass Management
▪ VPN Visibility and Management on FMG
▪ NOC Dashboard and simple central monitoring
▪ Zero-Touch deployment with FortiDeploy
Evaluate FortiGate SD-WAN!
Native SD-WAN
Proven NGFW
✓ FortiGate provides PROVEN best of breed SD-WAN features in base platform
✓ Make your branch application aware with our WAN Path Controller
✓ Consistent application performance with automated fail-over
✓ 90% of SD-WAN vendors do not offer NGFW security
✓ Fortinet is the industry leader in Security Effectiveness and Performance
✓ Simple to manage integrated NGFW and SD-WAN in single offering
SD WAN
NGFW