FFT - Constructing A Secure SD-WAN Architecture v6.2 r6

The document discusses secure software-defined wide area networks (SD-WANs). It describes how traditional WANs using MPLS are expensive and inflexible. SD-WANs simplify WAN management by separating the networking hardware from its control and allowing the use of lower-cost internet access. However, 90% of SD-WAN vendors do not provide built-in next-generation firewall security, which is important for direct internet access. The document presents SD-WAN use cases like MPLS migration and providing application-aware routing and security. It also discusses how Fortinet's Secure SD-WAN solution consolidates point products and provides zero-touch deployment and proven next-generation firewall functionality.


Constructing a Secure SD-WAN Architecture

1
Secure SD-WAN
Objectives:
• Describe SD-WAN
• Understand the need for Secure SD-WAN
• View use cases and success stories
• Configure SD-WAN
• Monitor and manage SD-WAN

2
Traditional WAN
• Used to extend computer networks to connect remote branch offices to data centers
• Expensive circuit costs
• Fixed circuits
• Long lead time
• Proprietary hardware
• Difficult to expand
• Branch traffic hauled back to HQ
(Diagram: Branch Office connected to HQ/Datacenter, Public Cloud, and SaaS)

3
The WAN is Complex and Needs Transformation
• 70% of customers mentioned that the existing WAN is slow and expensive
• 60+ SaaS: enterprises are adopting WAN solutions as part of digital transformation
• 90% of WAN solution vendors don't provide built-in NGFW security
• Security is a "MUST": 90% of SD-WAN vendors do not provide security. With direct internet access, security becomes critical at every branch

4
Gartner: Security is the Biggest WAN Concern
Customers reported the following as the top concerns during a WAN initiative:
• 72% Security
• 58% Performance
• 47% Cost

Source: Gartner, Survey Analysis: Address Security and Digital Concerns to Maintain Rapid SD-WAN Growth, Naresh Singh, 12 November 2018. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
5
Enter SD-WAN
• Software-defined WAN (SD-WAN) simplifies the management and operation of a WAN by separating the networking hardware from its control mechanism
• Lets companies build higher performance WANs using lower cost and commercially available internet access
• Transport agnostic
(Diagram: Branch Office connected to HQ/Datacenter, Public Cloud, and SaaS)

6
Enterprise SD-WAN Use Case
SD-WAN Use Cases to Transform Enterprise WAN Edge

Network Operations:
• Application Aware WAN Edge: business applications steering with low latency
• Reduce WAN Cost for Lower Operating Expenses (Opex): MPLS to broadband transition
• Simplify Operations for quick roll-out: zero-touch deployment at scale

Network Security / Security Operations:
• Top rated threat protection and detection for direct internet access
• Quality of experience (QoE) for voice and video apps
• Single pane of glass management

8
Fortinet Redefined WAN Edge with Secure SD-WAN
• Consolidate Point Products
• Application Steering with High Availability
• Performance on any WAN Link
• Simplification
• SD-WAN Functionality
• Zero-Touch Deployment
• Proven Built-in Next Generation Firewall (NGFW) with SSL Inspection

9
Enterprise SD-WAN Use Cases—MPLS Migration
Traditional WAN
• Multiprotocol Label Switching (MPLS) dependency: inflexible, expensive, good quality of service (QoS)
• Traffic secured in the MPLS: all traffic routed via MPLS circuits, QoS applied for business apps
• Breakout in the provider cloud for all traffic
(Diagram: Branch connects over MPLS to the Private Cloud; Business Apps, Public Cloud and Internet are reached through the provider cloud)

10
Enterprise SD-WAN Use Cases—MPLS Migration
MPLS Backup with Local Breakout
• Critical Apps (Voice and Video): the best path is chosen depending on latency, jitter, and packet loss; traffic is redirected to a new tunnel (MPLS or IPsec VPN over the Internet) in case the WAN conditions are worse than the threshold
• Business Apps: load balanced across different lines so bandwidth is optimized
• Direct secure access to Internet, SaaS, and IaaS content; load balanced if needed
• With an internet breakout, security is critical
(Diagram: Branch connects to the Private Cloud over MPLS and over an IPsec VPN across the Internet; Public Cloud and Internet are reached directly from the branch)

12
Enterprise SD-WAN Use Cases—MPLS Migration
MPLS Replacement
• Replace expensive MPLS lines with cost-effective broadband
• With an internet breakout, security is critical
(Diagram: Branch connects to the Private Cloud over two IPsec VPN tunnels across the Internet; Public Cloud and Internet are reached directly)

13
Evolution of Fortinet Secure SD-WAN
FortiGate Secure SD-WAN has grown from FortiOS 5.4 through 5.6 and 6.0 to 6.2, adding the following on top of the security base:
• Application control database
• Identification of cloud applications
• Dynamic WAN path controller
• Link load balancing
• Traffic shaping
• Multiple SLA strategies
• Enhanced application steering and monitoring
• Zero touch provisioning
FortiOS 6.2 new features:
• Forward error correction
• Expanded SLA strategies
• Enhanced SD-WAN analytics
• Tunnel bonding
• SOC4 SD-WAN acceleration
(Diagram: Pure Play SD-WAN vendors positioned against FortiGate Secure SD-WAN, which adds Security under the SD-WAN features; timeline FortiOS 5.4, 5.6, 6.0, 6.2)

14


FOS 6.2: Enable Best of Breed SD-WAN
• Application Aware: visibility into 5000+ applications; high application identification accuracy
• Multi-Path Intelligence: application steering based on expanded SLA; automated fail-over capabilities
• WAN Resiliency: WAN path remediation with forward error correction (FEC); tunnel bandwidth aggregation (per packet steering)
• Simplified Monitoring: high-level monitoring of SD-WAN devices on a map; expanded historic SLA analytics
• Segmentation: multi-tenancy with patented VDOM; user-level segmentation for applications

15
Transform your WAN Edge with Secure SD-WAN
• Single-Pane Management
• Zero Touch Deployment
• Best Protection Bundle
• Secure SD-WAN (FortiOS): Application Routing, WAN Path Controller, WAN Optimization
• Security services: Web Filtering, Anti Malware, IPS, Cloud Sandbox, Threat Intelligence
• Purpose-Built Security Processor

16
FortiGate Enterprise Routing Stack
Routing Protocols:
• BGP, IPv4/IPv6
• OSPF (v2/v3), IPv4/IPv6
• ISIS
• RIPng, RIPv1/v2
• Multicast sparse/dense, including NAT
Advanced Features:
• Hardware accelerated routing
• Per VDOM routing tables
• Virtual router support
• Graceful restart for BGP/OSPF
• BFD for BGP, OSPF, and Multicast
• BGP route reflector
• Policy-based routing (PBR)
(Diagram: Full Enterprise Routing Stack with Secure SD-WAN on FortiOS)

17
WAN Edge MQ 2018 vs 2019
(Figure: Fortinet and Cisco positions in the Gartner WAN Edge Magic Quadrant, 2018 vs 2019, and in NGFW / Enterprise UTM)

18
Take Advantage Today
SD-WAN Ready:
• FortiGate provides best of breed SD-WAN features in the base platform
• Make your branch application aware with our WAN path controller
• Consistent application performance with automated failover
Proven NGFW:
• 90% of SD-WAN vendors do not offer NGFW security
• Fortinet is the industry leader in security effectiveness and performance
• Simple to manage integrated NGFW and SD-WAN in a single offering

19
SD-WAN Assessment Program
SD-WAN Assessment Program—What is it?
Part of the Cyber Threat Assessment Program for SD-WAN
• No obligation analysis for the network to get visibility into application usage, security posture, and bandwidth utilization
• No impact deployment that will not disrupt network connectivity or ongoing services
• No uncertainty about the current level of security posture and whether additional or new security controls are needed

21
SD-WAN Assessment Program—What's its Purpose?
Customers get visibility into:
• Application usage
• Security posture
• Bandwidth utilization

22
Sources:
1 IDC. SD-WAN Infrastructure Forecast. 2018.
2,3,4 Gartner. WAN Disruption and Transformation Survey. November 2018.
SD-WAN Assessment Program—How Does it Work?
1. Submit a request in the CTAP portal for a Secure SD-WAN Assessment
2. Install the configuration file on the FortiGate device and deploy for 3-7 days
3. The assessment uses SD-WAN technologies and the intelligence of FortiGuard Labs to identify thousands of applications
4. Upload the inspection logs to the portal and generate a Secure SD-WAN Assessment report
5. The customer's log data is purged from the system after completion of the final Secure SD-WAN Assessment report

23
SD-WAN Assessment Program—Then What?
• Partner reviews the Secure SD-WAN Assessment report
• Partner can deliver or present the report to the customer, including impartial recommendations
• If the customer is ready to purchase FortiGate Secure SD-WAN based on the SD-WAN findings, the standard ordering process applies
• If the customer has detailed questions beyond the scope of the turnkey assessment, a PoC can be similarly configured
• If there are questions or additional information required, contact [email protected]

24
Case Studies
Fortinet's Global SD-WAN Adoption
FortiGate SD-WAN customer business drivers:
• Digital transformation at the enterprise branch
• Reduce WAN OpEx spending
• Consolidation of branch services
Hundreds of customers deployed the Fortinet SD-WAN solution worldwide

26
Consolidation of Branch Services
Large supermarket in Northern Europe: 30% market share in the Netherlands, 13 independent retail organizations, 1500 branches, 10 datacenters
Goals:
• Unified best of breed approach, competing against powerful national supermarket chains
• Undergoing digital transformation to simplify management and increase productivity
Challenges:
• Unique set of security and networking requirements for each retail member
• Proliferation of IoT devices, demanding more bandwidth and security
Solution:
• Patented VDOM functionality allowed the customer to deploy multiple retail formulas from a single location
• Extended the Fortinet SD-WAN solution to include switches, access points, and extenders from Fortinet

27
Digital Transformation at the Enterprise Branch
Large educational institution: 34,000 students, serves 76 schools, $388M operating budget
Goals:
• Broadband modernization program to provide internet access to students
• Protect the personal information of students and staff
Challenges:
• MPLS architecture was not flexible enough to meet growing demands
• Anticipated 80% of the total volume of school traffic to be encrypted by 2020
Solution:
"We chose the FortiGate enterprise solution for several reasons, including SSL inspection capabilities, throughput, deployment flexibility, and internal staff expertise". - John McCormick, CIO

28
Reduce WAN OpEx Spending
Multinational automotive supplier: $18.7B revenue, 81,000 employees, 140 locations
Goals:
• Fully adopted cloud applications and SDN technologies
Challenges:
• Immediate need for SD-WAN deployment, with special requirements for WAN path control and SLA strategy
• MPLS infrastructure was inflexible and costly
Solution:
• Automated WAN path control with granular application transaction-level SLA
• Multiple strategies for controlling application SLA

29
Competitive Overview
Types of Competitors and How to Position Against Them
Competitive Positioning—Security Vendors
Characteristics:
• SD-WAN is a feature rather than the entire solution
• NGFW security built-in as part of the solution
• Form factors: hardware appliance or VM
How to Position Against:
• Security Effectiveness:
  • Fortinet has better security effectiveness than competitors, based on 3rd party independent testing, such as NSS Labs
  • Leader positions in the Gartner NGFW and UTM Magic Quadrant as well as eight recommendations from NSS Labs
  • The Fortinet Security Fabric provides end to end visibility and threat intelligence across a wide attack surface
• Performance:
  • The best performing VPN with dedicated security processors
  • NSS Labs SD-WAN testing gave Fortinet a Recommended rating, recognized for class leading QoE, the lowest total cost of ownership (TCO), and SSL decryption
  • Unmatched ability to scale branch office SD-WAN deployments with FortiGate and FortiManager using zero-touch provisioning (cite case studies when appropriate)

31
Competitive Positioning—Pure Play SD-WAN
Characteristics:
• Typically a startup or was a recent startup
• Entire solution is SD-WAN
• No built-in NGFW security
• Licensing based on bandwidth
• Form factors: hardware appliance or VM
How to Position Against:
• Secure SD-WAN vs SD-WAN:
  • Both Gartner and NSS Labs recognize the importance of security for SD-WAN
  • Better end to end visibility and threat intelligence across a wide attack surface with the Security Fabric
• Performance:
  • The best performing VPN with dedicated security processors
  • NSS Labs gave Fortinet a Recommended rating, recognized for class leading QoE, the lowest TCO, and SSL decryption
• Lower TCO:
  • SD-WAN is built into every FortiGate, no license required
  • Customers avoid the need to have a second vendor for security, which would double their costs
  • Bandwidth-based licensing is expensive
• Market Realities:
  • Pure play vendors will eventually get acquired or go out of business; what happens to customer networks then?

32
Competitive Positioning—WAN Optimization Vendors
Characteristics:
• Focuses on WAN, so the next logical progression would be SD-WAN
• SD-WAN is a feature of a WAN optimization product or a component of a WAN solution
• No built-in NGFW security
• Cannot help organizations with branch consolidation objectives
• Form factors: hardware appliance or VM
How to Position Against:
• Market Realities:
  • SD-WAN enables the replacement of expensive MPLS circuits with cheap broadband internet and has reduced the importance of WAN optimization
  • WAN optimization vendors must pivot to SD-WAN to stay relevant
• Secure SD-WAN vs SD-WAN:
  • SD-WAN is one component in providing network security
  • NSS Labs SD-WAN testing gave Fortinet a Recommended rating, recognized for class leading QoE, the lowest total cost of ownership (TCO), and SSL decryption
  • The Security Fabric provides end to end visibility and threat intelligence across a wide attack surface
• SD-Branch:
  • Fortinet Secure SD-WAN allows organizations to consolidate their WAN edge infrastructure and manage SD-WAN, security, access layer, and endpoints in a true single pane of glass console

33
Competitive Positioning—NSE Competitive Insider
For more information on SD-WAN competitive positioning, look at the NSE Competitive Insider presentations:
https://fuse.fortinet.com/p/do/sd/sid=6323

34
NSS Labs SD-WAN Report Results
NSS Labs SD-WAN—Industry's First SD-WAN Group Test
• Inaugural group test of market-leading SD-WAN solutions
• Real world simulation of:
  • Enterprise deployment
  • Business critical traffic
  • Scenarios with poor network conditions

36
NSS Labs SD-WAN v1.0 2018 (Products Tested)
Only three vendors Recommended out of ten participating. Products tested (rated Recommended, Verified, or Caution; one vendor refused participation):
• Barracuda NGFW F-Series F80
• Citrix Systems Netscaler SD-WAN
• FortiGate 61E
• Versa Networks FlexVNF
• Cradlepoint AER2200-600M
• VMWare NSX SD-WAN by VeloCloud Edge
• Forcepoint NGFW 1101
• Talari Networks Adaptive Private Networking (APN)
• FatPipe Networks MPVPN/SD-WAN

37
Overall Results
• Fortinet SD-WAN measured best in class for quality and TCO

38
Fortinet Receives Second Consecutive SD-WAN Recommended Rating from NSS Labs
Only three vendors out of 60+ SD-WAN vendors achieved a consecutive Recommended rating
Best ROI:
• Lowest TCO among all vendors
• Faster deployment with zero-touch provisioning in six minutes
• Our TCO ~8X better than the average TCO from all vendors
Reliable QoE:
• NSS Labs Recommended voice and video QoE
• QoE delta is only ~5% lower than the average QoE from all vendors
Resilient HA:
• Best user experience in failure conditions
• Achieved the best possible score for voice and video QoE
• Active and passive high availability
Built-in NGFW security has received five consecutive Recommended ratings from the NSS Labs NGFW test

39
How to Position Fortinet Results
• Proven best of breed SD-WAN
  • Highest QoE for VoIP, beating even pure play SD-WAN vendors (scoring 4.38 out of 4.41)
  • Sustained high quality for VoIP, even during brownout conditions when packet loss, latency, and jitter were introduced
  • Second best QoE for video, scoring 4.26 out of 4.53
• Only Recommended SD-WAN vendor with a security rating
  • 100% of evasions were blocked, with 99.9% security effectiveness
  • Five out of nine vendors are missing NGFW security, which is critical for enterprises adopting SD-WAN for cloud applications
• Best TCO
  • Fortinet proved the best value with only $5 TCO
  • Purchase price vs value is at least 700% higher than other vendors

40
Introducing the World's First SD-WAN ASIC
• Ultra Fast SD-WAN: industry's fastest application steering for efficient business operations
• Best of Breed Security: enable best of breed, certified SD-WAN and security with high performance
• Ease of Use: best user experience with responsive accelerated overlay
• SD-Branch Enabled: accelerated security extension to the access layer to enable SD-Branch WAN transformation

41
World's First SD-WAN ASIC (SOC4)
Security Processing Unit SOC4: quad-core A53 @ 1.4 GHz, DDR4-32B @ 2400, 28,000 DMPS, 18x network ports, 36 Gbps throughput, 18 Gbps IPsec throughput, CAPWAP support
SOC3 (previous generation): quad-core A9 @ 1 GHz, DDR3-32B @ 2400, 10,000 DMPS, 10x network ports, 10 Gbps throughput, 3 Gbps IPsec throughput, CAPWAP support
(Figure: SOC4 shown as roughly X2 against SOC3 at X1)

42
The Fortinet SD-WAN ASIC Powered FortiGate 100F
• 22 Gbps zero-CPU forwarding
• 11.5 Gbps IPsec
• 800 Mbps NGFW
• 2500 tunnels
• 1.0 Gbps SSL

43
FortiOS 6.2 Secure SD-WAN
SD-WAN Configuration Steps
Basic steps to set up SD-WAN:
• Enable SD-WAN
• Configure routes
• Configure security policies
• Configure performance SLA
• Configure SD-WAN rules
• View usage monitoring

45
Enable SD-WAN
Network > SD-WAN
• Select the interfaces that will become members of the SD-WAN and provide a gateway for each interface
• Physical interfaces that are referenced by any other configuration element (for example, routes or policies) will not appear in this list
• New in 6.2: easily create IPsec VPN
• New in 6.2: optionally, provide a cost for the interface that the rules use
• View the SD-WAN usage of each member, based on Bandwidth, Volume, and Sessions
• There can only be one SD-WAN interface per VDOM

46
SD-WAN IPsec VPN Wizard
• What it does: simplifies dual VPN creation for SD-WAN
• How it does it: provides a VPN wizard in the SD-WAN section that allows users to create an overlay VPN tunnel over each selected underlay transport link
• Use case: to speed up VPN creation in simple SD-WAN deployments

47
Forward Error Correction (FEC)
• What it does: allows for dynamic remediation of packet loss or erroneous data caused by adverse WAN conditions
• How it does it:
  • The sending FortiGate buffers the traffic, then generates and sends redundant packets along with the original payload through a VPN tunnel
  • The receiving FortiGate buffers the incoming packets and performs redundancy calculations based on the traffic (payload + redundant packets) to ensure the integrity of the original payload and recover from packet loss or transmission errors
• Use cases:
  • Increase the reliability of WAN traffic sent through an overlay VPN tunnel established over a broadband internet link
  • Increase the QoE of voice or video traffic that is pinned to specific overlay tunnels
• Caveat: the redundant packets consume extra tunnel bandwidth, so enable FEC only for the traffic that needs it
48
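The sender/receiver exchange described above, as an added example in Python that is not Fortinet's code and not taken from this deck: one XOR parity packet per group of four data packets, with a constructed lossy tunnel that drops selected frames. The group size, the one-parity-per-group scheme and the fixed-size payloads are assumptions of this model; FortiOS's actual coding and its configurable redundancy ratio are not reproduced here.

```python
# Added example, not FortiOS code: a simplified model of tunnel FEC. For every
# group of BASE data packets the sender emits one XOR parity packet, so the
# receiver can rebuild any single packet lost from that group without a
# retransmission. FortiOS lets you tune the parity-to-data ratio; the
# one-parity-per-group scheme and BASE=4 here are assumptions for this model,
# and payloads are fixed-size (as a fixed-rate voice codec produces) so that
# no length field is needed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BASE = 4  # data packets per FEC group (assumed)


@dataclass(frozen=True)
class Packet:
    group: int
    index: int       # 0..BASE-1 for data, BASE for the parity packet
    payload: bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(payloads: List[bytes]) -> List[Packet]:
    """Sender: buffer BASE packets, append their XOR as a redundant packet."""
    size = len(payloads[0])
    assert all(len(p) == size for p in payloads), "model assumes fixed-size payloads"
    wire: List[Packet] = []
    for start in range(0, len(payloads), BASE):
        group = start // BASE
        parity = bytes(size)
        for i, p in enumerate(payloads[start:start + BASE]):
            wire.append(Packet(group, i, p))
            parity = _xor(parity, p)
        wire.append(Packet(group, BASE, parity))
    return wire


def decode(received: List[Packet], n_data: int) -> List[Optional[bytes]]:
    """Receiver: buffer per group; if exactly one data packet is missing and
    the parity arrived, XOR the survivors to recover it. None = unrecoverable."""
    groups: Dict[int, Dict[int, bytes]] = {}
    for pkt in received:
        groups.setdefault(pkt.group, {})[pkt.index] = pkt.payload
    out: List[Optional[bytes]] = [None] * n_data
    for group, members in groups.items():
        data_idx = [i for i in range(BASE) if group * BASE + i < n_data]
        missing = [i for i in data_idx if i not in members]
        if len(missing) == 1 and BASE in members:
            acc = members[BASE]
            for i in data_idx:
                if i in members:
                    acc = _xor(acc, members[i])
            members[missing[0]] = acc
        for i in data_idx:
            if i in members:
                out[group * BASE + i] = members[i]
    return out


def simulate(frames: List[bytes], lost: Set[int]) -> List[Optional[bytes]]:
    """Send frames through a lossy tunnel that drops the given frame numbers."""
    wire = encode(frames)
    survived = [p for p in wire if p.index == BASE or (p.group * BASE + p.index) not in lost]
    return decode(survived, len(frames))


# Constructed sample: eight 16-byte voice frames (not captured traffic).
FRAMES = [bytes([0x40 + i]) * 16 for i in range(8)]

if __name__ == "__main__":
    for lost in (set(), {2, 5}, {0, 1}):
        got = simulate(FRAMES, lost)
        print(f"lost {sorted(lost) or 'none'}: recovered {sum(g == f for g, f in zip(got, FRAMES))}/8")
```

Losing one frame per group is fully repaired; losing two frames from the same group is not, which is why the redundancy ratio has to be chosen against the loss pattern actually measured on the link.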
SD-WAN Virtual Interface
• A virtual interface named SD-WAN is automatically created
• All static routes and firewall policies must be configured using this virtual interface
Network > Interfaces
Policy & Objects > IPv4 Policy
Network > Static Routes

49
Dynamic Routing Support
• New solution to overcome SD-WAN static network limitations
• Links SD-WAN and BGP in a dynamic network environment
• This feature is currently CLI only

50
Performance SLA
• Link Health Monitor
• SLA Targets (new)
• Link Status

51
Performance SLA—Link Health Monitor
Available protocols via the CLI:
• ping: PING link monitor
• http: HTTP-GET link monitor
• tcp-echo: TCP echo link monitor
• udp-echo: UDP echo link monitor
• twamp: Two-Way Active Measurement Protocol
• In FortiOS 6.2, Status Check is renamed Performance SLA
• You can use two servers to test the quality of a link
• You can specify which SD-WAN members this SLA applies to

52
Link Quality Measurements
• The status check also measures the link quality of each member interface based on latency, jitter, and packet loss percentage

53
Performance SLA—SLA Targets
• You can specify multiple SLA targets in one performance SLA
• Targets are only used when referenced by a rule
• Use Link Status (the number of consecutive failed and successful checks before a member is marked down or restored) to prevent flapping

54
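What the link health monitor, the link quality measurements and the link status slides above describe, as an added example in Python that is not FortiOS code: a sliding window of probe results per member from which latency, jitter and loss are derived, an SLA target checked against them, and a link-status state machine with hysteresis so that a single lost probe cannot flap the member. The counter names fail_before_inactive / restore_before_active, their default of 5, the window of 10 probes and the probe series are all constructed assumptions of this model.

```python
# Added example, not FortiOS code: a model of what a Performance SLA does with
# its probe results. Each member keeps a sliding window of probe round-trip
# times (None = probe lost) from which latency, jitter and packet loss are
# derived, and a link-status state machine with hysteresis so that one lost
# probe cannot flap the link. Counter names and defaults are assumptions.
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SlaTarget:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class LinkHealth:
    member: str
    fail_before_inactive: int = 5     # consecutive misses before the link is marked down
    restore_before_active: int = 5    # consecutive replies before it is marked up again
    window: int = 10                  # probes kept for latency/jitter/loss
    alive: bool = True
    misses: int = 0
    hits: int = 0
    rtts: List[Optional[float]] = field(default_factory=list)

    def record(self, rtt_ms: Optional[float]) -> bool:
        """Feed one probe result; returns the link status after damping."""
        self.rtts = (self.rtts + [rtt_ms])[-self.window:]
        if rtt_ms is None:
            self.misses, self.hits = self.misses + 1, 0
            if self.alive and self.misses >= self.fail_before_inactive:
                self.alive = False
        else:
            self.hits, self.misses = self.hits + 1, 0
            if not self.alive and self.hits >= self.restore_before_active:
                self.alive = True
        return self.alive

    def _ok(self) -> List[float]:
        return [r for r in self.rtts if r is not None]

    def latency_ms(self) -> float:
        ok = self._ok()
        return mean(ok) if ok else float("inf")

    def jitter_ms(self) -> float:
        """Mean absolute difference between consecutive round-trip times."""
        ok = self._ok()
        return mean([abs(a - b) for a, b in zip(ok, ok[1:])]) if len(ok) > 1 else 0.0

    def loss_pct(self) -> float:
        return 100.0 * sum(r is None for r in self.rtts) / len(self.rtts) if self.rtts else 100.0

    def meets(self, target: SlaTarget) -> bool:
        """An SLA target is met only by a link that is up AND inside every threshold."""
        return (self.alive
                and self.latency_ms() <= target.latency_ms
                and self.jitter_ms() <= target.jitter_ms
                and self.loss_pct() <= target.loss_pct)


def evaluate(member: str, probes: List[Optional[float]], target: SlaTarget) -> Tuple[bool, bool]:
    """Replay a probe series and return (link alive, SLA target met)."""
    link = LinkHealth(member)
    for rtt in probes:
        link.record(rtt)
    return link.alive, link.meets(target)


VOICE = SlaTarget("voice", latency_ms=150, jitter_ms=30, loss_pct=2)

# Constructed probe series in ms (None = no reply); not real measurements.
WAN1_PROBES: List[Optional[float]] = [20, 22, 19, 21, 20, 23, 20, 21, 22, 20]
WAN2_PROBES: List[Optional[float]] = [60, None, 140, None, None, None, None, None, 70, 65]

if __name__ == "__main__":
    for name, probes in (("wan1", WAN1_PROBES), ("wan2", WAN2_PROBES)):
        alive, ok = evaluate(name, probes, VOICE)
        print(f"{name}: alive={alive} meets {VOICE.name} SLA={ok}")
```

wan2 goes down on its fifth consecutive miss and stays down through the two replies that follow, because the restore counter has not been reached; that asymmetry is the point of the Link Status settings, since a member that bounces back on the first reply would pull sessions back onto a link that is still lossy.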
SD-WAN Rules
• Rules can match traffic based on:
  • Source IP address, destination IP address, or port number
  • Internet services database (ISDB) address object
  • Users or user groups
  • Type of service (ToS) (new)
• Lets you route traffic through the member interfaces that best fit your needs

55
SD-WAN Rules—Manual
• New in FortiOS 6.2
• Use a manual rule to pin one or more applications to a specific SD-WAN member interface

56
SD-WAN Rules—Best Quality
Link quality = (a*latency)+(b*jitter)+(c*packet loss)+(d/bandwidth)
The member with the lowest link quality value is selected; a, b, c and d are the configurable weights for each factor.

57
SD-WAN Rules—Lowest Cost (SLA)
• In FortiOS 6.2, Minimum Quality (SLA) is renamed Lowest Cost (SLA)
• All of the traffic that matches the rule will be directed to a single interface: the lowest-cost member that meets the SLA target

58
SD-WAN Rules—Maximize Bandwidth (SLA)
• New in FortiOS 6.2
• Load balances multiple sessions across the participating SD-WAN members that meet the SLA

59
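The three strategies on the slides above (Best Quality with the page's formula, Lowest Cost (SLA), and Maximize Bandwidth (SLA)), as an added example in Python that is not FortiOS code: it runs each strategy over constructed member metrics. The tie-break on member order and the fall-back to best quality when no member meets the SLA are assumptions of this model, not documented FortiOS behaviour.

```python
# Added example, not FortiOS code: the three 6.2 rule strategies named on these
# slides, run against constructed member metrics. The page gives the Best
# Quality formula; the tie-breaking on configuration order and the fall-back
# when no member meets the SLA are assumptions of this model.
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List


@dataclass(frozen=True)
class Member:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    bandwidth_mbps: float
    cost: int = 0        # per-member cost, new in 6.2 (lower is cheaper)
    order: int = 0       # position in the member list; breaks ties (assumed)


@dataclass(frozen=True)
class Sla:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def link_quality(m: Member, a: float = 1.0, b: float = 1.0, c: float = 1.0, d: float = 0.0) -> float:
    """Link quality = (a*latency)+(b*jitter)+(c*packet loss)+(d/bandwidth); lower is better."""
    return a * m.latency_ms + b * m.jitter_ms + c * m.loss_pct + (d / m.bandwidth_mbps if d else 0.0)


def meets_sla(m: Member, sla: Sla) -> bool:
    return m.latency_ms <= sla.latency_ms and m.jitter_ms <= sla.jitter_ms and m.loss_pct <= sla.loss_pct


def best_quality(members: List[Member], **weights: float) -> Member:
    return min(members, key=lambda m: (link_quality(m, **weights), m.order))


def lowest_cost_sla(members: List[Member], sla: Sla) -> Member:
    """Steer ALL matching traffic to one member: the cheapest that is inside the
    SLA (ties by order). If nothing is inside the SLA, fall back to best quality."""
    in_sla = [m for m in members if meets_sla(m, sla)]
    if not in_sla:
        return best_quality(members)
    return min(in_sla, key=lambda m: (m.cost, m.order))


def maximize_bandwidth_sla(members: List[Member], sla: Sla, sessions: int) -> Dict[str, int]:
    """Round-robin new sessions over every member inside the SLA (not just one)."""
    pool = [m for m in members if meets_sla(m, sla)] or [best_quality(members)]
    counts = {m.name: 0 for m in pool}
    for _, m in zip(range(sessions), cycle(pool)):
        counts[m.name] += 1
    return counts


VOICE = Sla(latency_ms=150, jitter_ms=30, loss_pct=2)

# Constructed metrics for three members, not measurements from any device.
MEMBERS = [
    Member("mpls", latency_ms=30, jitter_ms=2, loss_pct=0.0, bandwidth_mbps=20, cost=10, order=0),
    Member("isp1", latency_ms=45, jitter_ms=8, loss_pct=0.5, bandwidth_mbps=200, cost=1, order=1),
    Member("isp2", latency_ms=120, jitter_ms=40, loss_pct=3.0, bandwidth_mbps=100, cost=1, order=2),
]

if __name__ == "__main__":
    print("best quality (default weights):", best_quality(MEMBERS).name)
    print("best quality (d=1000, bandwidth counts):", best_quality(MEMBERS, d=1000).name)
    print("lowest cost (SLA voice):", lowest_cost_sla(MEMBERS, VOICE).name)
    print("maximize bandwidth (SLA voice), 10 sessions:", maximize_bandwidth_sla(MEMBERS, VOICE, 10))
```

With the default weights Best Quality picks the MPLS member on latency alone; giving the bandwidth term a weight flips the choice to the 200 Mbps broadband link. Lowest Cost (SLA) ignores quality beyond the target and picks the cheapest member inside it, so the expensive MPLS link is only used when broadband falls out of SLA.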
SD-WAN Rules—Internet Services & Application
(Screenshot: rule matching on Internet Service and Application objects)

61
SD-WAN Rules Precedence
• SD-WAN rules are treated as policy-based routes, so they are consulted before the routing table
Monitor > Routing Monitor

62
SD-WAN Rules
• SD-WAN rules are evaluated in the same way as the firewall policies: from top to bottom, using the first match
• Application specific rules are evaluated first; traffic that matches none of them falls through to the implicit rule
• Double-click on the implicit rule to display the load balancing options

63
SD-WAN Load Balancing Methods
• Source IP (default): sessions from the same source IP address use the same interface
• Source-destination IP: sessions with the same source and destination IP pair use the same interface
• Spillover: use one interface until the threshold is reached, then use the next interface
• Sessions: the number of sessions distributed is determined by the interface weights
• Volume: sessions are distributed so that traffic volume is distributed by the interface weights

64
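The five implicit-rule load balancing methods listed above, as an added example in Python that is not FortiOS code: each method is a function from a new session to the member it lands on, run over constructed sessions. The hash function, the "pick the member furthest below its weighted share" rule for the Sessions and Volume methods, and the first-member tie-break are assumptions of this model.

```python
# Added example, not FortiOS code: the five implicit-rule load balancing
# methods from this slide, modelled over constructed sessions. Hashing the
# source (or source+destination) address to a member gives the stickiness the
# slide describes; the weighted methods pick the member furthest below its
# share. The hash function and the tie-breaking are assumptions of this model.
import hashlib
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    kbps: int      # constructed per-session rate, used by spillover and volume


@dataclass
class Link:
    name: str
    weight: int = 1
    spillover_kbps: int = 0      # 0 = no threshold
    sessions: int = 0
    volume_kbps: int = 0


def _hash_pick(key: str, links: List[Link]) -> Link:
    digest = hashlib.sha256(key.encode()).digest()
    return links[int.from_bytes(digest[:4], "big") % len(links)]


def by_source_ip(s: Session, links: List[Link]) -> Link:
    return _hash_pick(s.src, links)


def by_source_dest_ip(s: Session, links: List[Link]) -> Link:
    return _hash_pick(f"{s.src}|{s.dst}", links)


def by_spillover(s: Session, links: List[Link]) -> Link:
    """Fill links in order; move to the next once the threshold would be exceeded."""
    for link in links:
        if link.spillover_kbps == 0 or link.volume_kbps + s.kbps <= link.spillover_kbps:
            return link
    return links[-1]


def by_sessions(s: Session, links: List[Link]) -> Link:
    """Member with the fewest sessions relative to its weight."""
    return min(links, key=lambda l: Fraction(l.sessions, l.weight))


def by_volume(s: Session, links: List[Link]) -> Link:
    """Member with the least volume relative to its weight."""
    return min(links, key=lambda l: Fraction(l.volume_kbps, l.weight))


Method = Callable[[Session, List[Link]], Link]


def distribute(method: Method, sessions: List[Session], links: List[Link]) -> Dict[str, Link]:
    """Assign each session in arrival order and return the per-link tallies."""
    for s in sessions:
        chosen = method(s, links)
        chosen.sessions += 1
        chosen.volume_kbps += s.kbps
    return {l.name: l for l in links}


if __name__ == "__main__":
    # Constructed sessions: seven source hosts, one destination, 100 kbps each.
    sessions = [Session(f"10.0.0.{i % 7}", "203.0.113.9", 100) for i in range(40)]
    for name, method in (("source-ip", by_source_ip), ("sessions 3:1", by_sessions)):
        links = [Link("wan1", weight=3), Link("wan2", weight=1)]
        tally = distribute(method, sessions, links)
        print(name, {n: l.sessions for n, l in tally.items()})
```

The Sessions method honours the 3:1 weights exactly over 40 sessions; the hash-based methods do not, because stickiness is the goal there, and seven busy hosts can land unevenly on two members.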
SD-WAN Rules IPv6 Support
• IPv6 support added
• CLI configuration only
• Partial display in the GUI

65
SD-WAN Link Status Monitoring
Network > Performance SLA
Log & Report > System Events

66
SD-WAN Link Status Monitoring Cont'd
• Use the CLI diagnose command for SD-WAN services (in FortiOS 6.2, diagnose sys virtual-wan-link service) to verify which link is the preferred link for each rule

67
SD-WAN Usage Monitor
• Real time SD-WAN usage monitor
• View SD-WAN traffic distribution by bandwidth, volume, or session

68
Verify SD-WAN Traffic Routing

69
Verify SD-WAN Traffic Routing
• Use the Forward Traffic logs or the packet capture tool to verify traffic routing. Sniffer verbosity level 4 prints the interface name, which is what shows the member a packet actually left on.
Log & Report > Forward Traffic

# diagnose sniffer packet any 'port 443' 4
5.455914 port1 out 192.168.1.254.59785 -> 192.168.1.1.443: syn 457459
5.455930 port2 out 192.168.1.1.443 -> 192.168.1.254.59785: syn 163440 ack 457460
5.455979 port2 out 192.168.1.1.443 -> 192.168.1.254.59773: 927943 ack 725411
5.456012 port1 out 192.168.1.1.443 -> 192.168.1.254.59773: 929403 ack 725411
5.456043 port1 out 192.168.1.1.443 -> 192.168.1.254.59773: psh 930863 ack 725411

70
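A check you can run over that sniffer output, as an added example in Python that is not FortiOS code: it parses the verbosity-4 lines, records which interface each direction of a session left on, and flags any direction that egressed on more than one interface. The sample input is the capture printed on the slide above; the interpretation that a mid-session interface change deserves a look (an SD-WAN rule or SLA change, or a route change) is the practitioner's check this example adds, not a statement from the deck.

```python
# Added example, not FortiOS code: a parser for 'diagnose sniffer packet'
# verbosity-4 output (the level that prints the interface name), used to check
# per-direction egress interfaces. For transit traffic each direction of a
# session normally leaves on exactly one interface; a direction that is seen
# leaving on two members indicates the session moved between SD-WAN members
# mid-flow (rule or SLA change, or a route change) and is worth a second look.
import re
from typing import Dict, List

# <ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags ...>
_LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def egress_by_direction(lines: List[str]) -> Dict[str, List[str]]:
    """Map each directed flow 'src:sport->dst:dport' to the interfaces it left on."""
    seen: Dict[str, List[str]] = {}
    for line in lines:
        m = _LINE.match(line)
        if not m or m["dir"] != "out":
            continue   # the echoed command line and ingress records are skipped
        key = f"{m['src']}:{m['sport']}->{m['dst']}:{m['dport']}"
        ifaces = seen.setdefault(key, [])
        if m["iface"] not in ifaces:
            ifaces.append(m["iface"])
    return seen


def path_changes(lines: List[str]) -> Dict[str, List[str]]:
    """Directed flows that egressed on more than one interface."""
    return {k: v for k, v in egress_by_direction(lines).items() if len(v) > 1}


# The capture from the slide above, copied as printed there.
SAMPLE = """\
# diagnose sniffer packet any 'port 443' 4
5.455914 port1 out 192.168.1.254.59785 -> 192.168.1.1.443: syn 457459
5.455930 port2 out 192.168.1.1.443 -> 192.168.1.254.59785: syn 163440 ack 457460
5.455979 port2 out 192.168.1.1.443 -> 192.168.1.254.59773: 927943 ack 725411
5.456012 port1 out 192.168.1.1.443 -> 192.168.1.254.59773: 929403 ack 725411
5.456043 port1 out 192.168.1.1.443 -> 192.168.1.254.59773: psh 930863 ack 725411
""".splitlines()

if __name__ == "__main__":
    for flow, ifaces in egress_by_direction(SAMPLE).items():
        print(f"{flow:45} out via {', '.join(ifaces)}")
    print("moved between interfaces:", list(path_changes(SAMPLE)))
```

On the slide's own capture the 443->59773 direction is seen leaving on port2 and then on port1, which is the pattern to correlate with the Performance SLA events and the rule's preferred-member output before deciding whether the switch was intended.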
Traffic Shaping
• Apply traffic shaping to SD-WAN traffic the same as to any other traffic
• Layer 7 analysis for QoS rules is based on users, apps, and URLs
• Administrators can prioritize critical traffic over other traffic
• There are two types of traffic shapers: Per IP and Shared

71
SD-WAN Integration in Fabric Topology
(Screenshot: Security Fabric topology view showing the SD-WAN members)

72
FortiOS Secure SD-WAN
Management and Visibility: FortiManager
• New WAN health analytics in FortiManager for SD-WAN
• Go to Table View, then click on the FortiGate you want to view

73
FortiManager—Zero-Touch Provisioning & Automation
Turn-Key Provisioning for SD-WAN and SD-Branch
• Use zero-touch provisioning for FortiGate, FortiSwitch, and FortiAP
• Leverage templates to provide ease of policy configuration
• SLA-based application steering
• Ansible scripts are available on Github

74
FortiManager—SD-WAN Monitoring and Controls
Performance, Bandwidth, and SLA Monitoring
• SD-WAN bandwidth monitoring to log the interface UL/DL speeds (run 10 different times in 24 hrs)
• SLA logs and history monitoring forwarded to FortiAnalyzer Cloud for better SLA reporting
• Security Rating for best practice configuration management
• View the Security Fabric Topology in FortiManager

75
FortiManager—Single Pane of Glass Management
SD-WAN Central Management
• Single pane for both management and logging (FortiManager and FortiAnalyzer)
• VPN management (IPsec VPN, mesh configuration)
• SD-WAN management (health check servers, templates)

76
Conclusions:
• Customers want a WAN with local internet breakout
• SD-WAN enables local internet breakout, but this means added security risks
• Most SD-WAN vendors do not have robust NGFW security
• Many SD-WAN vendors recommend multiple devices for SD-WAN and security
• Multiple devices add to the complexity and cost
• What customers need is Secure SD-WAN: a single device handles both the security and the SD-WAN needs

77
Key Takeaway
• FortiGate changes the conversation from SD-WAN to Secure SD-WAN
• Best of breed integrated SD-WAN networking and security capabilities in a single device reduce TCO
• FortiGate is SD-WAN ready:
  • Purpose-built security processor (ASIC) for high reliability
  • Enhanced application aware WAN path controller for QoS
  • Security Fabric ready for easy visibility and control
  • FortiManager enables single pane management across thousands of enterprise branches
  • 360 Protection is the most comprehensive protection bundle
78
Lab Exercise: SD-WAN
Lab—Network Diagram
(Figure: lab network diagram)

80
SD-WAN Exercise
• In this exercise, you configure the SD-WAN virtual interface:
  • You perform all of the configuration from the Jumpbox server
  • The Lab Guide is on the desktop of the Jumpbox (FortiFIED app)
  • As part of the exercise, you create a rule to have traffic favor the best link
  • You initiate some traffic in the form of a phone call and a continuous ping to HQ
  • You introduce latency on the first link and observe the traffic switch over to the second link without dropping the call

81
Software-Defined WAN Session
https://use.cloudshare.com/Class/x-x-x-x-x
Student name: <student email>
Passphrase: Fortinet1!
Instructor Notes
• The following slides are optional and can be used for the following:
  • To remind instructors how to interact with the Fast Track labs
  • To help students get started using the hands-on lab
• Feel free to use some, all, or none of the slides as part of your session
• It is recommended to keep the initial instruction short and then assist students individually as needed
• It is suggested to use no more than the first four of the following slides and only use the others on a case-by-case basis

83
Student Access
• Classroom URL and password are provided by your instructor

84
Student Classroom Portal
• View tabs across the top provide access to lab devices
• FortiFIED Lab Guide: an interactive lab guide providing tasks and validating results
• Jumpbox Server: provides access to links, software, and tools necessary to complete tasks
• Full Screen Button: makes the current view full screen

85
FortiFIED Interactive Lab Guide
• Enter a Name
• Application banner
• Objectives list
• Display tabs
• Rich text
• Answer choice
• Complete button
• Status bar
• Scale text slider
• Resize display bar

86
Adjusting the View
1. Right-click the browser tab and select Duplicate from the drop-down menu
2. Tear off the browser tab by clicking it and dragging the tab away from the browser
3. Arrange the browser windows side by side, based on personal preference
4. Use the browser zoom to adjust the resolution of views based on preference
• These same steps can be used to place a second browser window on a separate monitor

87
Keyboard Layouts
• Keyboards on Windows and Linux hosts can be changed for non-US keyboard environments
• Windows host:
  1. Under Environment Actions, use the keyboard drop-down list to select a keyboard
  2. To apply the new keyboard, log out of the Jumpbox, then log back in

88
Keyboard Layouts (cont)
• Ubuntu 14.04 (NGFW)
  1. Must be done from inside the host
  2. Log in, click the gear icon on the top right and click System Settings…
  3. Click Keyboard
  4. Click Text Entry
  5. Click +
  6. Select a keyboard layout and click Add
  7. Close the window
  8. Click the Keyboard Layout icon on the top right and click the new layout

89
Keyboard Layouts
• Ubuntu 18.04 & Kali Host (Security Fabric & FortiWeb)
  1. Must be done from inside the host
  2. Log in, click the drop-down list on the top right and select the Settings icon
  3. Click Region and Language and click the + icon under Input Sources
  4. If required, use the button on the bottom of the window to search for a keyboard
  5. Click the keyboard and click Add
  6. Close the window
  7. Click the Keyboard Layout icon on the top right and click the new layout panel

90
Extended RDP Access
• Easiest and quickest access is through the browser interface
• RDP client access provided:
  • RDP config download
  • External address link
• Benefits:
  • Allows students to use an interface that is most familiar to them
  • Custom configuration
  • Lets students use a tablet as a secondary screen

91
Use Tablet as a Secondary Screen
• Install an RDP client on the tablet (for example Parallels)
• Email or transfer the CloudShare external access link to the tablet
• Tablets work well for Jumpbox access and the FortiFIED app
• Secondary VMs still require using the web portal interface
92
