Fortigate SDWAN – All-In-One internet resilience

SDWAN is booming, and lots of vendors are promoting their SDWAN. According to Wikipedia, any SDWAN should have these characteristics:

  • The ability to support multiple connection types, such as MPLS, frame relay and higher capacity LTE wireless communications
  • The ability to do dynamic path selection, for load sharing and resiliency purposes
  • A simple interface that is easy to configure and manage
  • The ability to support VPNs, and third party services such as WAN optimization controllers, firewalls and web gateways

As you can see, all the features above have been available on enterprise routers/firewalls for quite a long time, so to some extent it is marketing jargon after all.

However, SD-WAN has attracted a large number of sysadmins, and as a result most SD-WAN solutions have acquired some characteristics we had never seen on enterprise network devices before. In my opinion, the most noteworthy ones are zero-touch provisioning and path selection based on a per-application SLA. They make the sysadmin's daily job (especially procurement) much easier, and they give users more choice in what they can do with their existing network connections, though that part does not necessarily make the sysadmin's job easier.

SD-WAN delivers visible results quickly: both the IT team and the users can see an obvious improvement almost immediately if it is deployed correctly. So it is easy to get budget for, and a good number of enterprises and providers are taking that route. Some studies predict a very aggressive rate of SD-WAN penetration by 2020.

However, you need to choose very carefully which SD-WAN solution fits your requirements. As one study (Gartner Report Highlights Different Vendor SD-WAN Strategies) says, SD-WAN architecture and its direction differ considerably from one vendor to another. For the details you are better off checking with your IT partner, but I will introduce Fortigate and Silverpeak.


All-In-One easy internet resiliency? Then Fortigate.

Fortigate SDWAN is meant for internet resiliency. If you are looking for:

  • something rather inexpensive
  • all-in-one (web filtering, anti-virus, application control)
  • resiliency across two internet circuits

then Fortigate can be on your candidate list.


In the following example, I configured a Fortigate unit to meet the following requirements:

  • Use two internet connections
  • Normal web browsing uses the first circuit, and fails over to the second circuit if the first circuit shows packet loss above 1% or latency above 50 ms.
  • O365 traffic uses whichever of the two internet circuits has the better quality.

1. Diagram I used

I set up this test in AWS as shown below:

2. Configure SDWAN

There are three main things we can configure:

  • SD-WAN … selects which ports are used for SD-WAN. Usually these are the WAN ports connecting to the internet.
  • SD-WAN Rule … By default there is a catch-all rule which defines how load balancing works. The default algorithm is source-IP based, so with 100 users inside, roughly 50 of them use the first circuit while the other 50 use the second (it hashes the source address, so the split is approximate, not an exact count). You can create application-specific rules here as well, which I will go through later.
  • Performance SLA … This is not mandatory for basic SD-WAN function. If you need granular control of the links, you define SLAs here.

SD-WAN

I created an SLA which keeps sending ICMP probes to 1.1.1.1 from both WAN ports. Keep in mind that this measures each circuit's path to Cloudflare's resolver rather than to Office 365 itself; it is a reasonable generic internet reachability check, but the numbers it reports are not the O365 experience.

Performance SLA

And next I create SD-WAN rules.

The first one is for O365 traffic. It sends O365 traffic over the circuit with the lowest packet loss AND the lowest latency.

SD-WAN Rule – O365

The second one is for all other internet traffic. Technically this is not necessary: internet traffic will be load balanced across both circuits if this rule is not configured. This time I configured it to demonstrate how circuit failover works. It uses the SLA I created in the previous step.

SD-WAN Rule – Any

As a result, the SD-WAN rule list looks like this:

SD-WAN Rule list
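To make the interaction between the three objects above (members, Performance SLA, rules) concrete before touching a real unit, here is a small simulation of the path-selection logic. This is an added example written for this page; it is not Fortinet code and not taken from the original post. It assumes the member names port1/port2, the 50 ms / 1% thresholds from the requirements, that a member is only marked out of SLA after 5 consecutive failed probes and back in after 5 consecutive good ones (the FortiOS health-check `failtime`/`recoverytime` defaults as I know them; verify on your own unit), and that an SLA-mode rule falls back to its first member when no member meets the SLA. The probe results are constructed sample data, not captured from a device.

```python
# Added example: simulation of FortiGate-style SD-WAN path selection.
# Not Fortinet code. Member names, thresholds, failtime/recoverytime values
# and the "fall back to first member" behaviour are assumptions (see lead-in).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    """One health-check round for a member: measured latency and loss."""
    latency_ms: float
    loss_pct: float


@dataclass
class PerformanceSla:
    """Equivalent of a Performance SLA: thresholds plus per-member in/out-of-SLA state."""
    latency_threshold_ms: float = 50.0
    loss_threshold_pct: float = 1.0
    failtime: int = 5        # consecutive failed probes before a member is out of SLA
    recoverytime: int = 5    # consecutive good probes before it is back in SLA
    in_sla: Dict[str, bool] = field(default_factory=dict)
    bad_run: Dict[str, int] = field(default_factory=dict)
    good_run: Dict[str, int] = field(default_factory=dict)
    last: Dict[str, Probe] = field(default_factory=dict)

    def meets_sla(self, p: Probe) -> bool:
        return (p.latency_ms <= self.latency_threshold_ms
                and p.loss_pct <= self.loss_threshold_pct)

    def update(self, member: str, p: Probe) -> bool:
        """Record one probe result; return whether the member is currently in SLA."""
        self.last[member] = p
        self.in_sla.setdefault(member, True)
        if self.meets_sla(p):
            self.good_run[member] = self.good_run.get(member, 0) + 1
            self.bad_run[member] = 0
            if not self.in_sla[member] and self.good_run[member] >= self.recoverytime:
                self.in_sla[member] = True
        else:
            self.bad_run[member] = self.bad_run.get(member, 0) + 1
            self.good_run[member] = 0
            if self.in_sla[member] and self.bad_run[member] >= self.failtime:
                self.in_sla[member] = False
        return self.in_sla[member]


MEMBERS = ["port1", "port2"]   # priority order: port1 is the preferred circuit


def select_sla_mode(sla: PerformanceSla, priority_members: List[str]) -> str:
    """The 'Any' rule: first member in priority order that is in SLA.
    Falls back to the first member if none qualifies (assumption)."""
    for m in priority_members:
        if sla.in_sla.get(m, True):
            return m
    return priority_members[0]


def select_best_quality(sla: PerformanceSla, members: List[str]) -> str:
    """The 'O365' rule: member with the lowest loss, ties broken by lowest latency.
    Re-evaluated on every probe round with no hold-down (a simplification)."""
    return min(members, key=lambda m: (sla.last[m].loss_pct, sla.last[m].latency_ms))


def run_scenario(rounds: List[Tuple[Probe, Probe]],
                 sla: Optional[PerformanceSla] = None) -> List[Tuple[str, str]]:
    """Feed (port1, port2) probe pairs in order; return per round the egress
    chosen by the 'Any' rule and by the 'O365' rule."""
    sla = sla or PerformanceSla()
    chosen = []
    for p1, p2 in rounds:
        sla.update("port1", p1)
        sla.update("port2", p2)
        chosen.append((select_sla_mode(sla, MEMBERS), select_best_quality(sla, MEMBERS)))
    return chosen


def failover_round(chosen: List[Tuple[str, str]]) -> Optional[int]:
    """Index of the first round in which the 'Any' rule left port1, or None."""
    for i, (any_rule, _) in enumerate(chosen):
        if any_rule != "port1":
            return i
    return None


# Constructed sample: both circuits healthy for 3 rounds, then port1's latency
# jumps to 80 ms (above the 50 ms threshold) while port2 stays at 20 ms.
HEALTHY_P1 = Probe(latency_ms=12.0, loss_pct=0.0)
SLOW_P1 = Probe(latency_ms=80.0, loss_pct=0.0)
HEALTHY_P2 = Probe(latency_ms=20.0, loss_pct=0.0)
LATENCY_SCENARIO = [(HEALTHY_P1, HEALTHY_P2)] * 3 + [(SLOW_P1, HEALTHY_P2)] * 8

# Constructed sample: port1 drops 2 % of probes (above the 1 % threshold) from round 0.
LOSSY_P1 = Probe(latency_ms=12.0, loss_pct=2.0)
LOSS_SCENARIO = [(LOSSY_P1, HEALTHY_P2)] * 6

if __name__ == "__main__":
    for name, scenario in (("latency", LATENCY_SCENARIO), ("loss", LOSS_SCENARIO)):
        result = run_scenario(scenario)
        print(f"{name}: 'Any' rule moves to port2 at round {failover_round(result)}")
        for i, (any_rule, o365_rule) in enumerate(result):
            print(f"  round {i}: Any={any_rule}  O365={o365_rule}")
```

The point the simulation makes is the timing difference between the two rule types: the best-quality rule moves O365 to port2 on the very first degraded probe, while the SLA-mode rule keeps ordinary traffic on port1 until `failtime` consecutive probes have failed, and brings it back only after `recoverytime` good probes. That hysteresis is what stops a single bad probe from flapping every session between circuits.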

3. Test

That's all for the SD-WAN configuration. Let's see the result.

When both circuits are healthy, we can observe this in Performance SLA:

performance SLA – normal

And we can see that port1 is in use:

SD-WAN usage

Once the SLA detects that one of the pre-configured thresholds is violated, all traffic is directed to the second circuit. Note that the health check only marks a member out of SLA after the probe has failed `failtime` times in a row, and back in after `recoverytime` consecutive successes, so the failover is not instantaneous: expect a few seconds of degraded traffic on the first circuit before the switch, and the same delay before traffic returns once the circuit recovers.

Either

Performance SLA – latency

OR

Performance SLA – loss

Causes circuit failover:

SD-WAN Usage – Failure

This test is very basic, but I hope it helped you understand how Fortigate deploys SD-WAN.