Fortinet SD-WAN At Network Field Day 20

Undoubtedly, if you have spent any time in the IT industry, you have heard the terms “SD-WAN”, “attack vectors”, “fabric”, and the oft-used “single pane of glass”. These terms are tossed about in project meetings by people who have read a glossy and have seen the wondrous panacea of smartly moving applications across multiple links from a single web UI with brightly colored health statistic panels. Not many companies have come close to making all the talk a reality, especially in the vendor-agnostic world of today’s networks.

Enter Fortinet.

Stephen Watkins: Security Architect

According to The Motley Fool, Fortinet was in the top-5 performing stocks in 2018 after riding a “wave of security breaches”. Perhaps it was the “wave” pushing Fortinet to public prominence, but frankly, if they didn’t deliver on the technology they would have been cast aside by management, Wall Street, and IT professionals alike. Innovation and execution are king.

As a cybersecurity company, Fortinet employs over 200 researchers in 31 different countries. That’s a significant number of eyeballs and brains thinking about the security posture of Fortinet’s portfolio. Within the Secure SD-WAN product family, engineers may steer applications based on circuit health, QoS needs, user ID, and a myriad of other options.

Monitoring and acting on attack signatures is a complex task, and the Fortinet FortiManager and FortiAnalyzer are there to assist. Available as an appliance, VM, or cloud installation, these tools extend visibility into the entire Fortinet suite of products, including multi-vendor partnerships that are Fortinet fabric-ready.

Back in the day when policy-based routing ruled the traffic engineering roost, all we could really do was define the application in an access list and shunt the flow to the next hop. SD-WAN technology changes the game, and Fortinet offers ways to make smarter choices based on the health of the circuit. For example, if your voice traffic is traversing your MPLS network and is COS marked EF, whereas all other traffic is in the default queue, Fortinet can monitor those QoS queues and leave your voice traffic in place even if your other traffic is being dropped due to congestion. You as an engineer have complete control in the setup of the application SLAs, and Fortinet can move the traffic so that you maintain compliance.

Think about using that backup circuit into your branch office to carry internal business apps! The one that hits the budget for thousands of dollars a year but can’t be used for anything but Internet traffic. PBR to move apps across different circuits was rudimentary at best and a pain in the keister at worst. Fortinet’s Secure SD-WAN gives you the ability to leverage both circuits for your critical applications and eases deployment to branch offices by using zero-touch deployment services.

Architecture For Performance

I’m sure you can imagine the amount of processing power needed for Secure SD-WAN and other security services. FortiGate deals with this in a unique way by separating the heavy lifting of traffic inspection, forwarding, encryption, and AV onto different CPUs. Fortinet calls this “parallel processing.” Fortinet made the claim that because of this system architecture, they were able to see a scant 15% performance hit on SSL/VPN inspection rather than the 70% of other vendors. Let me just say that as a first-time Network Field Day delegate I was shocked a) that a company would be that bold to claim performance numbers in mixed company, and b) by the flurry of Slack comments and questions from all the other delegates. Blood in the water!

SD-WAN Architecture, Supported

Nick Shoemaker (NFD20 delegate) was quick to point out the discrepancy in the performance numbers shown on the slide deck. I was impressed that Fortinet stood right in and explained the claim in such a way that it didn’t sound like a used car salesman selling a jalopy. Fortinet explained that the NSS Labs performance numbers were based on the FortiGate 500E as compared to other vendors in the same line. That 15% hit isn’t expected on the smaller SOHO devices because there’s only so much room for processors. That’s a fair statement.

SD-WAN Architecture, Unsupported

When designing your SD-WAN deployment, architecture is critically important. It will directly impact how you manage the flow of applications across networks, failover and high availability, provisioning, and deployment. If you screw that up, the blast radius can be pretty high, ranging from circuit costs to complexity to time-to-deploy. In this case, the circuits using SD-WAN need to be terminated on a single FortiGate device.

Why does that matter? Again, SD-WAN is PBR on steroids. Simple redirection of traffic to another device just isn’t cutting it. I’d asked Stephen Watkins if circuit termination on redundant hardware would work with Secure SD-WAN. Unfortunately, the answer is no. If you’re designing SD-WAN into your environment and you need hardware redundancy down into the branch office, this will change your design.

I would like to see the ability to make application traffic engineering decisions deeper into the network so that the multi-vendor-redundant-hardware customers could leverage SD-WAN technologies without redesigning their branch connectivity. This speaks to the “vendor agnostic” claims of most vendors, and since Fortinet is working with partners one would hope this function isn’t a pipe dream.

Given the extensive product line of Fortinet, it’s easy to see why they saw such success in 2018. While I only touched the surface of the “Forti-portfolio”—I’d recommend scrolling through the product portion of their website—it is quite expansive, covering SD-WAN, security, endpoint protection, WiFi, and switching. Assuming Fortinet’s partnerships with other vendors continue to grow, we may begin to see a true vendor integration of security and network products. For further details go to or check out their presentation at Networking Field Day 20.

Brian Gleason is a full-time Lead Network Engineer for an Austin, TX company and is currently pursuing the Cisco Certified Internetwork Expert, Data Center certification. He also teaches firearms in his spare time after being a husband to his wonderful wife and father to his three awesome kids. Brian was selected as a delegate to Network Field Day 20 held in San Jose, CA.