FTNT Secure SDWAN Use Cases

1. The document discusses Fortinet's converged secure network vision, which combines security, simplicity, and total cost of ownership. 2. It presents Fortinet's SD-Branch solution as delivering a converged secure network through an integrated platform that includes next generation firewall, SD-WAN, switching, wireless access points, and other components. 3. Fortinet's SD-WAN is positioned as the foundational technology that can provide a secure network and transition organizations at their own pace as their needs evolve to include additional capabilities like SASE and ZTNA.


LAN/WAN Secure Architecture for Telcos and Service Providers
Joel Castillo / LATAM SPaC IT Corporate - Business Development Manager
Cristian Ulrich / LATAM SPaC IT Corporate - Sr Business Development Engineer
Networking, Cybersecurity and IT Ecosystem in Service Providers

• Internal Applications and IT Services: CRM, ERP, Billing, Email, Unified Communications.
• Customer Facing Applications: self-service portals and apps, marketplace.
• HQ & Branch Networking and Edge Security: LAN and WAN secure enabled connectivity solutions.
• SP Retail Sites Networking & Security: LAN and WAN secure enabled connectivity solutions.
• People & Devices Protection: Identity Management and End Point Protection.

© Fortinet Inc. All Rights Reserved. 2


PROBLEM VS. SOLUTION

Problem: too many frameworks to decide which direction to take, too many vendors, too many silos, chaotic environments due to rapid changes, new regulations.

Solution: a simplified approach with solutions made up of different products with a high level of integration that drives the deployment of the security strategy in the organization.


Fortinet’s Converged Secure Network Vision
A secure, integrated approach to campus & branch networking

Fortinet sees three key components to converged secure networking:

1. Security
2. Simplicity
3. Total cost of ownership

The Fortinet Converged Secure Network is unmatched in delivering all three:

• We are one of the only vendors recognized in all three related Gartner Magic Quadrants.


Delivering a Converged Secure Network

Corporate network requirements covered by the converged platform: NGFW, SD-WAN, LTE/5G Wireless WAN, Wireless, Switching, NAC.

Convergence benefits (high ROI and low TCO): fewer licenses, simplified operations, one console, one config.


Converged Secure Network - main functions
Blends well into Gartner's CSMA story. Organizations adopting a CSMA strategy will see a 90% reduction in financial impact due to individual security incidents.

SD-WAN: secure, business-outcome-driven WAN
• Simplifies traditional WAN complexity
• Better cloud application performance

Secure LAN Edge: protecting the access edge
• Consolidation through convergence of security and network access via FortiLink
• FortiSwitch and FortiAP integrated into FortiGate as extensions of the NGFW

FortiNAC: protecting the device edge
• Auto discovery, classification, and security of IoT devices as they enter the network
• Increased visibility and anomaly detection
• FortiGate as a sensor, no additional hardware


SD-Branch Components

FortiGate (17+ models): Next Generation Firewall, WLAN Controller, Switch Controller.

FortiAP (20+ models): 802.11ac & Wi-Fi 6; internal or external antenna; BLE; indoor/outdoor/wall jack.

FortiSwitch (40+ models): 1 GE, Multi-GE, 10GE, 100GE; edge switches; data center and top of rack; rugged options; L2/L3 & advanced services.


SD-Branch Components

NAC
• FortiLink NAC: base discovery, onboarding and security
• FortiNAC: advanced discovery and onboarding, including multi-vendor support and anomaly detection

FortiExtender
• Up to two LTE radios
• Dual SIM support per radio
• CAT 12 speeds (600 Mbps) per radio
• Ethernet WAN port
• Routing capabilities
• Multiple LAN ports


Secure SD-WAN - Enabling Application Resilient Networks
Enhance user experience no matter where applications reside

• Secure Local Internet Breakout
• 5,000+ app identification and custom apps
• First packet steering including encrypted traffic
• SSL inspection for SaaS
• WAN remediation (FEC & packet duplication)
• Multiple steering options

Diagram: a Branch Office SD-WAN (HA) steers App 1 to the on-premises secure data center (MPLS) and App 2 to the public cloud, for an enhanced user experience.

Intelligent Steering: traffic agnostic. Reliable Accuracy: including encrypted traffic. Continuous Learning: broadest support, 5k+ apps. Self-healing: real-time optimization.


Fortinet SD-WAN as a Foundational Network Technology
Transition at your own pace

Diagram: SD-WAN grows into Secure SD-WAN and then Secure SD-Branch; Secure SD-WAN runs on a purpose-built ASIC, powered by one OS. Accelerated and flexible deployment for thin, WAN and SD-Branch edges.

Evolution of SD-WAN from Point Product to The Platform
Gartner: the two topics most discussed with SD-WAN in 2021 were security and cloud.

• SD-WAN: was all about network transformation, replacing routers
• Secure SD-WAN: adding security services
• Secure SD-Branch: build out SD-Branch with LAN integration; build out WAN with 5G
• ZTNA & SASE: ZTNA and SASE integration; multi-cloud and cloud on-ramp
• AIOps: advanced AIOps & DEM services


Use Case - Single Internet Access
Application prioritization and traffic shaping

• Define critical business applications (traffic of other SSE/SASE vendors such as Zscaler and Netskope can be recognized)
• Classify traffic based on apps, users, groups, etc.
• Define shaping profiles for bandwidth management and queue prioritization
• Apply the shaping profile on the interface
• Real-time monitoring on FortiManager and historical reports on FortiAnalyzer
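The following is an added example, not Fortinet code or a FortiOS configuration: a small scheduler showing how a shaping profile with per-class priority, guaranteed percentage and maximum percentage divides an interface's bandwidth between the classes defined in the steps above. The class names, percentages and offered loads are constructed for illustration, and the two-pass rule (guarantees first, then leftover by priority up to each class's cap) is this example's own model of queue prioritization.

```python
"""Added example (not Fortinet code): how a traffic-shaping profile shares an
interface's bandwidth between classes that each carry a priority, a guaranteed
percentage and a maximum percentage. Class names, percentages and offered loads
are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class ShapingClass:
    name: str
    priority: int        # 1 = high, 2 = medium, 3 = low (assumption: lower number wins)
    guaranteed_pct: int  # share of the interface reserved for this class
    maximum_pct: int     # hard ceiling for this class, even when the link is idle
    demand_kbps: int     # offered load measured for this class


def allocate(interface_kbps: int, classes: list[ShapingClass]) -> dict[str, int]:
    """Return the bandwidth (kbps) each class gets in one scheduling interval.

    Pass 1 honours every guarantee; pass 2 hands the leftover to classes in
    priority order, never exceeding a class's demand or its maximum.
    """
    if sum(c.guaranteed_pct for c in classes) > 100:
        raise ValueError("guaranteed percentages exceed 100% of the interface")

    def cap(c: ShapingClass) -> int:
        # A class can never receive more than it asks for or more than its ceiling.
        return min(c.demand_kbps, interface_kbps * c.maximum_pct // 100)

    alloc = {c.name: min(cap(c), interface_kbps * c.guaranteed_pct // 100) for c in classes}
    remaining = interface_kbps - sum(alloc.values())
    for c in sorted(classes, key=lambda k: k.priority):
        give = min(cap(c) - alloc[c.name], remaining)
        alloc[c.name] += give
        remaining -= give
    return alloc


# Constructed example: a 10 Mbps Internet link under load from three classes.
EXAMPLE_CLASSES = [
    ShapingClass("voice", priority=1, guaranteed_pct=20, maximum_pct=30, demand_kbps=4000),
    ShapingClass("business-apps", priority=2, guaranteed_pct=30, maximum_pct=100, demand_kbps=8000),
    ShapingClass("bulk", priority=3, guaranteed_pct=10, maximum_pct=50, demand_kbps=9000),
]


def example() -> dict[str, int]:
    return allocate(10_000, EXAMPLE_CLASSES)


if __name__ == "__main__":
    for name, kbps in example().items():
        print(f"{name:14s} {kbps:6d} kbps")
```

In the constructed scenario voice is capped at its 30% ceiling even though it has the highest priority, business-apps absorbs the rest of the link, and bulk is held to its 10% guarantee; the same function shows that a lone bulk class on an idle link still cannot exceed its maximum.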


Use Case - Multiple links
Application steering based on link SLA

SD-WAN Interface Members & Zones
• Nearly any FortiGate interface can be a member
• Physical ports, VLANs, LAGs, IPSEC/GRE/IPIP, FEX…
• Grouped into SD-WAN Zones
• Can have different cost/priority

Performance SLA
• Health probes to measure latency, jitter and packet loss over different members
• Different probe protocols: Ping, DNS, HTTP, TWAMP, TCP/UDP Echo
• Zero or more SLA targets, for different applications

SD-WAN Rules
• Match different types of traffic and apply the desired steering strategy to it
• Select the right member for each session, considering its current health and SLA status
• Different match criteria: L3-L7, Application, ISDB, User Group…
• Different steering strategies:
  - Pick the cheapest member that meets the SLA target
  - Load-balance across members that meet the SLA target
  - Pick the member with the best quality
  - Pick a particular member
Use Case - Multiple links
Performance SLA health-check fields

• IP Version: IPv4 or IPv6
• Protocol: use ping or HTTP to test the link with the server
• Server: IP address or FQDN of the server. If two servers are configured, both need to fail for the link to be detected as offline
• Participants: interface members for this health-check
• SLA Targets (optional): used by the SLA strategy in SD-WAN rules
• Status check interval: the time between attempts to connect to the server
• Number of failures before the server is considered lost
• Number of successful responses received before the server is considered recovered
• Enable/disable updating the static route: when enabled and the health-check fails, FortiOS disables the static routes for inactive interfaces
Use Case - Multiple links
Performance SLA

Health check methods:

• PING: use PING to test the link with the server.
• TCP-ECHO: use TCP echo to test the link with the server.
• UDP-ECHO: use UDP echo to test the link with the server.
• HTTP: use HTTP-GET to test the link with the server.
• TWAMP: use TWAMP to test the link with the server.
• DNS: use a DNS query to test the link with the server. The FortiGate sends a DNS query for an A record and the response must match the expected IP address.
• TCP-CONNECT: use a full TCP connection to test the link with the server. The method to measure the quality of the TCP connection can be:
  - half-open: FortiGate sends SYN and gets SYN-ACK. The latency is based on the round trip between SYN and SYN-ACK (default).
  - half-close: FortiGate sends FIN and gets FIN-ACK. The latency is based on the round trip between FIN and FIN-ACK.
• FTP: use FTP to test the link with the server. The FTP mode can be:
  - passive: the FTP health-check initiates and establishes the data connection (default).
  - port: the FTP server initiates and establishes the data connection.


Use Case - Multiple links
Passive WAN health measurement

SD-WAN passive WAN health measurement determines the health check measurements using session information that is captured on firewall policies that have Passive Health Check (passive-wan-health-measurement) enabled.

Passive measurements analyze session information that is gathered from various TCP sessions to determine the jitter, latency, and packet loss.

Using passive WAN health measurement reduces the amount of configuration required and decreases the traffic that is produced by health check monitor probes doing active measurements.

Passive WAN health measurement analyzes real-life traffic; active WAN health measurement using a detection server might not reflect the real-life traffic.
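As an added example (not FortiOS code), the following derives link health from passive session information, in the spirit of the passive measurement described above. Each sample stands for one TCP session seen on a policy with passive health check enabled; the member names, RTT samples and counters are constructed, and the metric definitions (mean RTT for latency, mean absolute change between consecutive RTTs for jitter, retransmit ratio for loss) are this example's own choices, not a description of how FortiOS computes them. It also shows the caveat that follows from measuring real traffic: a member that carries almost no sessions yields no measurement at all.

```python
"""Added example (not FortiOS code): passive SD-WAN link health derived from
observed TCP sessions instead of active probes. All sample data is constructed."""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

MIN_RTT_SAMPLES = 4  # below this there is too little real traffic to judge a link


@dataclass
class TcpSessionSample:
    member: str            # SD-WAN member the session was steered to
    rtts_ms: list[float]   # round-trip samples observed on this session (data -> ACK)
    packets_sent: int
    retransmits: int


@dataclass
class LinkMetrics:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def passive_metrics(samples: list[TcpSessionSample], member: str) -> Optional[LinkMetrics]:
    """Aggregate all sessions that used `member`; None when there is too little traffic."""
    mine = [s for s in samples if s.member == member]
    rtts = [r for s in mine for r in s.rtts_ms]
    if len(rtts) < MIN_RTT_SAMPLES:
        return None  # passive measurement needs real sessions on the link
    # Jitter is measured within a session, so only consecutive samples of one session are compared.
    deltas = [abs(b - a) for s in mine for a, b in zip(s.rtts_ms, s.rtts_ms[1:])]
    sent = sum(s.packets_sent for s in mine)
    retx = sum(s.retransmits for s in mine)
    return LinkMetrics(
        latency_ms=mean(rtts),
        jitter_ms=mean(deltas) if deltas else 0.0,
        loss_pct=100.0 * retx / sent if sent else 0.0,
    )


def meets_sla(m: LinkMetrics, latency_ms: float, jitter_ms: float, loss_pct: float) -> bool:
    """Same comparison an SLA target applies to active probe results."""
    return m.latency_ms <= latency_ms and m.jitter_ms <= jitter_ms and m.loss_pct <= loss_pct


# Constructed session samples: wan1 carries real traffic, wan2 has seen almost none.
SAMPLES = [
    TcpSessionSample("wan1", [20.0, 30.0, 20.0, 30.0], packets_sent=100, retransmits=2),
    TcpSessionSample("wan1", [40.0, 40.0], packets_sent=100, retransmits=2),
    TcpSessionSample("wan2", [15.0, 16.0], packets_sent=10, retransmits=0),
]


def example() -> dict[str, Optional[LinkMetrics]]:
    return {m: passive_metrics(SAMPLES, m) for m in ("wan1", "wan2")}


if __name__ == "__main__":
    for member, metrics in example().items():
        print(member, metrics if metrics else "no measurement (insufficient traffic)")
```

A practical consequence of the None result is that passive measurement alone cannot tell an idle link from a dead one; an active probe on a rarely used backup member remains useful for exactly that case.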


Use Case - Multiple links
SD-WAN Rules
SD-WAN rules control how sessions are distributed to SD-WAN members. You can configure SD-WAN rules from the GUI and CLI. From the GUI, go to Network > SD-WAN > SD-WAN Rules. When creating a new SD-WAN rule, or editing an existing SD-WAN rule, use the Source and Destination sections to identify traffic, and use the Outgoing interfaces section to configure WAN intelligence for routing traffic.

Identifying traffic
• Source (optional) fields accept IP/Mask and User Group
• Destination: address, protocol, Internet Service and Application Control

WAN intelligence
• Outgoing interfaces can be selected based on Manual, Best Quality, Lowest Cost (SLA) and Maximize Bandwidth
• Zones have lower priority than interfaces
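The member selection described across the three preceding slides (members with cost and priority, a performance SLA with failure and recovery counters, and the Manual, Best Quality, Lowest Cost (SLA) and Maximize Bandwidth strategies of an SD-WAN rule) is shown below as an added example, not FortiOS code. Member names, thresholds and probe results are constructed; the fallback when no member meets the SLA (priority order among live members) and the use of latency as the quality metric for Best Quality are this example's assumptions.

```python
"""Added example (not FortiOS code): health-check hysteresis, SLA targets and
the four steering strategies of an SD-WAN rule. All values are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    ok: bool                 # False = no answer from the health-check server
    latency_ms: float = 0.0
    jitter_ms: float = 0.0
    loss_pct: float = 0.0


@dataclass
class SlaTarget:
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def met(self, p: Probe) -> bool:
        return (p.ok and p.latency_ms <= self.latency_ms
                and p.jitter_ms <= self.jitter_ms and p.loss_pct <= self.loss_pct)


@dataclass
class Member:
    name: str
    cost: int = 0            # lower is cheaper
    priority: int = 1        # order used by Manual mode and as tie-breaker
    alive: bool = True
    fails: int = 0
    successes: int = 0
    last: Optional[Probe] = None


class HealthCheck:
    """Tracks member state with failtime/recoverytime style hysteresis."""

    def __init__(self, sla: SlaTarget, failtime: int = 5, recoverytime: int = 5):
        self.sla, self.failtime, self.recoverytime = sla, failtime, recoverytime

    def observe(self, m: Member, p: Probe) -> None:
        m.last = p
        if p.ok:
            m.fails = 0                      # any reply resets the failure streak
            if not m.alive:
                m.successes += 1
                if m.successes >= self.recoverytime:
                    m.alive, m.successes = True, 0
        else:
            m.successes = 0
            if m.alive:
                m.fails += 1
                if m.fails >= self.failtime:
                    m.alive, m.fails = False, 0

    def in_sla(self, m: Member) -> bool:
        return m.alive and m.last is not None and self.sla.met(m.last)


def select(strategy: str, members: list[Member], hc: HealthCheck) -> list[str]:
    """Return the member name(s) a new session may use under the given strategy."""
    live = sorted((m for m in members if m.alive), key=lambda m: m.priority)
    if not live:
        return []
    if strategy == "manual":
        return [live[0].name]
    if strategy == "best-quality":            # assumption: quality = lowest latency
        return [min(live, key=lambda m: m.last.latency_ms if m.last else float("inf")).name]
    meeting = [m for m in live if hc.in_sla(m)] or live   # assumption: fall back to all live members
    if strategy == "lowest-cost":
        return [min(meeting, key=lambda m: (m.cost, m.priority)).name]
    if strategy == "maximize-bandwidth":
        return [m.name for m in meeting]
    raise ValueError(f"unknown strategy {strategy!r}")


def example() -> dict[str, list[str]]:
    """Constructed scenario: wan1 is cheap but slow today, wan2 costs more and is healthy."""
    hc = HealthCheck(SlaTarget(latency_ms=250, jitter_ms=50, loss_pct=5), failtime=3, recoverytime=3)
    wan1, wan2 = Member("wan1", cost=0, priority=1), Member("wan2", cost=10, priority=2)
    hc.observe(wan1, Probe(True, latency_ms=300, jitter_ms=5, loss_pct=0))
    hc.observe(wan2, Probe(True, latency_ms=80, jitter_ms=5, loss_pct=0))
    members = [wan1, wan2]
    result = {s: select(s, members, hc)
              for s in ("manual", "best-quality", "lowest-cost", "maximize-bandwidth")}
    for _ in range(3):                        # wan1 stops answering: three misses -> dead
        hc.observe(wan1, Probe(False))
    result["manual-after-failures"] = select("manual", members, hc)
    for _ in range(3):                        # three replies in a row -> recovered
        hc.observe(wan1, Probe(True, latency_ms=100))
    result["manual-after-recovery"] = select("manual", members, hc)
    return result
```

The scenario makes the difference between the strategies visible: Manual keeps sending to wan1 until the health check declares it dead, while the SLA-based strategies move traffic to wan2 as soon as wan1's latency exceeds the target, even though wan1 still answers probes.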


Use Case – Multicloud Integration
Fortigate VM or Cloud-Native integration

• Fortinet Secure SD-WAN can be deployed with FortiGate VM or with cloud-native connectivity services such as AWS TGW Connect, Azure Virtual WAN, and Google NCC.


Use Case – Integration with 3rd party SSE/SASE vendors
Zscaler interoperability

https://docs.fortinet.com/document/fortigate/6.4.2/sd-wan-deployment-with-zscaler/938236/zscaler-internet-access-and-fortinet-sd-wan
https://help.zscaler.com/zia/ipsec-vpn-configuration-guide-fortigate-60d-firewall
Use Case – Central MGMT, monitoring and reporting
FortiManager

Diagram: provisioning templates (System Templates, IPsec Templates, CLI Templates, SD-WAN Templates, Security Policy Packages, Zero-Touch, …) are applied to model devices, device groups and devices in three stages: templating, staging, deploying.


SD-WAN Templates
Device Manager > Provisioning Templates > SD-WAN Templates

• Configure an SD-WAN template
  o Create zones (or use the default) and interface members
  o Create a performance SLA and select your health-check server (or use the default defined)
  o Create SD-WAN rules or use the default implicit rule


Assigned Devices
• Assign the SD-WAN template to devices or groups

Configure Firewall Policy
Policy & Objects > Firewall Policy
• Configure the SD-WAN firewall policy
• Create a policy package
• Firewall policy referencing SD-WAN Zones
• Add the device or group to the installation targets and install

Check SD-WAN Status
• FortiManager
  o Monitor SD-WAN interfaces and traffic status using SD-WAN Monitor (Device Manager > Monitor > SD-WAN Monitor), in Map View or Table View


FortiOS SD-WAN
Zero Touch Provisioning - How it works?

Diagram (actors: Customer, Fortinet, FortiManager, FortiGate, FortiCloud), as far as the steps can be recovered from the slide: order the FortiGates along with a FortiDeploy SKU; Fortinet gets your devices registered in FortiCloud; assign your devices to FortiManager; the deployed device fetches its management details from FortiCloud; the deployed device registers in FortiManager; FortiManager provisions the device with its full configuration.


Use Case – Central MGMT, monitoring and reporting
FortiAnalyzer

• Two pre-built SD-WAN report templates
• Flexible and powerful reports engine allows creation of granular and customized reports


Q&A
