The Complete Technical Guide to FortiGate SD-WAN Implementation and Architecture
Software-defined Wide Area Networking (SD-WAN) has emerged as a transformative technology for enterprise networks, offering unprecedented flexibility, security, and cost efficiency compared to traditional WAN solutions. Among the various SD-WAN providers in the market, Fortinet’s FortiGate SD-WAN stands out due to its integrated security framework, hardware acceleration capabilities, and unified management console. This comprehensive guide explores the technical intricacies of FortiGate SD-WAN, from its fundamental architecture to advanced implementation strategies, helping cybersecurity professionals and network engineers deploy and optimize secure SD-WAN infrastructures.
Understanding SD-WAN Technology Fundamentals
Before diving into FortiGate’s specific implementation, it’s essential to understand what makes SD-WAN different from traditional networking approaches. Software-defined WAN applies software-defined networking principles to connect enterprise networks – including branch offices and data centers – over large geographic distances. Unlike traditional WAN technologies that rely heavily on dedicated MPLS circuits, SD-WAN can utilize multiple connection types simultaneously, including broadband internet, 4G/5G, and MPLS.
The key technical components that define SD-WAN include:
- Control Plane Separation: SD-WAN architectures separate the control plane (management and traffic engineering) from the data plane (actual packet forwarding), allowing centralized management of distributed network devices.
- Dynamic Path Selection: Real-time traffic steering across multiple WAN links based on application requirements, link quality, and business policies.
- Application-Aware Routing: The ability to identify applications at Layer 7 and apply specific routing decisions based on application characteristics.
- Transport Independence: SD-WAN can operate over any type of WAN transport, including MPLS, broadband, LTE, and satellite connections.
- Zero-Touch Provisioning: Automated deployment of network devices at remote locations without requiring technical staff on-site.
Traditional networking architectures routed traffic based primarily on Layer 3 information, while SD-WAN makes intelligent decisions based on application requirements, network conditions, and business rules. This paradigm shift enables organizations to deploy cost-effective internet connections alongside or in place of expensive MPLS circuits without sacrificing performance for critical applications.
FortiGate SD-WAN Architecture and Components
Fortinet’s SD-WAN solution integrates directly into its FortiGate Next-Generation Firewall (NGFW) platform, creating what Fortinet calls a “Secure SD-WAN” approach. This architecture fundamentally differs from other SD-WAN vendors who often add security as an overlay or additional service. With FortiGate SD-WAN, the security capabilities and SD-WAN functions operate on the same platform, powered by custom ASICs (Application-Specific Integrated Circuits) that enable wire-speed performance even with full security inspection enabled.
Core Components of FortiGate SD-WAN
- FortiGate Devices: Physical or virtual next-generation firewalls that serve as the SD-WAN edge devices at each location.
- FortiManager: Centralized management platform that provides policy configuration, zero-touch provisioning, and network-wide visibility.
- FortiAnalyzer: Analytics and reporting platform that collects and processes logs from FortiGate devices, providing SD-WAN health metrics, application usage, and security event correlation.
- FortiOS: The operating system that powers FortiGate devices, containing both the SD-WAN and security functionality.
- Security Processing Units (SPUs): Custom ASIC hardware that accelerates both security functions and SD-WAN capabilities, available in most physical FortiGate models.
The architecture employs a unique approach called “Security-Driven Networking,” where security and networking functions are converged rather than bolted together. This convergence is made possible by FortiOS, which natively integrates SD-WAN capabilities with the full security stack, including firewall, IPS, web filtering, antivirus, and SSL inspection.
Unlike overlay SD-WAN solutions that operate independently of the underlying network, FortiGate SD-WAN is deployed in-path. This means the FortiGate becomes the edge device at each location, handling both security inspection and SD-WAN functionality. This in-path deployment model provides complete visibility into all traffic passing through the network, enabling more effective security controls.
ASIC Acceleration: FortiGate’s Technical Advantage
A significant technical differentiator for FortiGate SD-WAN is the use of purpose-built ASICs for hardware acceleration. Unlike general-purpose CPUs used in many competing solutions, Fortinet’s custom silicon provides dedicated hardware for processing packets, encryption/decryption, and security functions.
The two primary ASICs in FortiGate devices are:
- System-on-a-Chip (SoC4): Found in entry-level and mid-range FortiGate models, combining CPU, network interfaces, and hardware acceleration.
- Content Processor (CP9): Dedicated to cryptographic operations, significantly accelerating VPN performance in high-end models.
These ASICs deliver substantial performance benefits, particularly for secure SD-WAN deployments where encryption/decryption operations are frequent. For example, a mid-range FortiGate 100F with ASIC acceleration can achieve up to 1 Gbps of IPsec VPN throughput, while similarly priced appliances from competitors without hardware acceleration might deliver only a fraction of this performance.
According to Fortinet engineering benchmarks, enabling full security inspection (including SSL decryption) in software-based SD-WAN solutions can reduce throughput by up to 80%, while FortiGate’s ASIC-accelerated approach maintains near wire-speed performance even with security enabled.
FortiGate SD-WAN Technical Implementation
Implementing FortiGate SD-WAN involves several technical steps and considerations. This section explores the practical aspects of deployment, from initial configuration to advanced features.
Initial SD-WAN Configuration on FortiGate
The basic implementation of SD-WAN on a FortiGate involves defining SD-WAN interfaces, creating an SD-WAN zone, establishing performance SLAs, and configuring SD-WAN rules. Below is a step-by-step configuration example using the FortiGate CLI:
# 1. Define the WAN interfaces that will participate in SD-WAN
config system interface
edit "wan1"
set mode static
set ip 203.0.113.1/24
set allowaccess ping https ssh
next
edit "wan2"
set mode static
set ip 198.51.100.1/24
set allowaccess ping https ssh
next
end
# 2. Create the SD-WAN interface
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
end
config members
edit 1
set interface "wan1"
set gateway 203.0.113.254
next
edit 2
set interface "wan2"
set gateway 198.51.100.254
next
end
end
# 3. Define Performance SLA monitoring targets
config system sdwan
config health-check
edit "Google"
set server "8.8.8.8"
set protocol ping
set interval 1000
set failtime 5
next
edit "Office365"
set server "outlook.office365.com"
set protocol ping
set interval 1000
set failtime 5
next
end
end
# 4. Create SD-WAN rules for routing traffic
config system sdwan
config service
edit 1
set name "Office365-traffic"
set dst "Office365-subnet"
set health-check "Office365"
set priority-members 1 2
next
edit 2
set name "General-Internet"
set dst "all"
set health-check "Google"
set priority-members 1 2
next
end
end
# 5. Create firewall policy to allow traffic through SD-WAN
config firewall policy
edit 1
set name "SD-WAN-to-Internet"
set srcintf "internal"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
The configuration above establishes a basic SD-WAN setup with two WAN connections, monitoring of critical services, and traffic steering based on destination and link health. While the CLI offers the most granular control, the same configuration can be accomplished through the FortiGate GUI, which provides visualization tools that make it easier to understand the SD-WAN topology and behavior.
Application-Based Routing and SLA Definitions
FortiGate SD-WAN’s application-based routing is a cornerstone feature that allows traffic steering based on application identification. This capability leverages FortiOS’s deep packet inspection and application signatures to identify over 5,000 applications and services.
Application detection works through multiple methods:
- Deep packet inspection of the first few packets in a flow
- Protocol decoders that understand application behaviors
- TLS certificate analysis for encrypted traffic
- DNS request monitoring to identify applications before connections are established
Once applications are identified, Service Level Agreement (SLA) targets can be defined to ensure optimal performance. SLAs typically monitor:
- Latency: Round-trip time for packets
- Jitter: Variation in packet arrival times (critical for VoIP and video)
- Packet Loss: Percentage of packets that fail to reach their destination
- Bandwidth: Available throughput on the link
Here’s an advanced SLA configuration example that creates different profiles for voice, video, and data applications:
# Create SLA profiles for different application categories
config system sdwan
config health-check
edit "VoIP-SLA"
set server "sip-server.example.com"
set protocol tcp-echo
set port 5060
set interval 500
set failtime 3
set sla-fail-log-period 60
config sla
edit 1
set link-cost-factor latency jitter packet-loss
set latency-threshold 100
set jitter-threshold 30
set packetloss-threshold 1
next
end
next
edit "Video-SLA"
set server "video.example.com"
set protocol udp
set interval 500
set failtime 3
config sla
edit 1
set link-cost-factor latency packet-loss
set latency-threshold 150
set packetloss-threshold 2
next
end
next
end
end
# Configure application-based routing rules
config system sdwan
config service
edit 1
set name "VoIP-Traffic"
set mode priority
set src "all"
set dst "all"
set internet-service enable
set internet-service-app-ctrl 34640 36452 # Zoom and Teams app IDs
set health-check "VoIP-SLA"
set priority-members 1 2
next
edit 2
set name "Video-Streaming"
set mode sla
set src "all"
set dst "all"
set internet-service enable
set internet-service-app-ctrl 41468 31011 # YouTube and Netflix app IDs
set health-check "Video-SLA"
config sla
edit "Video-SLA"
set id 1
next
end
set priority-members 1 2
next
end
end
This configuration creates specific SLA targets for VoIP and video traffic, with different thresholds for latency, jitter, and packet loss. The SD-WAN rules then use application detection to identify specific applications like Zoom, Microsoft Teams, YouTube, and Netflix, routing them according to the appropriate SLA profile.
Multi-Path Technology and Load Balancing
FortiGate SD-WAN supports several modes of operation for utilizing multiple WAN links:
- Priority-Based: Links are used in order of preference, with failover to lower-priority links when higher-priority links fail.
- Performance-Based (SLA): Traffic is routed based on which link best meets the defined SLA criteria.
- Load Balancing: Traffic is distributed across available links using volume-based, session-based, or source-IP-based algorithms.
- Spillover: A primary link is used until a bandwidth threshold is reached, then additional traffic “spills over” to secondary links.
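The following Python model, added here as an illustration and not taken from FortiOS or Fortinet documentation, shows how the four modes differ when fed the same health-check measurements and the VoIP SLA thresholds from the earlier health-check example. Field names, the per-member spillover threshold and the tie-break rules are assumptions chosen for clarity; FortiOS's internal algorithm is not reproduced.

```python
"""Model of SD-WAN member selection for the modes listed above (added illustration,
not FortiOS code). Members carry health-check measurements; SlaTarget mirrors the
thresholds set under 'config sla'. Field names and tie-break rules are assumptions."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SlaTarget:
    latency_threshold: float = 250.0      # ms (FortiOS default)
    jitter_threshold: float = 50.0        # ms (FortiOS default)
    packetloss_threshold: float = 5.0     # percent (FortiOS default)
    link_cost_factor: List[str] = field(default_factory=lambda: ["latency"])  # 'set link-cost-factor'


@dataclass
class Member:
    name: str
    priority: int                          # position in 'set priority-members'; 1 = most preferred
    up: bool = True
    latency: float = 0.0
    jitter: float = 0.0
    packet_loss: float = 0.0
    utilisation_kbps: float = 0.0
    spillover_threshold_kbps: float = float("inf")   # assumed per-member spillover threshold


def meets_sla(m: Member, sla: SlaTarget) -> bool:
    """In SLA means alive and every configured threshold met."""
    return (m.up and m.latency <= sla.latency_threshold
            and m.jitter <= sla.jitter_threshold
            and m.packet_loss <= sla.packetloss_threshold)


def link_cost(m: Member, sla: SlaTarget) -> float:
    """Sum of the metrics named in link-cost-factor; lower is better."""
    values = {"latency": m.latency, "jitter": m.jitter, "packet-loss": m.packet_loss}
    return sum(values[f] for f in sla.link_cost_factor)


def select_members(members: List[Member], sla: SlaTarget, mode: str) -> List[str]:
    """Return member names in the order a rule of the given mode would steer traffic."""
    alive = [m for m in members if m.up]
    in_sla = sorted((m for m in alive if meets_sla(m, sla)), key=lambda m: m.priority)
    out_sla = sorted((m for m in alive if not meets_sla(m, sla)), key=lambda m: m.priority)
    if mode == "priority":
        # configured order, but members failing the SLA fall behind those meeting it
        return [m.name for m in in_sla + out_sla]
    if mode == "sla":
        # lowest measured cost first; configured priority only breaks ties
        best_first = sorted(in_sla, key=lambda m: (link_cost(m, sla), m.priority))
        return [m.name for m in best_first + out_sla]
    if mode == "load-balance":
        # every in-SLA member shares sessions; order carries no preference
        return [m.name for m in in_sla]
    if mode == "spillover":
        # the first member still below its threshold carries new sessions
        ordered = sorted(alive, key=lambda m: m.priority)
        for m in ordered:
            if m.utilisation_kbps < m.spillover_threshold_kbps:
                return [m.name]
        return [ordered[-1].name] if ordered else []
    raise ValueError(f"unknown mode {mode!r}")


def demo() -> dict:
    """Constructed readings: wan1 (MPLS) is the configured favourite but nearly full,
    wan2 (broadband) currently measures better and has headroom."""
    voip_sla = SlaTarget(latency_threshold=100, jitter_threshold=30, packetloss_threshold=1,
                         link_cost_factor=["latency", "jitter", "packet-loss"])
    members = [
        Member("wan1", 1, latency=40, jitter=5, packet_loss=0.0,
               utilisation_kbps=9500, spillover_threshold_kbps=9000),
        Member("wan2", 2, latency=20, jitter=10, packet_loss=0.2,
               utilisation_kbps=20000, spillover_threshold_kbps=80000),
    ]
    return {mode: select_members(members, voip_sla, mode)
            for mode in ("priority", "sla", "load-balance", "spillover")}


if __name__ == "__main__":
    for mode, order in demo().items():
        print(f"{mode:13s} -> {order}")
```

Run it and compare the four results: priority mode keeps the configured order as long as the preferred member is inside the SLA, sla mode reorders by measured cost, load-balance returns every in-SLA member, and spillover moves new sessions off wan1 once its utilisation crosses the threshold.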
For mission-critical applications like voice and video conferencing, FortiGate also offers Forward Error Correction (FEC) and packet duplication features. These can significantly improve application performance over unreliable WAN connections:
- Forward Error Correction: Adds redundant data to transmitted packets, enabling the receiver to reconstruct lost packets without requiring retransmission.
- Packet Duplication: Sends identical packets across multiple WAN links, ensuring delivery even if one link experiences packet loss.
Here’s how to configure these features on FortiGate:
# Packet duplication for VoIP traffic is an SD-WAN duplication rule (FortiOS 6.4+ syntax)
config system sdwan
config duplication
edit 1
set srcaddr "all"
set dstaddr "all"
set service "SIP"
set packet-duplication force
set packet-de-duplication enable
next
end
end
# Forward Error Correction is enabled per IPsec overlay tunnel (the tunnel is defined in the hub-and-spoke section below); 5 redundant packets per 10 base packets gives 50% redundancy
config vpn ipsec phase1-interface
edit "to-hub-vpn"
set fec-egress enable
set fec-ingress enable
set fec-base 10
set fec-redundant 5
next
end
This configuration enables both FEC and packet duplication for VoIP traffic, with 50% redundancy for error correction and packets duplicated across both WAN links. While these features increase bandwidth usage, they can dramatically improve the quality of real-time applications over problematic WAN connections.
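To show what the "redundant data" of FEC buys on a lossy link, here is an XOR-parity FEC toy in Python, added as an illustration and not Fortinet's codec. It mirrors the fec-base/fec-redundant ratio (10 data packets protected by 5 parity packets, i.e. 50% redundancy) and demonstrates both a loss pattern the receiver can repair and one it cannot; the packet payloads are constructed.

```python
"""XOR-parity Forward Error Correction toy (added illustration, not FortiOS's codec).

'base' data packets are protected by 'redundant' parity packets, mirroring the
fec-base / fec-redundant pair. Data packet i belongs to parity group i % redundant;
each parity packet is the XOR of its group, so the receiver can rebuild one missing
data packet per group without asking for a retransmission.
"""
from typing import Dict, List, Optional


def xor_bytes(blocks: List[bytes]) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def fec_encode(packets: List[bytes], redundant: int) -> List[bytes]:
    """Return 'redundant' parity packets for one block of equal-length data packets."""
    groups = [[p for i, p in enumerate(packets) if i % redundant == g] for g in range(redundant)]
    return [xor_bytes(g) for g in groups]


def fec_decode(received: Dict[int, bytes], parity: Dict[int, bytes],
               base: int, redundant: int) -> Optional[List[bytes]]:
    """Rebuild the block from whatever arrived.

    received maps data sequence number -> payload; parity maps group -> parity payload.
    Returns the ordered block, or None when a group lost more than one packet.
    """
    recovered = dict(received)
    for g in range(redundant):
        members = [i for i in range(base) if i % redundant == g]
        missing = [i for i in members if i not in recovered]
        if not missing:
            continue
        if len(missing) > 1 or g not in parity:
            return None                      # beyond what one parity packet can repair
        present = [recovered[i] for i in members if i in recovered]
        recovered[missing[0]] = xor_bytes(present + [parity[g]])
    return [recovered[i] for i in range(base)]


def demo() -> dict:
    """Constructed 10-packet block, 5 parity packets (50% redundancy), three packets lost."""
    base, redundant = 10, 5
    data = [f"rtp-{i:02d}-".encode().ljust(16, b"\0") for i in range(base)]
    parity = dict(enumerate(fec_encode(data, redundant)))
    lost = {1, 4, 7}                         # one loss each in groups 1, 4 and 2: repairable
    received = {i: p for i, p in enumerate(data) if i not in lost}
    rebuilt = fec_decode(received, parity, base, redundant)
    # packets 0 and 5 share group 0, so losing both exceeds the scheme's capacity
    received_bad = {i: p for i, p in enumerate(data) if i not in {0, 5}}
    failed = fec_decode(received_bad, parity, base, redundant)
    return {"recovered_all": rebuilt == data, "unrecoverable": failed is None,
            "overhead_pct": 100 * redundant // base}


if __name__ == "__main__":
    print(demo())
```

The overhead figure is the bandwidth cost the text warns about: every 10 voice packets cost 15 on the wire, which is why FEC is normally reserved for small real-time flows rather than bulk traffic.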
Secure SD-WAN: FortiGate’s Security Integration
What truly distinguishes FortiGate’s SD-WAN solution is its comprehensive security integration. Unlike many SD-WAN products that provide basic security features or require separate security appliances, FortiGate embeds enterprise-grade security directly into the SD-WAN fabric.
Zero Trust Network Access and SD-WAN
FortiGate’s SD-WAN implementation supports a Zero Trust Network Access (ZTNA) model, where all users and devices are authenticated and authorized before gaining access to applications and resources, regardless of their network location.
This integration enables several advanced security scenarios:
- Identity-aware SD-WAN policies that route traffic differently based on user identity or group membership
- Device posture checking before allowing access to sensitive applications
- Application-based micro-segmentation across the WAN
- Integration with FortiClient for continuous endpoint telemetry and security posture assessment
The configuration below demonstrates how to implement identity-based SD-WAN policies:
# Configure user authentication
config user ldap
edit "corporate-ldap"
set server "10.1.1.50"
set cnid "cn"
set dn "dc=example,dc=com"
set type regular
set username "cn=admin,dc=example,dc=com"
set password ENC2xxxxxxxxxxxxxxxx
next
end
config user group
edit "executives"
set member "corporate-ldap"
config match
edit 1
set server-name "corporate-ldap"
set group-name "cn=executives,dc=example,dc=com"
next
end
next
edit "developers"
set member "corporate-ldap"
config match
edit 1
set server-name "corporate-ldap"
set group-name "cn=developers,dc=example,dc=com"
next
end
next
end
# Configure identity-based SD-WAN rules
config system sdwan
config service
edit 4
set name "Executive-Traffic"
set mode priority
set src "all"
set dst "all"
set internet-service enable
set internet-service-app-ctrl-group "Critical-Business-Apps"
set groups "executives"
set priority-members 1 # Route through MPLS for highest quality
next
edit 5
set name "Developer-Traffic"
set mode sla
set src "all"
set dst "all"
set internet-service enable
set internet-service-app-ctrl-group "Development-Tools"
set groups "developers"
set health-check "Default-SLA"
config sla
edit "Default-SLA"
set id 1
next
end
set priority-members 2 1 # Prefer broadband, fallback to MPLS
next
end
end
This configuration creates different SD-WAN policies for executives and developers, routing executive traffic through the premium MPLS link while developers’ traffic uses broadband first and MPLS only when needed. The policy application is automatic based on user authentication, creating a Zero Trust model where both identity and application are factors in routing decisions.
SD-WAN Security Features and Threat Protection
FortiGate’s SD-WAN includes comprehensive security features that operate at wire speed thanks to the ASIC acceleration:
- SSL/TLS Inspection: Decrypts encrypted traffic to inspect for threats, with hardware acceleration on most models
- Next-Generation Firewall (NGFW): Application-aware firewalling with granular control
- Intrusion Prevention System (IPS): Real-time protection against network-based threats
- Web Filtering: Category-based and reputation-based web access control
- Data Loss Prevention (DLP): Prevents sensitive data exfiltration across the WAN
- Anti-Malware: Scans files for malicious content
Enabling these security features in an SD-WAN context requires careful profile configuration to balance security and performance. Here’s an example configuration for a secure SD-WAN deployment:
# Configure security profiles
config firewall profile-protocol-options
edit "default"
config http
set ports 80
set status enable
set inspect-all enable
set proxy-after-tcp-handshake disable
end
config https
set ports 443
set status enable
set inspect-all enable
set proxy-after-tcp-handshake disable
end
next
end
config antivirus profile
edit "sd-wan-av"
config http
set status enable
end
config https
set status enable
end
next
end
config webfilter profile
edit "sd-wan-webfilter"
set https-replacemsg enable
config web
set whitelist enable
end
config ftgd-wf
set options https-scan
config filters
edit 1
set category 26 # Malware
set action block
next
end
end
next
end
config ips sensor
edit "sd-wan-ips"
set comment "IPS profile for SD-WAN"
config entries
edit 1
set severity high
set status enable
set action block
next
end
next
end
# Apply security profiles to SD-WAN policy
config firewall policy
edit 1
set name "SDWan-to-Internet"
set srcintf "internal"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "sd-wan-av"
set webfilter-profile "sd-wan-webfilter"
set ips-sensor "sd-wan-ips"
set application-list "default"
set logtraffic all
set nat enable
next
end
This configuration enables comprehensive security inspection for all traffic passing through the SD-WAN interfaces: antivirus scanning, web filtering, intrusion prevention, application control, and TLS certificate inspection. Note that the certificate-inspection profile validates server certificates without decrypting payloads; full SSL/TLS decryption requires a deep-inspection profile, as used in the CASB policy later in this guide. The security profiles are applied to the firewall policy that handles traffic between internal networks and the SD-WAN virtual interface.
One unique aspect of FortiGate’s approach is that security inspection happens before SD-WAN routing decisions, allowing the system to block malicious traffic before it consumes WAN bandwidth. This integrated security architecture provides superior protection compared to solutions that apply security after routing decisions have been made.
FortiGate SD-WAN in Enterprise Deployments
Deploying FortiGate SD-WAN in enterprise environments involves considerations beyond basic setup and security. This section addresses scalability, high availability, and integration with existing infrastructure.
Hub-and-Spoke vs. Mesh Topologies
FortiGate SD-WAN supports both hub-and-spoke and full-mesh topologies, each with distinct advantages:
- Hub-and-Spoke: Branch locations connect to central hub sites, which provide connectivity between branches and to data centers and cloud resources. This model centralizes security control and simplifies management but may introduce latency for branch-to-branch communication.
- Full Mesh: Each location can communicate directly with any other location, reducing latency but increasing complexity and potentially requiring more VPN tunnels.
- Partial Mesh: A hybrid approach where some locations connect directly to each other, while others communicate through hubs.
For most enterprises, a hub-and-spoke model with regional hubs provides the best balance of performance and manageability. Here’s how to configure a hub-and-spoke SD-WAN deployment with FortiGate:
# On hub FortiGate - Configure VPN template
config vpn ipsec phase1-interface
edit "hub-template"
set type dynamic
set interface "wan1"
set mode aggressive
set peertype any
set net-device enable
set proposal aes256-sha256
set dpd on-idle
set psksecret "strong-pre-shared-key"
set dpd-retrycount 3
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "hub-template_p2"
set phase1name "hub-template"
set proposal aes256-sha256
set auto-negotiate enable
next
end
# On spoke FortiGate - Configure VPN to hub
config vpn ipsec phase1-interface
edit "to-hub-vpn"
set interface "wan1"
set mode aggressive
set peertype any
set net-device enable
set proposal aes256-sha256
set dpd on-idle
set remote-gw 203.0.113.100
set psksecret "strong-pre-shared-key"
next
end
config vpn ipsec phase2-interface
edit "to-hub-vpn_p2"
set phase1name "to-hub-vpn"
set proposal aes256-sha256
set auto-negotiate enable
next
end
# Configure SD-WAN to use VPN overlay
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "overlay"
next
end
config members
edit 1
set interface "wan1"
set zone "virtual-wan-link"
next
edit 2
set interface "wan2"
set zone "virtual-wan-link"
next
edit 3
set interface "to-hub-vpn"
set zone "overlay"
next
end
end
# Create SD-WAN rules for different traffic types
config system sdwan
config service
edit 1
set name "Branch-to-DC-Traffic"
set dst "datacenter-servers"
set src "branch-networks"
set priority-zone "overlay"
next
edit 2
set name "Branch-to-Internet"
set dst "all"
set src "branch-networks"
set priority-zone "virtual-wan-link"
next
end
end
This configuration establishes a hub-and-spoke model where branch offices connect to a central hub via IPsec VPNs. The SD-WAN configuration separates the direct internet connections (virtual-wan-link zone) from the VPN overlay (overlay zone), allowing different routing policies for different traffic types. Branch-to-datacenter traffic is routed through the secure overlay, while internet traffic can use direct connections.
High Availability and Redundancy
Enterprise SD-WAN deployments require high availability to ensure continuous operation. FortiGate supports several redundancy mechanisms:
- FortiGate Clustering (FGCP): Active-passive or active-active clusters of FortiGate devices provide hardware redundancy.
- WAN Path Redundancy: Multiple WAN connections with automatic failover ensure continuous connectivity.
- Hub Redundancy: Multiple hub sites can be configured for regional failover.
Here’s a configuration example for a high-availability FortiGate cluster in an SD-WAN deployment:
# Configure HA cluster
config system ha
set mode a-p
set group-name "SD-WAN-Cluster"
set hbdev "port3" 50
set session-pickup enable
set override disable
set priority 200
set monitor "wan1" "wan2"
end
# Configure SD-WAN with HA considerations
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
end
config members
edit 1
set interface "wan1"
set gateway 203.0.113.254
next
edit 2
set interface "wan2"
set gateway 198.51.100.254
next
end
# Health checks should use shared IP not individual FortiGate IPs
config health-check
edit "datacenter-monitor"
set server "10.100.1.1"
set protocol ping
set ha-priority 1
set diffservcode "101110"
next
end
end
This configuration creates an active-passive FortiGate cluster for SD-WAN, with session synchronization to ensure failover doesn’t disrupt existing connections. The ha-priority setting in the health check configuration ensures that if only one path is available, the primary FortiGate in the cluster will use it.
Integration with SASE and Zero Trust
FortiGate SD-WAN serves as the foundation for broader security transformations, including Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA). It integrates with other Fortinet and third-party components to create a comprehensive security framework:
- FortiSASE: Cloud-delivered security services that extend the SD-WAN security perimeter
- FortiClient: Endpoint protection and secure remote access client that enforces zero trust principles
- FortiNAC: Network Access Control for IoT and unmanaged devices
- FortiDeceptor: Deception technology to detect lateral movement attempts
A key integration point is between SD-WAN and cloud access security broker (CASB) functionality, which secures SaaS application usage:
# Configure SAML SSO for SaaS application access
config user saml
edit "office365-saml"
set cert "Fortinet_Factory"
set entity-id "https://auth.fortinet.com"
set single-sign-on-url "https://login.microsoftonline.com/common/saml2"
set single-logout-url "https://login.microsoftonline.com/common/samllogout"
next
end
# Configure CASB inspection profile
config firewall profile-protocol-options
edit "casb-profile"
config http
set status enable
end
config https
set status enable
set ssl-anomalies-check enable
end
next
end
# Create CASB policy for SaaS applications
config firewall policy
edit 10
set name "CASB-Policy"
set srcintf "virtual-wan-link"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set application-list "saas-apps"
set profile-protocol-options "casb-profile"
set logtraffic all
next
end
This configuration creates a SAML integration for single sign-on to Microsoft 365, along with deep SSL inspection and application control specifically for SaaS applications. When combined with SD-WAN, this creates a secure access model where users are authenticated before accessing cloud services, and all traffic is inspected for threats and data leakage.
Advanced FortiGate SD-WAN Techniques and Optimization
Beyond basic deployment, several advanced techniques allow network engineers to optimize FortiGate SD-WAN for specific requirements. This section explores techniques that can enhance performance, reliability, and manageability in complex environments.
WAN Path Controllers and Advanced Routing
FortiGate SD-WAN includes sophisticated path control mechanisms that extend beyond simple failover or load balancing. The SD-WAN service rules can be configured to make routing decisions based on multiple factors simultaneously:
- Source and destination addresses
- Application identification
- User and device identity
- Time of day
- Link quality metrics (latency, jitter, packet loss)
- Link loading and bandwidth availability
These capabilities enable advanced traffic engineering scenarios like these examples:
# Configure time-based SD-WAN rules
config system sdwan
config service
edit 10
set name "Business-Hours-VoIP"
set mode sla
set src "all"
set dst "all"
set protocol 17
set start-port 5060
set end-port 5080
set day-of-week monday tuesday wednesday thursday friday
set start-time "08:00"
set end-time "18:00"
set health-check "VoIP-SLA"
config sla
edit "VoIP-SLA"
set id 1
next
end
set priority-members 1 2
next
edit 11
set name "After-Hours-VoIP"
set mode load-balance
set src "all"
set dst "all"
set protocol 17
set start-port 5060
set end-port 5080
set day-of-week monday tuesday wednesday thursday friday
set start-time "18:00"
set end-time "08:00"
set health-check "VoIP-SLA"
set priority-members 1 2
next
end
end
This configuration creates different routing behaviors for VoIP traffic during business hours versus after hours. During business hours, traffic is routed based on strict SLA requirements to ensure call quality. After hours, when fewer calls occur, a load-balancing approach is used to distribute traffic across available links.
FortiGate SD-WAN can also integrate with traditional routing protocols to create hybrid routing environments:
# Configure BGP for SD-WAN integration
config router bgp
set as 65001
set router-id 10.0.0.1
config neighbor
edit "10.1.1.1"
set remote-as 65002
set interface "port1"
next
end
config network
edit 1
set prefix 192.168.0.0/24
next
end
end
# Configure SD-WAN route injection
config system sdwan
config health-check
edit "Internet-Health"
set server "8.8.8.8"
set protocol ping
set interval 1000
set failtime 5
set recoverytime 5
set update-static-route enable
next
end
end
# Redistribute the static routes maintained by the health check into BGP
config router bgp
config redistribute "static"
set status enable
end
end
This configuration integrates SD-WAN with BGP routing, enabling dynamic advertisement of path availability to upstream routers. The update-static-route option allows the health check to update static routes when links fail, while the BGP redistribution ensures that these changes are propagated to other routers in the network.
QoS and Traffic Shaping in SD-WAN Environments
FortiGate SD-WAN includes sophisticated Quality of Service capabilities that can be applied differently across multiple WAN links. This allows for granular traffic prioritization and bandwidth management:
# Configure traffic shaping for different link types
# wan1 is the MPLS link, wan2 the broadband link; bandwidth values are in kbps
config system interface
edit "wan1"
set estimated-upstream-bandwidth 10000
set estimated-downstream-bandwidth 10000
next
edit "wan2"
set estimated-upstream-bandwidth 50000
set estimated-downstream-bandwidth 100000
next
end
# Define traffic shapers for different traffic classes
config firewall shaper traffic-shaper
edit "voip-traffic"
set guaranteed-bandwidth 2000
set maximum-bandwidth 4000
set priority high
next
edit "business-apps"
set guaranteed-bandwidth 5000
set maximum-bandwidth 8000
set priority medium
next
edit "web-browsing"
set guaranteed-bandwidth 1000
set maximum-bandwidth 10000
set priority low
next
end
# Create shaping policies to apply shapers (matched top-down in id order)
# app-group entries reference application groups defined under config application group
config firewall shaping-policy
edit 1
set name "VoIP-Shaping"
set service "SIP" "SCCP" "H323"
set srcaddr "all"
set dstaddr "all"
set dstintf "virtual-wan-link"
set traffic-shaper "voip-traffic"
set traffic-shaper-reverse "voip-traffic"
next
edit 2
set name "Business-App-Shaping"
set service "ALL"
set app-group "business-apps"
set srcaddr "all"
set dstaddr "all"
set dstintf "virtual-wan-link"
set traffic-shaper "business-apps"
set traffic-shaper-reverse "business-apps"
next
edit 3
set name "Web-Browsing"
set service "ALL"
set app-group "web-browsing"
set srcaddr "all"
set dstaddr "all"
set dstintf "virtual-wan-link"
set traffic-shaper "web-browsing"
set traffic-shaper-reverse "web-browsing"
next
end
This configuration first defines the bandwidth characteristics of each WAN link, then creates traffic shapers for different application categories with varying bandwidth guarantees and priorities. Finally, it applies these shapers to different traffic types through shaping policies, ensuring that each application receives appropriate treatment as it traverses the SD-WAN.
The integration of QoS with SD-WAN creates a powerful combination where traffic is not only routed over the optimal path but also prioritized appropriately on each path. This provides superior application performance compared to solutions that only address path selection without considering bandwidth contention.
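The interaction of guaranteed bandwidth, maximum bandwidth and priority is easiest to see on a congested link. The Python model below is an added illustration, not FortiOS's scheduler: it takes the three shapers defined above on the 10 Mbps upstream of the MPLS link and applies a two-pass rule (guarantees first, then leftover capacity handed out in priority order up to each class's maximum). The allocation rule and the offered load are assumptions.

```python
"""Model of guaranteed / maximum bandwidth and priority on one link (added illustration;
the exact FortiOS scheduler is not reproduced).

Pass 1: every class receives min(guaranteed, demand).
Pass 2: leftover link capacity is handed out in priority order, each class taking
        up to min(maximum, demand) before a lower-priority class gets anything.
All figures are kbps, matching the traffic-shaper units in the configuration above.
"""
from dataclasses import dataclass
from typing import Dict, List

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}   # like 'set priority high|medium|low'


@dataclass
class Shaper:
    name: str
    guaranteed_kbps: int
    maximum_kbps: int
    priority: str


def allocate(link_kbps: int, shapers: List[Shaper], demand_kbps: Dict[str, int]) -> Dict[str, int]:
    """Return the bandwidth each shaper class ends up with under the offered load."""
    if sum(s.guaranteed_kbps for s in shapers) > link_kbps:
        raise ValueError("sum of guaranteed bandwidth exceeds the link's estimated bandwidth")
    alloc = {s.name: min(s.guaranteed_kbps, demand_kbps.get(s.name, 0)) for s in shapers}
    leftover = link_kbps - sum(alloc.values())
    for s in sorted(shapers, key=lambda s: PRIORITY_RANK[s.priority]):
        want = min(s.maximum_kbps, demand_kbps.get(s.name, 0)) - alloc[s.name]
        extra = max(0, min(want, leftover))
        alloc[s.name] += extra
        leftover -= extra
    return alloc


def page_shapers() -> List[Shaper]:
    """The three shapers from the configuration above."""
    return [
        Shaper("voip-traffic", 2000, 4000, "high"),
        Shaper("business-apps", 5000, 8000, "medium"),
        Shaper("web-browsing", 1000, 10000, "low"),
    ]


def demo() -> Dict[str, int]:
    """Congested 10 Mbps upstream on wan1 with a constructed 18 Mbps offered load."""
    demand = {"voip-traffic": 3000, "business-apps": 9000, "web-browsing": 6000}
    return allocate(10000, page_shapers(), demand)


if __name__ == "__main__":
    print(demo())
```

Under this load VoIP reaches its full 3 Mbps demand, business applications get 6 Mbps of the 9 Mbps they asked for, and web browsing is held to its 1 Mbps guarantee; the guarantee check at the top is the sanity test worth running before deploying shapers, since guarantees that add up to more than the link cannot all be honoured.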
Automation and APIs for SD-WAN Management
FortiGate SD-WAN supports extensive automation capabilities through its REST API, CLI scripts, and automation framework. These tools enable programmatic control of SD-WAN behavior, integration with external systems, and automated responses to network events.
Example REST API call to retrieve SD-WAN status:
curl -k -X GET "https://fortigate-ip/api/v2/monitor/virtual-wan/status" \
-H "Authorization: Bearer $API_TOKEN"
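Building on the curl call, here is a small Python client, added as an example and not Fortinet code, that pulls the health-check monitor and lists members that are down or meet none of their SLA targets. The endpoint /api/v2/monitor/virtual-wan/health-check and the response layout (results, then health-check name, then member name, then metrics including sla_targets_met) are stated from the author's understanding of recent FortiOS releases and should be checked against your own device's output; the SAMPLE payload is constructed, not captured.

```python
"""Pull SD-WAN health-check results over the FortiOS REST API and report members that
miss their SLA (added example, not Fortinet code).

The endpoint and response shape (results -> health-check name -> member -> metrics)
are assumptions about recent FortiOS releases; verify the field names on your device.
"""
import json
import ssl
import urllib.request
from typing import Dict, List


def fetch_health_check(fortigate: str, token: str, verify_tls: bool = True) -> dict:
    """GET the health-check monitor with a REST API token (the curl call above, in Python)."""
    url = f"https://{fortigate}/api/v2/monitor/virtual-wan/health-check"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:                       # equivalent of curl -k; keep verification on in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def sla_violations(payload: dict) -> List[Dict[str, object]]:
    """One record per (health-check, member) that is down or reports no SLA target met."""
    findings = []
    for hc_name, members in payload.get("results", {}).items():
        for member, m in members.items():
            down = m.get("status") != "up"
            if down or not m.get("sla_targets_met"):
                findings.append({
                    "health_check": hc_name, "member": member,
                    "status": m.get("status"),
                    "latency_ms": m.get("latency"), "jitter_ms": m.get("jitter"),
                    "packet_loss_pct": m.get("packet_loss"),
                })
    return sorted(findings, key=lambda f: (f["health_check"], f["member"]))


# Constructed sample in the assumed response shape (not captured from a real device).
SAMPLE = {
    "results": {
        "VoIP-SLA": {
            "wan1": {"status": "up", "latency": 38.1, "jitter": 4.2, "packet_loss": 0.0,
                     "sla_targets_met": [1]},
            "wan2": {"status": "up", "latency": 62.5, "jitter": 41.7, "packet_loss": 0.3,
                     "sla_targets_met": []},
        },
        "Google": {
            "wan1": {"status": "up", "latency": 12.0, "jitter": 1.1, "packet_loss": 0.0,
                     "sla_targets_met": [1]},
            "wan2": {"status": "down", "latency": 0.0, "jitter": 0.0, "packet_loss": 100.0,
                     "sla_targets_met": []},
        },
    }
}

if __name__ == "__main__":
    # Against a real device: payload = fetch_health_check("fortigate-ip", API_TOKEN)
    for finding in sla_violations(SAMPLE):
        print(finding)
```

Polling this endpoint from a monitoring system and alerting on the returned records gives an SLA-breach signal that is independent of the FortiGate's own logging, which is useful when a WAN fault also disrupts log delivery to FortiAnalyzer.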
Example automation stitch to adjust SD-WAN routing based on time of day:
config system automation-stitch
edit "Business-Hours-Routing"
set status enable
set trigger "Business-Hours-Start"
set action "Set-Business-Priority"
next
edit "After-Hours-Routing"
set status enable
set trigger "Business-Hours-End"
set action "Set-Cost-Priority"
next
end
config system automation-trigger
edit "Business-Hours-Start"
set trigger-type scheduled
set trigger-frequency daily
set trigger-hour 8
set trigger-minute 0
next
edit "Business-Hours-End"
set trigger-type scheduled
set trigger-frequency daily
set trigger-hour 18
set trigger-minute 0
next
end
config system automation-action
edit "Set-Business-Priority"
set action-type cli-script
set script "config system sdwan
config service
edit 1
set mode sla
next
end
end"
next
edit "Set-Cost-Priority"
set action-type cli-script
set script "config system sdwan
config service
edit 1
set mode cost
next
end
end"
next
end
This automation configuration changes SD-WAN routing behavior automatically at the start and end of business hours. During business hours, it prioritizes SLA-based routing to ensure application performance, while after hours it switches to cost-based routing to minimize expenses.
For enterprises with large SD-WAN deployments, FortiManager provides centralized management and automation at scale. FortiManager’s SD-WAN orchestrator allows administrators to:
- Deploy consistent SD-WAN configurations across hundreds or thousands of sites
- Monitor global SD-WAN health from a central dashboard
- Create and enforce SD-WAN policy templates
- Automate deployment of configuration changes network-wide
Example FortiManager CLI template. The SD-WAN template itself is built in the FortiManager GUI; a CLI template is plain FortiOS syntax in which $(name) metadata variables are substituted per device when the template is installed, and it renders the same objects:
config system sdwan
set status enable
config members
edit 1
set interface "$(wan1_intf)"
set gateway $(wan1_gw)
set source $(wan1_src)
set cost 10
next
edit 2
set interface "$(wan2_intf)"
set gateway $(wan2_gw)
set source $(wan2_src)
set cost 20
next
end
config health-check
edit "Default-Ping"
set server "8.8.8.8"
set protocol ping
set interval 1000
set failtime 5
set members 1 2
config sla
edit 1
set latency-threshold 150
set jitter-threshold 30
set packetloss-threshold 2
next
end
next
end
config service
edit 1
set name "Default-Route"
set mode sla
set dst "all"
set src "all"
set priority-members 1 2
config sla
edit "Default-Ping"
set id 1
next
end
next
end
end
This template creates a standardized SD-WAN configuration for branch offices: two members with distinct costs, one ping health check with an SLA target, and a default rule in Lowest Cost (SLA) mode that uses that target. The interface names, gateway addresses and source addresses are metadata variables whose values are set per device in FortiManager, which keeps the configuration consistent while allowing site-specific customization. Because the health check probes a public resolver, consider pointing it at a server you control (a hub-side address or the SaaS endpoint the rule actually steers) so that a third party's availability does not drive your failovers.
Performance Analysis and Troubleshooting FortiGate SD-WAN
Even with the most carefully designed SD-WAN deployment, performance issues can arise. FortiGate provides extensive tools for monitoring, analyzing, and troubleshooting SD-WAN performance.
SD-WAN Performance Monitoring
FortiGate devices collect detailed performance metrics for SD-WAN links, which can be viewed through the GUI, CLI, or exported to FortiAnalyzer for long-term analysis. Key metrics include:
- Link status and health check results
- Latency, jitter, and packet loss measurements
- Bandwidth utilization and session counts
- Application performance metrics
- SLA compliance statistics
CLI commands for SD-WAN monitoring:
# View health-check results (state, packet loss, latency, jitter) for each member
diagnose sys sdwan health-check
# View SD-WAN rules and the member each rule is currently steering traffic to
diagnose sys sdwan service
# View member interfaces, their gateways and status
diagnose sys sdwan member
# View the recent SLA history of one member interface
diagnose sys sdwan intf-sla-log wan1
# View interface counters (errors, drops) for a member link
diagnose netlink interface list wan1
On FortiOS 6.2 and earlier the same diagnostics live under diagnose sys virtual-wan-link rather than diagnose sys sdwan.
For more comprehensive analysis, FortiAnalyzer provides detailed SD-WAN performance dashboards and reports. FortiAnalyzer collects not only basic health metrics but also application-level performance data, allowing administrators to correlate SD-WAN behavior with application experience.
Common SD-WAN Issues and Solutions
Even in well-designed SD-WAN environments, several common issues can occur:
| Issue | Symptoms | Troubleshooting Steps |
|---|---|---|
| SLA misconfiguration | Traffic using suboptimal paths, unnecessary failovers | Compare the SLA thresholds with the latency, jitter and loss that diagnose sys sdwan health-check reports; loosen thresholds that are tighter than the link can sustain, and check failtime and recoverytime against the observed flap rate |
| Application detection issues | Traffic not following expected paths, applications misclassified | Confirm which rule a session matches with diagnose sys sdwan service; verify that application control signatures are current, and remember that the first packets of a session are forwarded before the application is identified, so an application-based rule only takes effect once classification completes |
| Asymmetric routing | Session failures, one-way audio in VoIP | Capture the flow with diagnose sniffer packet at verbosity 4 and compare the egress interface of requests with the ingress interface of replies; make sure source NAT and the reverse path agree with the member the rule selected |
| Bandwidth issues | Congestion, slow performance despite healthy links | Check interface counters and shaper statistics; verify that the inbandwidth and outbandwidth set on each member match the circuit and that the shaping policies match the intended sessions |
A systematic approach to troubleshooting SD-WAN issues involves:
- Verify connectivity at the physical and link layers
- Check SD-WAN health check status for each link
- Verify application identification and policy matching
- Analyze traffic flows and path selection decisions
- Review security policy enforcement and its impact on SD-WAN
For complex cases, packet captures can be invaluable. FortiGate supports detailed packet capture with filtering:
# Capture traffic to one destination on an SD-WAN member; verbosity 4 prints the interface and direction, 0 means no packet limit, a means absolute timestamps
diagnose sniffer packet wan1 "host 8.8.8.8" 4 0 a
# Capture the health-check probes themselves on every interface (the health check above uses ICMP to 8.8.8.8; adjust the filter for http, tcp-echo, udp-echo or dns probes, which use those protocols' ports)
diagnose sniffer packet any "icmp and host 8.8.8.8" 4 0 a
These captures can help identify issues with path selection, application detection, and traffic handling that might not be apparent from logs or status commands.
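The asymmetric routing row in the table above is the case where a capture beats the status commands: the health check says both links are up, yet replies arrive on a different member than the one the request left on. The following script is an added example, not code from the page or from Fortinet, that reads verbosity-4 sniffer output and reports every flow whose outbound and inbound packets never share an interface. The packet-line layout follows what verbosity 4 prints on FortiOS, but the capture in SAMPLE_CAPTURE is constructed and uses RFC 5737 documentation addresses.

```python
"""Detect asymmetric paths in FortiGate 'diagnose sniffer packet ... 4' output.

Added example, not code from the page or from Fortinet. The packet-line
layout (timestamp, interface, in/out, src -> dst: protocol text) follows
verbosity level 4 as it prints on FortiOS, but SAMPLE_CAPTURE itself is
constructed and uses RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict

# Constructed capture: a SIP-style UDP exchange whose requests leave on wan1
# while the replies come back on wan2, plus an HTTPS flow that is symmetric.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 198.51.100.7 or host 198.51.100.9]
1.000123 wan1 out 203.0.113.10.5060 -> 198.51.100.7.5060: udp 412
1.020456 wan2 in 198.51.100.7.5060 -> 203.0.113.10.5060: udp 388
1.120789 wan1 out 203.0.113.10.5060 -> 198.51.100.7.5060: udp 420
1.140012 wan2 in 198.51.100.7.5060 -> 203.0.113.10.5060: udp 390
2.000001 wan1 out 203.0.113.10.51234 -> 198.51.100.9.443: syn 1000
2.015000 wan1 in 198.51.100.9.443 -> 203.0.113.10.51234: syn 2000 ack 1001
2.015500 wan1 out 203.0.113.10.51234 -> 198.51.100.9.443: ack 2001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<info>.*)$"
)


def split_endpoint(endpoint):
    """'203.0.113.10.5060' -> ('203.0.113.10', '5060'); a bare IPv4 -> (ip, '')."""
    parts = endpoint.split(".")
    if len(parts) == 5:  # four octets plus a trailing port (TCP/UDP lines)
        return ".".join(parts[:4]), parts[4]
    return endpoint, ""


def flow_key(src, dst):
    """Direction-independent key so a request and its reply share one flow."""
    return tuple(sorted([split_endpoint(src), split_endpoint(dst)]))


def parse_capture(text):
    """Yield one dict per packet line; sniffer header lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_asymmetric_flows(text):
    """Map flow_key -> (egress interfaces, ingress interfaces) for flows whose
    outbound and inbound packets never share an interface."""
    seen = defaultdict(lambda: (set(), set()))
    for pkt in parse_capture(text):
        egress, ingress = seen[flow_key(pkt["src"], pkt["dst"])]
        (egress if pkt["dir"] == "out" else ingress).add(pkt["intf"])
    return {k: v for k, v in seen.items() if v[0] and v[1] and not (v[0] & v[1])}


if __name__ == "__main__":
    for key, (egress, ingress) in find_asymmetric_flows(SAMPLE_CAPTURE).items():
        (a_ip, a_port), (b_ip, b_port) = key
        print(f"asymmetric: {a_ip}:{a_port} <-> {b_ip}:{b_port} "
              f"out via {sorted(egress)}, replies in via {sorted(ingress)}")
```

Feed it the saved output of a capture taken on interface any with a host filter for the affected peer; a flow that shows up in the result is one where the remote side (or an upstream router) is returning traffic over a member the local rule did not choose, which is the usual cause of the one-way audio symptom.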
Optimization Strategies for Performance Tuning
After identifying performance issues, several optimization strategies can improve SD-WAN performance:
- SLA Fine-Tuning: Adjust SLA thresholds based on actual observed performance and application requirements.
- Path Steering Rules Refinement: Create more granular SD-WAN rules for specific applications or traffic patterns.
- Protocol Optimization: Enable WAN optimization for specific protocols like CIFS or HTTP.
- QoS Adjustment: Refine traffic shaping policies based on observed congestion patterns.
- Security Profile Tuning: Balance security inspection depth with performance requirements.
Example of WAN optimization configuration for a specific application. WAN optimization works between a pair of FortiGates that identify each other by host-id, so the hub needs a mirror of this configuration with the branch as its peer; the peer address below is a placeholder:
# Identify this FortiGate to its WAN optimization peers
config wanopt settings
set host-id "branch-01"
end
# Register the hub as a peer (placeholder address; use the hub's overlay IP)
config wanopt peer
edit "hq-01"
set ip 10.255.0.1
next
end
# Configure WAN optimization profiles
config wanopt profile
edit "file-sharing"
set transparent enable
config http
set status enable
set tunnel-sharing shared
# encrypt the optimization tunnel; the default tunnel is not encrypted
set secure-tunnel enable
set log-traffic enable
set port 80
end
config cifs
set status enable
set tunnel-sharing shared
set secure-tunnel enable
set log-traffic enable
set port 445
end
next
end
# Apply WAN optimization to an SD-WAN policy
config firewall policy
edit 20
set name "File-Sharing-Optimization"
set srcintf "internal"
set dstintf "virtual-wan-link"
set srcaddr "branch-network"
set dstaddr "file-servers"
set action accept
set schedule "always"
set service "CIFS" "HTTP"
set wanopt enable
set wanopt-detection active
set wanopt-profile "file-sharing"
next
end
This configuration enables protocol-specific optimization for file sharing traffic, which can significantly improve performance over high-latency WAN links. The branch side is the active detector (wanopt-detection active), and the hub side must be configured as passive for the same traffic. Two details matter in practice: tunnel-sharing takes private, shared or express-shared rather than enable, and wanopt-detection takes active, passive or off. Leave secure-tunnel enabled unless the optimization tunnel already rides inside an IPsec overlay, because an unencrypted tunnel across a broadband member exposes the file-sharing payload. WAN optimization requires a model with local storage, so check the feature support for your model and FortiOS release before planning around it. The optimization works in conjunction with SD-WAN path selection, providing multiple layers of performance enhancement.
For sites with extremely limited bandwidth, additional techniques can be employed:
- Local Internet Breakout: Route cloud and internet traffic directly to the internet rather than backhauling through central sites.
- Local DNS Caching: Reduce DNS-related latency by caching responses locally.
- Web Caching: Cache frequently accessed web content to reduce WAN utilization.
- Application Proxying: Optimize specific applications with protocol-aware proxying.
These techniques can be particularly effective in remote locations with limited connectivity, ensuring that critical business applications remain responsive even with constrained WAN resources.
Frequently Asked Questions About FortiGate SD-WAN
What makes FortiGate SD-WAN different from other SD-WAN solutions?
FortiGate SD-WAN differentiates itself through three key aspects: (1) Integrated security, where enterprise-grade security functions are built directly into the SD-WAN solution rather than being added as an overlay; (2) Hardware acceleration through custom ASICs, which enables wire-speed performance even with full security inspection enabled; and (3) Single-pane-of-glass management through FortiManager and FortiAnalyzer, providing unified visibility and control across both networking and security functions. Unlike many competitors who offer SD-WAN as a standalone solution requiring additional security products, FortiGate provides a truly converged approach called “Security-Driven Networking.”
Does FortiGate SD-WAN require dedicated hardware or can it run on existing FortiGate firewalls?
FortiGate SD-WAN functionality is included in the base FortiOS software that runs on all FortiGate hardware and virtual appliances, requiring no additional licenses to enable core SD-WAN features. This means existing FortiGate deployments can be upgraded to provide SD-WAN functionality without hardware replacement. However, for optimal performance in larger deployments, models with more interfaces and higher processing power are recommended. Models equipped with Fortinet’s custom SPUs (Security Processing Units) will provide significantly better performance for SD-WAN deployments that require both advanced routing and comprehensive security inspection.
How does FortiGate SD-WAN handle encrypted traffic and ensure security?
FortiGate SD-WAN includes deep SSL/TLS inspection capabilities that allow it to decrypt, inspect, and re-encrypt encrypted traffic. This inspection is accelerated by dedicated hardware in most physical FortiGate models, enabling high-performance security inspection without significant performance degradation. The FortiGate can perform multiple security functions on both encrypted and unencrypted traffic, including intrusion prevention, antivirus scanning, web filtering, and data loss prevention. For privacy-sensitive traffic, administrators can create selective decryption policies that bypass inspection for specific categories like healthcare or financial services while still inspecting other traffic.
What is the recommended deployment model for large multi-site enterprises using FortiGate SD-WAN?
For large enterprises with multiple sites, Fortinet recommends a hub-and-spoke deployment model with regional hubs. In this architecture, branch locations connect to regional hub sites via secure VPN tunnels, while the regional hubs connect to each other in a partial mesh. This approach balances performance and manageability while providing redundancy. Regional hubs typically use larger FortiGate models like the 1000 or 2000 series, while branches can use smaller models appropriate for their bandwidth requirements. FortiManager provides centralized management and zero-touch deployment capabilities, making it easier to manage hundreds or thousands of sites. For maximum visibility, FortiAnalyzer should be deployed to collect performance metrics, security logs, and application telemetry across the entire SD-WAN.
Can FortiGate SD-WAN integrate with cloud environments like AWS, Azure, and GCP?
Yes, FortiGate SD-WAN fully supports cloud integration through virtual appliance deployments in major public clouds including AWS, Azure, GCP, Oracle Cloud, and Alibaba Cloud. These virtual FortiGates can serve as SD-WAN hubs or endpoints, extending the SD-WAN fabric into cloud environments. FortiGate supports cloud-specific features like auto-scaling groups, high-availability pairs, and integration with cloud load balancers. Additionally, FortiGate’s SD-WAN can optimize traffic to SaaS applications through direct internet access with local breakout, reducing latency compared to backhauling through a data center. For hybrid and multi-cloud deployments, FortiGate SD-WAN provides consistent security policies and operational models across on-premises and cloud environments.
What licensing model does FortiGate SD-WAN use?
Core SD-WAN functionality is included in the base FortiOS software at no additional cost. However, to enable advanced security features within the SD-WAN deployment, a Unified Threat Protection (UTP) or Enterprise Protection bundle license is recommended. These security bundles activate features like IPS, antivirus, web filtering, and application control. For organizations requiring advanced SD-WAN management and analytics, FortiManager and FortiAnalyzer licenses are required. Virtual FortiGate appliances for cloud deployments use either BYOL (Bring Your Own License) or pay-as-you-go licensing models available through cloud marketplaces. For managed service offerings, Fortinet offers Overlay-as-a-Service (OaaS) with consumption-based pricing for simplified deployments.
How does FortiGate SD-WAN support remote and mobile workers?
FortiGate SD-WAN supports remote and mobile workers through several complementary technologies: (1) FortiClient integrates with the SD-WAN infrastructure to provide secure remote access with Split-Tunnel VPN, ensuring that cloud applications can be accessed directly while private applications go through the corporate network; (2) ZTNA (Zero Trust Network Access) capabilities allow application-level access control regardless of user location; (3) FortiExtender cellular gateways provide LTE/5G connectivity for small offices or home offices, extending the SD-WAN to remote locations; and (4) FortiSASE (Secure Access Service Edge) extends security policies to users anywhere through cloud-delivered security services. Together, these technologies ensure that remote users receive the same level of performance optimization and security protection as office locations.
What performance metrics should be monitored in a FortiGate SD-WAN deployment?
For comprehensive monitoring of FortiGate SD-WAN, several key metrics should be tracked: (1) Link health metrics including latency, jitter, packet loss, and bandwidth utilization for each SD-WAN member interface; (2) Application performance metrics showing response times and transaction success rates for critical applications; (3) SLA compliance statistics indicating how often each link meets defined performance thresholds; (4) Routing decisions and link selection statistics showing which paths are being used for different traffic types; (5) Security event correlation with network performance to identify potential attacks affecting SD-WAN operation; and (6) WAN optimization statistics if this feature is enabled. FortiAnalyzer provides pre-built dashboards for these metrics, while the FortiGate GUI offers real-time monitoring capabilities through its SD-WAN monitoring page.
How does FortiGate SD-WAN fit into Fortinet’s SASE strategy?
FortiGate SD-WAN serves as the foundation for Fortinet’s Secure Access Service Edge (SASE) strategy. In Fortinet’s approach, SD-WAN provides the intelligent network connectivity layer that integrates with cloud-delivered security services. This integration happens through several components: (1) FortiClient extends SD-WAN capabilities to remote users, providing consistent access regardless of location; (2) FortiSASE delivers cloud-based security services including CASB, SWG, and ZTNA; (3) FortiManager provides unified policy management across both on-premises and cloud-delivered services; and (4) FortiGuard Labs provides threat intelligence that is consistent across the entire security fabric. This approach allows organizations to evolve gradually from traditional networking to SASE without requiring a complete infrastructure replacement, protecting existing investments in FortiGate hardware while adding cloud-delivered capabilities.
What are the hardware requirements for deploying FortiGate SD-WAN in branch offices?
The hardware requirements for branch office FortiGate SD-WAN deployments depend primarily on three factors: (1) The aggregate bandwidth across all WAN connections; (2) The security inspection requirements (deeper inspection requires more processing power); and (3) The number of concurrent sessions expected. For small branches with 50-100Mbps of combined WAN bandwidth, a FortiGate 40F or 60F is typically sufficient. Medium branches with 100-500Mbps may require a FortiGate 100F or 200F series. Larger branches with gigabit requirements would need FortiGate 300F or higher models. For branches requiring high availability, redundant FortiGates should be deployed in an active-passive or active-active cluster. Additionally, SD-WAN deployments often benefit from FortiSwitch and FortiAP devices that extend the security fabric to LAN and wireless networks, creating a comprehensive Secure SD-Branch solution.
References and Further Reading