Fortinet SD-WAN


Long-time cybersecurity vendor, Fortinet, has introduced Secure SD-WAN, an SD-WAN appliance with built-in security. We recently had the opportunity to chat with the Fortinet team about the solution and here are some of the insights we gained.

Secure SD-WAN comes in a range of form factors from the FortiGate/FortiWiFi 30E at the low end (35 Mbits/s VPN throughput) to the FortiGate 300E at the high end (20 Gbits/s VPN throughput). Virtual appliances are also available. The SD-WAN capabilities are provided in a software upgrade, version 6.2 of FortiGate, and at no cost to existing Fortinet customers.

The solution doesn’t seem to be as integrated as other SD-WANs and requires buying into the Fortinet environment. Thus adopting Fortinet’s Secure SD-WAN involves deploying a range of additional Fortinet solutions:

    • FortiDeploy is needed to configure and deploy the SD-WAN
    • FortiManager manages up to 100,000 Fortinet devices
    • FortiGate is the actual NGFW and SD-WAN CPE

There are also several additional security, SIEM, and authentication platforms. The presence of a complete solution is, I believe, in principle a “good” thing for most organizations. There will be those that prefer to mix-and-match third-party products or consider a secure SD-WAN that was built with SD-WAN in mind, right from the start.

Security and SD-WAN Together

Secure SD-WAN is part of the growing trend of solutions that integrate security and SD-WAN. Like other SD-WAN appliances, Fortinet Secure SD-WAN is transport agnostic. It uses the Internet (or any other available transport) to construct the SD-WAN.

In terms of networking, Fortinet provides the usual suite of SD-WAN features including active/active for utilizing all capacity of multiple Internet connections, application awareness, traffic steering, and zero-touch provisioning. In addition, Fortinet has included advanced capabilities, such as forward error correction (FEC) to compensate for packet loss and WAN optimization capabilities to improve throughput.

On the security front, Fortinet’s Secure SD-WAN solution also includes a next-generation firewall (NGFW). Users can establish secure VPN overlays between sites. With Fortinet’s Secure SD-WAN solution, customers also get threat protection and threat detection capabilities, as well as IPS, web filtering, sandboxing and SSL inspection. Because Fortinet delivers SD-WAN in its FortiGate Next-Generation Firewalls, existing customers can simply upgrade their software and get a complete SD-WAN stack right at their branch within minutes. Management for both network and security is through a single pane of glass. However, for customers that do not have Fortinet in place already, installing its platform for SD-WAN is quite a bit more complex than adopting a platform from a company that built it as SD-WAN from the start.

Performance is Key

Traditionally, one of the major problems of running networking and security in a single appliance has been the performance impact. As traffic levels grow, more CPU cycles are needed to inspect and, with encrypted traffic, decrypt the traffic. The result is that all too often organizations need to upgrade appliances or inspect less traffic.

Fortinet says it’s addressed this problem with the industry’s first SD-WAN ASIC. The company’s SOC4 application-specific integrated circuit (ASIC) enables what Fortinet claims is the fastest application steering in the industry. This includes SSL/TLS inspection with “the lowest” possible performance degradation. Additional related features include WAN path remediation, tunnel bandwidth aggregation, and automatic failover capabilities. Note: SASE Experts has not yet tested the SOC4 to verify these claims.

With the SOC4, Fortinet can deliver fast SD-WAN security performance. This includes acceleration for responsive overlay VPN and a better overall WAN user experience across the enterprise. Fortinet claims that its cloud overlay controller orchestration, powered by the company’s 360 Protection Bundle subscription service, simplifies overlay VPN deployment with cloud-based automated provisioning.

Fortinet Secure SD-WAN uses “first-packet identification” to intelligently identify applications on the very first packet of data traffic. It’s a claim similar to what we’ve seen from other vendors, most notably Silver Peak. The broad application awareness helps network teams see which applications are being used across the enterprise, enabling them to make well-informed decisions regarding SD-WAN policies. Fortinet claims its Secure SD-WAN references an application control database of over 5,000 applications, a number that grows as both the threat landscape and digital network evolve.

Being application aware opens the doors to automated path intelligence—prioritizing routing across network bandwidth based on the specific application and user. Offering a per-application level SLA, Fortinet Secure SD-WAN automated path intelligence dynamically selects the best WAN link/connection for the situation.

The Bottom Line

We’re excited to see Fortinet enter the SD-WAN space. The integration of security and SD-WAN is critical, and having the security expertise of a leader like Fortinet is no doubt a plus. Requiring a broad Fortinet infrastructure is something to keep in mind when evaluating their SD-WAN solution. As mentioned, SD-WAN functionality is offered in version 6.2, which has not been on the market long enough to prove itself. But for companies with Fortinet firewalls already in place, or considering Fortinet as a security platform, their SD-WAN makes them worth considering in your evaluation process.
