Fortinet has integrated SD-WAN into its leading NGFW platform (FortiGate) since 2015. Since then it has grown into a leading SD-WAN solution recognized by Gartner and others. I especially like the flexibility it offers to customers. Whether you have a single site with multiple internet links or 1000 sites around the globe with different setups, this is the tool to build a solution that fits your needs.

Many customers are looking into replacing their expensive MPLS networks with a cost-effective SD-WAN solution. In this blog post I would like to show the basics of building a large-scale SD-WAN topology with Fortinet. The focus is on automation and zero touch deployment, because with 1000 sites, doing it manually is not feasible.

Please note: The following is not a complete tutorial but it shows the concepts which you can use.


The topology

Our example topology consists of two regions (EMEA / APAC), each served by a single hub (multiple hubs per region would work as well). The spokes (branches) connect to their regional hub with multiple VPN tunnels, one per WAN link. In this example “Spoke1” is connected to “Hub1” over two different internet links; “Spoke2” also has two internet links plus an additional 5G connection. Within a region we use an ADVPN (Auto-Discovery VPN) setup: the base topology is hub-and-spoke, but when two spokes start talking to each other via the hub, the hub sends a shortcut message to both spokes, and the spokes dynamically bring up a temporary VPN tunnel directly between them. Traffic between the regions is routed over the VPN tunnels between the hubs. Internet traffic breaks out locally at the spokes and is not routed over the hubs. Obviously the topology depends heavily on the customer and is defined in the concept phase of the project.

Figure: Large Scale Automated SD-WAN with Fortinet (topology diagram)

Using scripts and templates

The whole setup is defined and configured in the FortiManager, which serves as central management for the whole environment. To make everything automated and flexible, we use templates and scripts. These templates and scripts are assigned to device groups. For instance, we have a group for devices with two internet links and another group for devices with two internet links and an additional 5G connection. In large projects we would usually define a few profiles (e.g. Bronze / Silver / Gold). Different locations get different profiles, but within a profile the setup is standardized to keep the operational overhead small.

To configure everything, we will use the following templates in the FortiManager:

System Templates

  • used to configure basic system settings (e.g. DNS or NTP settings).

Certificate Templates

  • used to automatically enroll a certificate on each device; the VPN tunnels use these per-device certificates for IKE authentication, so there is no shared pre-shared key that every site would have to know.

Static Route Templates

  • used to configure the necessary static routes. In our case a default route that points to the SD-WAN zone, so the SD-WAN rules decide which member link carries the traffic.

SD-WAN Templates

  • used to configure the traffic rules and SLA monitoring of the available paths.

CLI Templates

  • used to configure everything we did not handle in a dedicated template. In our case this contains the interface and BGP configuration. For BGP we could also use a BGP template, but I decided to do it in the CLI script.
  • We are using Jinja CLI templates, introduced in FortiManager 7.0.1, because they are more flexible and easier to read than the legacy TCL scripts.
  • In the scripts we use variables read from the device meta fields configured in the FortiManager, so one generic script serves all devices.

 

An example of a Jinja script would be:

config system interface
  {% for i in project.profiles[profile].interfaces %}
  edit "{{ i.name }}"
    {% if i.ip == 'dhcp' %}
    set mode dhcp
    {% elif i.ip %}
    set mode static
    set ip {{ i.ip }}
    {% endif %}
    {# Add bandwidth estimates only for WAN interfaces with the meta field set;
       add shaping and in/outbandwidth only if a shaping profile is defined as well #}
    {% if i.role == 'wan' and i.outbandwidth is defined %}
    set estimated-upstream-bandwidth {{ i.outbandwidth }}
      {% if i.shaping_profile is defined %}
      set outbandwidth {{ i.outbandwidth }}
      set egress-shaping-profile {{ i.shaping_profile }}
      {% endif %}
    {% endif %}
    {% if i.role == 'wan' and i.inbandwidth is defined %}
    set estimated-downstream-bandwidth {{ i.inbandwidth }}
      {% if i.shaping_profile is defined %}
      set inbandwidth {{ i.inbandwidth }}
      set ingress-shaping-profile {{ i.shaping_profile }}
      {% endif %}
    {% endif %}
    set allowaccess ping
  next
  {% endfor %}
end

This automatically configures all interfaces of a device according to its profile and the meta fields set on the device in the FortiManager.
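To see what the FortiManager will generate for a profile before 1000 devices receive it, the template can be rendered offline with the jinja2 library using the same `project` / `profile` data model the script above indexes. The block below is an added example and not part of the original post: the profile dictionary and interface values are constructed, `project` and `profile` are assumed to be the template variable and the device meta field the script reads, and the checks after rendering (management services enabled on a WAN link, WAN members whose bandwidth meta fields were left empty) are my own additions.

```python
"""Render the post's interface template offline with the same data model the
FortiManager meta fields provide, then check the output before it is pushed.
Added example (not from the original post); needs the jinja2 package. The
profile data below is constructed: 'project' is the variable the post's
template indexes and 'profile' is the per-device meta field."""
from jinja2 import Environment, StrictUndefined

# The post's template, unchanged apart from whitespace control.
INTERFACE_TEMPLATE = """\
config system interface
{% for i in project.profiles[profile].interfaces %}
  edit "{{ i.name }}"
{% if i.ip == 'dhcp' %}
    set mode dhcp
{% elif i.ip %}
    set mode static
    set ip {{ i.ip }}
{% endif %}
{% if i.role == 'wan' and i.outbandwidth is defined %}
    set estimated-upstream-bandwidth {{ i.outbandwidth }}
{% if i.shaping_profile is defined %}
    set outbandwidth {{ i.outbandwidth }}
    set egress-shaping-profile {{ i.shaping_profile }}
{% endif %}
{% endif %}
{% if i.role == 'wan' and i.inbandwidth is defined %}
    set estimated-downstream-bandwidth {{ i.inbandwidth }}
{% if i.shaping_profile is defined %}
    set inbandwidth {{ i.inbandwidth }}
    set ingress-shaping-profile {{ i.shaping_profile }}
{% endif %}
{% endif %}
    set allowaccess ping
  next
{% endfor %}
end
"""

# Constructed profiles: two internet links, and two links plus 5G (as in the post).
PROJECT = {"profiles": {
    "two-internet": {"interfaces": [
        {"name": "wan1", "role": "wan", "ip": "dhcp", "outbandwidth": 50000,
         "inbandwidth": 200000, "shaping_profile": "branch-shaping"},
        {"name": "wan2", "role": "wan", "ip": "dhcp", "outbandwidth": 20000,
         "inbandwidth": 100000},  # no shaping profile on the backup link
        {"name": "lan", "role": "lan", "ip": "192.168.10.1 255.255.255.0"},
    ]},
    "two-internet-5g": {"interfaces": [
        {"name": "wan1", "role": "wan", "ip": "203.0.113.10 255.255.255.248",
         "outbandwidth": 100000, "inbandwidth": 100000, "shaping_profile": "branch-shaping"},
        {"name": "wan2", "role": "wan", "ip": "dhcp", "outbandwidth": 20000,
         "inbandwidth": 100000},
        {"name": "wwan", "role": "wan", "ip": "dhcp"},  # 5G: bandwidth meta fields forgotten
        {"name": "lan", "role": "lan", "ip": "192.168.20.1 255.255.255.0"},
    ]},
}}

# allowaccess services that must never be reachable from an internet-facing link
MANAGEMENT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}


def render_interfaces(profile: str, project: dict = PROJECT) -> str:
    """Render the template for one profile. StrictUndefined makes a misspelled
    meta field or an unknown profile fail the render instead of emitting nothing."""
    env = Environment(trim_blocks=True, lstrip_blocks=True, undefined=StrictUndefined)
    return env.from_string(INTERFACE_TEMPLATE).render(project=project, profile=profile)


def parse_interfaces(rendered: str) -> dict:
    """Minimal parser for a rendered 'config system interface' block:
    returns {interface name: {setting: value}}."""
    result, current = {}, None
    for line in rendered.splitlines():
        line = line.strip()
        if line.startswith('edit "'):
            current = line[6:-1]
            result[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            result[current][key] = value
    return result


def lint_wan(rendered: str, wan_names: set) -> list:
    """Checks to run before 1000 devices receive this config: management
    services reachable on a WAN link, and WAN links without the bandwidth values
    SD-WAN relies on (an 'is defined' guard silently skipping a block)."""
    findings = []
    for name, settings in parse_interfaces(rendered).items():
        if name not in wan_names:
            continue
        exposed = set(settings.get("allowaccess", "").split()) & MANAGEMENT_SERVICES
        if exposed:
            findings.append(f"{name}: management exposed on WAN ({' '.join(sorted(exposed))})")
        if "estimated-upstream-bandwidth" not in settings:
            findings.append(f"{name}: no estimated-upstream-bandwidth (meta field missing?)")
    return findings
```

Rendering with `StrictUndefined` turns a misspelled meta-field name or an unknown profile into a render error, whatever the FortiManager's own renderer would do with it. The `is defined` guards in the template are deliberate, but they also mean a forgotten bandwidth meta field does not fail the render; it silently produces a WAN member without bandwidth figures, which is what the lint reports for the 5G interface of the second profile.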


Zero Touch Provisioning (ZTP)

If you want to deploy a large number of sites, you probably do not want to do it manually or prepare the devices beforehand. Therefore we use zero touch provisioning to automate the process. There are various options for this; the easiest for our setup is probably Fortinet's ZTP cloud. You register the serial number of your FortiGate and assign it to a FortiManager (IP / FQDN). When the device boots up without a configuration, it connects to the ZTP cloud and fetches the address of its FortiManager. It then connects to that FortiManager (FGFM, TCP 541) and tries to register.

Before or while the device is shipped to the location, you register a so-called model device in the FortiManager, identified by the serial number. You put that model device into the correct device groups according to its profile and set the meta fields that our scripts use to build the configuration.

As soon as the device comes online and connects to the FortiManager, the FortiManager pushes the device configuration (templates and CLI scripts) to the device and installs the policy package. After a few minutes the device is ready and starts working. The new location is integrated automatically into your SD-WAN.

The same process is used to replace failed devices.
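The model-device step is the one that scales worst when done by hand, and the FortiManager exposes it through its JSON-RPC API. The block below is an added example, not from the original post: it builds the request bodies that create one model device per row of a site inventory, sets the meta fields the templates read, and adds each device to the device group for its profile. The inventory, the profile and group names, the meta-field names and the region-to-hub mapping are all constructed for the example; the request shapes follow the FortiManager JSON-RPC calls as I know them (`/dvm/cmd/add/device` with `"device action": "add_model"`, and the device group `object member` URL) and should be checked against the API reference for your release. Nothing is sent unless `send()` is called with a session token obtained from `/sys/login/user`.

```python
"""Pre-register model devices for ZTP from a site inventory via the
FortiManager JSON-RPC API. Added example, not from the original post; the
inventory columns, profile/group names, meta-field names and hub mapping are
constructed, and the request shapes should be verified against the API
reference for your FortiManager release."""
import csv
import json
import re
import urllib.request

# Profile -> device group that carries the matching templates/scripts (assumed names)
PROFILE_GROUPS = {"two-internet": "grp-2xInternet", "two-internet-5g": "grp-2xInternet-5G"}
# Region -> regional hub a spoke builds its tunnels to (meta field for the VPN/BGP script)
REGION_HUB = {"EMEA": "Hub1", "APAC": "Hub2"}
SERIAL_RE = re.compile(r"^[A-Z0-9]{16}$")  # typical FortiGate serial length; assumption

# Constructed site list, as exported from the project's inventory
INVENTORY_CSV = """\
serial,hostname,region,profile,lan_subnet
FGT60FTK21000001,Spoke1,EMEA,two-internet,10.10.1.0/24
FGT60FTK21000002,Spoke2,EMEA,two-internet-5g,10.10.2.0/24
FGT60FTK21000003,Spoke3,APAC,two-internet,10.20.3.0/24
"""


def parse_inventory(csv_text: str) -> list:
    return list(csv.DictReader(csv_text.splitlines()))


def validate_inventory(rows: list) -> list:
    """Return problems (empty list = usable). The model device is matched to the
    physical box by serial number alone, so a typo or duplicate means a site's
    configuration and meta fields land on the wrong device."""
    problems, seen = [], set()
    for r in rows:
        if not SERIAL_RE.match(r["serial"]):
            problems.append(f"{r['hostname']}: malformed serial {r['serial']!r}")
        if r["serial"] in seen:
            problems.append(f"{r['hostname']}: duplicate serial {r['serial']}")
        seen.add(r["serial"])
        if r["profile"] not in PROFILE_GROUPS:
            problems.append(f"{r['hostname']}: unknown profile {r['profile']!r}")
        if r["region"] not in REGION_HUB:
            problems.append(f"{r['hostname']}: unknown region {r['region']!r}")
    return problems


def model_device_request(row: dict, adom: str, req_id: int) -> dict:
    """Body for /dvm/cmd/add/device creating a model device plus the meta fields
    the Jinja CLI templates read (they must exist as meta-field definitions)."""
    return {"id": req_id, "method": "exec", "params": [{
        "url": "/dvm/cmd/add/device",
        "data": {"adom": adom, "flags": ["create_task", "nonblocking"],
                 "device": {"name": row["hostname"], "sn": row["serial"],
                            "device action": "add_model", "mgmt_mode": "fmg",
                            "os_type": "fos", "os_ver": "7.0", "mr": 0,
                            "meta fields": {"profile": row["profile"],
                                            "region": row["region"],
                                            "hub": REGION_HUB[row["region"]],
                                            "lan_subnet": row["lan_subnet"]}}}}]}


def group_member_request(row: dict, adom: str, req_id: int) -> dict:
    """Body that adds the model device to its profile's device group, which is
    what binds the templates and CLI scripts to it."""
    group = PROFILE_GROUPS[row["profile"]]
    return {"id": req_id, "method": "add", "params": [{
        "url": f"/dvmdb/adom/{adom}/group/{group}/object member",
        "data": [{"name": row["hostname"], "vdom": "root"}]}]}


def build_requests(csv_text: str, adom: str = "root") -> list:
    """Validate the inventory, then return the ordered request bodies."""
    rows = parse_inventory(csv_text)
    problems = validate_inventory(rows)
    if problems:
        raise ValueError("inventory rejected:\n" + "\n".join(problems))
    out = []
    for n, row in enumerate(rows):
        out.append(model_device_request(row, adom, 2 * n + 1))
        out.append(group_member_request(row, adom, 2 * n + 2))
    return out


def send(fmg_url: str, session: str, request: dict) -> dict:
    """POST one body to <fmg_url>/jsonrpc with a session token obtained from
    /sys/login/user. Not called here; the example stays offline."""
    body = json.dumps(dict(request, session=session)).encode()
    req = urllib.request.Request(fmg_url + "/jsonrpc", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

The inventory validation is the security-relevant part: the serial number is the only thing that ties a model device (and with it a site's meta fields, groups and policy package) to the box that eventually registers, so the inventory should be reviewed like configuration, and the whole batch is rejected rather than partially applied when one row is wrong.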


Benefits of Fortinet SD-WAN

Some of the benefits of using the SD-WAN from Fortinet:

  • SD-WAN built on top of the leading NGFW solution (not the other way around)
  • SD-WAN and NGFW on the same hardware, so you buy and deploy fewer devices
  • Very flexible solution that you adapt to your needs: you define the design, not the vendor.
  • “license free” with FortiGate devices: if you already have FortiGates in place, you can just start using SD-WAN for free.

If you are interested in more details, please get in touch. We can also show you the whole setup and environment in a live demo.



The_Unicorn

The_Unicorn is Principal Security Engineer at AVANTEC. He is particularly fond of the solutions from Check Point, Fortinet and Vectra. The_Unicorn studied computer science. Besides IT security, his passion is football.
