The Network

Leader’s Guide to
Secure SD-WAN
Security-driven Networking Delivers
Comprehensive WAN Edge
Table of Contents

Executive Overview 3

Introduction 4

Which Way to SD-WAN? 6

Fortinet Delivers Best-of-Breed SD-WAN 7

Security-driven Networking 14

In a Volatile SD-WAN Market, Fortinet Is the Safe Bet 15

Executive Overview
Digital innovation, such as cloud on-ramping of Software-as-a-Service (SaaS) applications and Infrastructure-as-a-Service
(IaaS), is helping to propel revenues and efficiencies for distributed businesses. However, the increased traffic demands
of these technologies greatly increase the cost and performance bottlenecks of multiprotocol label switching (MPLS)
connectivity over traditional wide area network (WAN) infrastructures. Most network engineering and operations leaders,
as a result, are now looking to replace their outdated WAN infrastructures with some form of software-defined wide area
networking (SD-WAN). Tens of thousands of customers are choosing FortiGate Secure SD-WAN, which delivers both
networking and security capabilities in a unified solution. It supports application performance, consolidated management,
and advanced protection against threats.

3
Introduction
While selecting the right SD-WAN solution for a specific implementation may require a few compromises, security
should not be one of them. There are several options for combining SD-WAN networking and advanced security—but
only one solution can truly be called Secure SD-WAN. Fortinet, the most trusted name in network security, has added
best-of-breed SD-WAN capabilities to its industry-leading FortiGate next-generation firewalls (NGFWs). FortiGate
NGFWs featuring Secure SD-WAN provide optimal performance for business-critical Software-as-a-Service (SaaS)
applications as well as digital voice and video tools. At the same time, they help protect organizations against the
latest risk exposures and evolving sophisticated attacks.

4
IDC predicts that worldwide
SD-WAN infrastructure and services
revenue will see a compound annual
growth rate (CAGR) of over 40% to
reach $4.5 billion by 2022.1

5
Which Way to SD-WAN? in combination with SD-WAN to address security issues,
as branches are directly exposed to the internet via
SD-WAN offers the ability to use available WAN services broadband connections with SD-WAN. To address
more effectively and economically—giving users across these business requirements, organizations need a
distributed organizations the freedom to better engage comprehensive SD-WAN offering—FortiGate Secure
customers, optimize business processes, and innovate. SD-WAN, the only one with built-in security and the
It also makes WAN management more cost-effective, performance capabilities an SD-WAN deployment requires.
which is why SD-WAN solutions will continue to be a
robust growth market for the foreseeable future.

To answer this demand, there have been many SD-WAN

solutions introduced in the last few years. But not all of
them are created equal.

SD-WAN experts and industry analysts say that the

optimal SD-WAN for an enterprise depends on the
organization’s application performance requirements,
security priorities, and IT skill sets. It is also widely
recommended that companies use an NGFW solution

6
Fortinet Delivers Best-of-Breed SD-WAN
FortiGate Secure SD-WAN replaces separate WAN Application Awareness for Improved Service Levels
routers, WAN optimization, and security devices such
as firewalls and secure web gateways (SWGs) with a FortiGate Secure SD-WAN is powered by the new SOC4
single FortiGate NGFW. This provides industry-best application-specific integrated circuit (ASIC), which provides
faster application steering and unrivaled application identification
performance with capabilities that include application
performance). This includes deep secure sockets layer (SSL)/
awareness, automated path intelligence, and WAN
transport layer security (TLS) inspection with the lowest possible
overlay support for VPN. FortiGate Secure SD-WAN performance degradation. Encryption inspection capabilities
delivers security-driven networking for branch networks also include the ability to inspect the packet in order for
with outstanding performance enabled by fast application the SD-WAN solution to correctly route the traffic.
identification and automated path intelligence.
Technically, SD-WAN works by routing applications
over the most efficient WAN connection at any point in
time. To ensure optimal application performance, SD-
FortiGate Secure SD-WAN Delivers: WAN solutions must be able to identify a broad range of
§§Fast application identification applications and apply routing policies at a very granular
level. Without these capabilities, SaaS applications, video,
§§Enhanced application accuracy and performance
and voice can slow and impede end-user productivity.
§§Application database updates from FortiGuard
Labs research To address these issues, FortiGate Secure SD-WAN uses
an application control database with the signatures of more
than 5,000 applications (plus regular updates from FortiGuard
Labs threat intelligence services). FortiGate Secure SD-WAN
identifies and classifies applications—even encrypted
cloud application traffic—from the very first packet.

7
FortiGate Secure SD-WAN
automatically recognizes and
optimally routes over 5,000
applications.

8
FortiGate NGFWs can be set to recognize applications When it comes to WAN efficiencies, key capabilities in
by business criticality. Business-critical applications FortiGate Secure SD-WAN include:
(e.g., Office 365, Salesforce, SAP), general productivity
applications (e.g., Dropbox), and social media (e.g., Automated path intelligence. Application awareness

Twitter, Instagram) can be given different routing priorities. enables prioritized application routing across network

Unique policies can be applied at a deeper level for sub- bandwidth based on the specific application and user.

applications (e.g., Word or OneNote within Office 365). The new SOC4 ASIC gives FortiGate Secure SD-WAN

This deep and broad application-level visibility into traffic the fastest application steering in the industry. SD-WAN

patterns and utilization offers a better position to allocate service-level agreements (SLAs) are easily defined by

WAN resources according to business needs. dynamically selecting the best WAN connection for the
specific business circumstances. For low- to medium-
Effortless WAN Efficiency priority applications, organizations can specify the quality
criteria, and the FortiGate will select the corresponding
FortiGate Secure SD-WAN greatly simplifies the process link. For high-priority and business-critical applications,
of transforming legacy WAN edge infrastructures to organizations can define strict SLAs based on a
provide enhanced application performance, a better user combination of jitter, packet loss, and latency metrics
experience, and improved security. Once WAN policies
are set based on application criticality, performance WAN overlay. Responsive overlay VPN capabilities
requirements, security policies, and other considerations, enable a better overall WAN experience for branch users.
the FortiGate Secure SD-WAN solution takes over Cloud overlay controller orchestration, powered by
from there. FortiGate NGFWs featuring the SOC4 ASIC 360 Protection Bundle subscription services, simplifies
deliver 10 times faster security performance than the overlay VPN deployment with cloud-based automated
competition.2 provisioning.

9
Automatic failover. Multi-path technology can Tunnel bandwidth aggregation. For applications that
automatically fail over to the best available link when the require greater bandwidth, FortiGate Secure SD-WAN
primary WAN path degrades. This automation is built into enables per-packet load balancing and delivery by combining
the FortiGate NGFW, which reduces complexity for end- two overlay tunnels to maximize network capacity.
users while improving their experience and productivity.
Simplified Management and Industry-Best TCO
WAN path remediation. WAN path remediation utilizes
Network engineering and operations leaders are often
forward error correction (FEC) to overcome adverse WAN
in a quandary when it comes to deploying SD-WAN
conditions such as poor or noisy links. This enhances
edge devices to their numerous remote sites and branch
data reliability and delivers a better user experience for
offices. Truck rolls are expensive, and technical staff is
applications like voice and video services. FEC adds
often limited. On the other hand, shipping fully configured
error correction data to the outbound traffic, allowing
devices is not secure. Also, once edge devices are
the receiving end to recover from packet loss and other
deployed, staff must manage both the WAN optimization
errors that occur during transmission. This improves the
functions and security functions, often from two different
quality of real-time applications.
interfaces. FortiGate Secure SD-WAN solves both
deployment and the management problems to reduce
total cost of ownership (TCO).

10
In NSS Labs’ 2019 SD-WAN Group
Test Results, FortiGate Secure
SD-WAN received a second straight
“Recommended” rating—earning
the lowest total cost of ownership
(TCO) rating and highlighting its
quick zero-touch provisioning
for efficient operations. 3

11
Zero-touch deployment. FortiGate Secure SD-WAN’s For users who need secure communications over the
simplified deployment capabilities allow enterprises to public internet links, VPNs can be set up with just
ship unconfigured FortiGate NGFW appliances to each one click. All this saves time and simplifies SD-WAN
remote site. When plugged in, the FortiGate automatically administration (on-premises or via the cloud), alleviating
connects to the FortiDeploy service in FortiCloud. Within pressure on lean network teams. Fortinet offers one of
seconds, FortiDeploy authenticates the remote device the only solutions that can manage SD-WAN networking,
and connects it to a central FortiManager system. security, and access layer controls from the same
management console.
Single-pane-of-glass management. FortiManager
enables centralized visibility of all deployed Secure TCO. FortiGate Secure SD-WAN delivers industry-leading
SD-WAN-enabled FortiGate NGFWs across the TCO per Mbps—along with zero-touch provisioning of
distributed organization. Highly intuitive visualizations new branches under six minutes.4 The move to public
make it easy to monitor both the physical and logical broadband means that expensive MPLS connections
network topologies at a high level and drill down when can be replaced with more cost-effective options. With
needed to investigate any issues. Administrators can the Fortinet transport-agnostic solution, enterprises
update and disseminate corporate WAN policies to all can utilize the entire available bandwidth by using the
locations or reconfigure individual devices. connections in active-active mode.

12
For the second year in a row,
FortiGate Secure SD-WAN delivers
industry-best TCO, according to
NSS Labs testing.5

13
Security-driven Networking §§High WAN performance for cloud applications,
featuring exceptional VPN overlay performance for
Fortinet enables best-of-breed, certified SD-WAN that is superior user experience and low latency7
both high-performance and protected. FortiGate NGFWs
Secure SD-WAN-enabled FortiGate NGFWs also monitor
featuring the SOC4 ASIC deliver the fastest SD-WAN security
firewall rules and policies and highlight best practices to
performance in the industry. In NSS Labs’ 2019 “Software-
Defined Wide Area Networking Test Report,” Fortinet improve the organization’s overall security posture. This
helps to simplify compliance with security standards as
received a second straight “Recommended” rating.6
well as privacy laws and industry regulations. Automated
Specifically, FortiGate Secure SD-WAN has robust auditing and reporting workflows save staff hours while
SD-WAN threat protection, including Layer 3 through reducing the risk of omissions and errors.
Layer 7security controls not commonly found in other
SD-WAN-plus-firewall solutions: Enabling the SD-Branch
§§Complete threat protection, including firewall, antivirus,
Many enterprise branches are deciding to simultaneously
intrusion prevention system (IPS), and application control replace both their WAN and LAN devices in favor of a
§§High-throughput secure sockets layer (SSL)/transport solution with deeper integration and simplified branch
layer security (TLS) deep-packet encryption inspection operations management. Using separate WAN and
with minimal performance degradation, ensuring that LAN infrastructures increases branch complexity; there
are more devices to deploy and update with multiple
organizations do not sacrifice throughput for complete
management consoles. It also reduces visibility and
threat protection
control of operations while increasing the opportunities
§§Web filtering to enforce internet security without requiring for security gaps that hackers can exploit. To solve
a separate secure web gateway (SWG) device these challenges, FortiGate Secure SD-WAN includes an
accelerated security extension to the access layer that
enables SD-Branch transformation.

14
In a Volatile SD-WAN Market, Fortinet Is the Safe Bet
As cloud-based applications and tools like voice and video become increasingly critical to distributed businesses, FortiGate
Secure SD-WAN can help organizations embrace the benefits of digital innovation without bottlenecking application
performance, impacting end-user productivity, or putting data at risk.

FortiGate Secure SD-WAN is scalable, helping organizations confidently support more remote sites, more bandwidth-
sensitive, business-critical applications, more cloud services, and whatever else the branch network requires.

FortiGate Secure SD-WAN has been adopted worldwide in wide-ranging industries—from finance, to retail, to
manufacturing, to customer service. Whether they need to support a few hundred mobile endpoints or tens of thousands
of branch offices, FortiGate Secure SD-WAN customers are each achieving their own optimal mix of best-of-breed security
and SD-WAN functionality.

15
1
“SD-WAN Infrastructure Market Poised to Reach $4.5 Billion in 2022,” IDC, August 8, 2018.

2
Based on internal testing by Fortinet.

3
“Fortinet Receives Second Consecutive NSS Labs Recommended Rating in SD-WAN Group Test Report,” Fortinet, June 19, 2019.

4
Ibid.

5
Ibid.

6
Ibid.

7
Ibid.

16
 [Link]

Copyright © 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect
performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the
identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in
the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current
version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the
publication shall be applicable.

372656-0-0-EN
October 3, 2019 5:21 AM
eb-the-network-leaders-guide-to-secure-sd-wan-v2.1