SASE
➔SD-WAN+SSE
Table of Contents
I. Introduction to SD-WAN
What is SD-WAN?
SD-WAN use cases
I. DEPLOYMENT
Traditional architecture and challenges of Work-from-Anywhere
SD-WAN provides dynamic, policy-based, application path selection across multiple WAN connections
Note that SD-WAN controls egress traffic, not ingress traffic.
Benefits:
- Effective WAN usage:
You can use public links (broadband, LTE) and private links (MPLS) to securely steer traffic to different
destinations: internet, public cloud, private cloud, and the corporate network.
A hybrid WAN reduces costs, mainly because administrators usually steer most traffic over low-cost, fast
internet links and reserve the high-cost, slower private links for critical traffic only (or as failover links).
- Improved application performance:
You can steer traffic through the best link that meets the application requirements.
ADVPN shortcut support also lowers latency for traffic between sites (spokes), because spoke-to-spoke
traffic no longer has to transit a central location (hub), which in turn reduces the load on the hubs.
SD-WAN use cases
1. Direct Internet access (DIA)
DIA, also known as local breakout, is arguably the most common use case for SD-WAN.
A site has multiple physical internet links (underlay links), and the administrator wants FortiGate to steer internet
traffic across the links.
Usually, sensitive traffic is expedited and steered over the best performing links, while non-critical traffic is
distributed across one or more links using a best effort approach.
Costly internet links are commonly used as backup links, or to steer critical traffic only.
Because internet traffic leaves the organization boundary directly at the local site, administrators usually
enforce strict security policies on that traffic at the site itself.
2. Site-To-Site Traffic
You can use SD-WAN to steer corporate site-to-site traffic. Usually, companies follow a hub-and-spoke
topology, and use VPN tunnels—typically dial-up IPsec tunnels—to transport the traffic between the sites. The
tunnels (overlay links) are established over internet and MPLS links (underlay links).
Tunnels can also carry internet traffic from a spoke to a hub, where it then breaks out to the internet. This is also
known as remote internet access (RIA).
If using ADVPN, you should apply all necessary security inspection on the local site because spoke-to-spoke
traffic will eventually flow directly through the shortcut and will therefore bypass any inspection enabled on the
hub. If not using ADVPN, you may consider applying a less restrictive policy on the spoke provided you
configure the hub to perform the additional required inspection.
Each site has two overlays configured, one using the internet underlay and the other the MPLS underlay. SD-WAN
steers spoke-to-spoke and spoke-to-hub traffic.
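The ADVPN caveat above is easy to get wrong: a spoke policy that is "less restrictive" because the hub inspects everything becomes a gap the moment a shortcut forms and the hub is no longer on the path. The following is an added example (not FortiGate code, and not from the original notes) that models which inspection profiles a spoke-to-spoke flow actually receives on the hub path versus the shortcut path. The topology, the profile names and the required set are constructed for illustration.

```python
"""Inspection coverage check for hub-and-spoke vs ADVPN shortcut paths.

Added example with a constructed topology: the hub applies full inspection,
the spokes only IPS.  The point is to show which required profiles are lost
once spoke-to-spoke traffic takes a shortcut that bypasses the hub.
"""

# Constructed profile sets (not real FortiGate profile names).
HUB_INSPECTION = {"ips", "av", "web-filter", "app-control"}


def spoke_path(src, dst, advpn_shortcut):
    """Ordered list of devices the flow crosses.

    Without a shortcut the flow transits the hub; with an ADVPN shortcut it
    goes directly from spoke to spoke.  The device name "hub" is assumed.
    """
    return [src, dst] if advpn_shortcut else [src, "hub", dst]


def inspection_on_path(path, site_inspection):
    """Union of the inspection profiles applied by every device on the path."""
    applied = set()
    for device in path:
        applied |= site_inspection.get(device, set())
    return applied


def coverage_gaps(required, site_inspection, src, dst):
    """Required profiles missing on the hub path and on the shortcut path."""
    via_hub = inspection_on_path(spoke_path(src, dst, False), site_inspection)
    via_shortcut = inspection_on_path(spoke_path(src, dst, True), site_inspection)
    return {
        "via_hub": sorted(required - via_hub),
        "via_shortcut": sorted(required - via_shortcut),
    }


# Constructed deployment: spokes rely on the hub for AV and web filtering.
SITES = {
    "hub": HUB_INSPECTION,
    "spoke1": {"ips"},
    "spoke2": {"ips"},
}
REQUIRED = {"ips", "av", "web-filter"}


def demo():
    """Return (gaps before hardening, gaps after applying REQUIRED on spokes)."""
    before = coverage_gaps(REQUIRED, SITES, "spoke1", "spoke2")
    # Hardening: every spoke applies the full required set locally, as the
    # notes recommend when ADVPN is in use.
    hardened = {
        name: (profiles if name == "hub" else profiles | REQUIRED)
        for name, profiles in SITES.items()
    }
    after = coverage_gaps(REQUIRED, hardened, "spoke1", "spoke2")
    return before, after


if __name__ == "__main__":
    gaps_before, gaps_after = demo()
    print("before hardening:", gaps_before)
    print("after hardening: ", gaps_after)
```

Running the script shows no gap while traffic transits the hub, but AV and web filtering missing on the shortcut path until the spokes apply them locally. The same check can be extended to any topology by enumerating the real paths a flow can take and the profiles each device enforces.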
3. Remote Internet Access (RIA)
RIA, also known as remote breakout, is another use case for SD-WAN. Internet traffic from the spokes is
backhauled through the WAN using overlay links. When the traffic arrives at the hub, it breaks out to the internet.
The most common reason to use RIA is to centralize security inspection and internet access on the hub.
Another reason to use RIA is for DIA backup. For example, you could configure FortiGate to steer internet traffic
through an MPLS link if the performance measured for internet applications on internet links is worse than on
MPLS links, or simply if the internet links become unavailable.
Instead of using the local internet underlay to forward internet traffic, the FortiGate device on site 1 steers
internet traffic to the hub through the overlay built over MPLS. Once the traffic reaches the hub, the traffic is
subject to a thorough security inspection before it breaks out to the internet.
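The DIA steering described earlier (sensitive traffic on the best-performing link, bulk traffic spread across links, costly links held back) and the RIA backup described here are two outcomes of the same decision: check each candidate link against an SLA, apply a strategy to the links that pass, and fall back to the hub overlay when nothing local qualifies. The following is an added example (not FortiGate configuration or code, and not from the original notes) that models that decision in Python. Link names, costs, SLA thresholds and the health-check measurements are all constructed.

```python
"""Toy model of SD-WAN egress path selection with SLA-qualified members,
per-application strategies, and RIA fallback over the hub overlay.

Added example; members, thresholds and measurements are constructed and do
not come from any real health check.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Member:
    name: str
    kind: str          # "underlay-internet", "underlay-mpls", "overlay-hub"
    cost: int          # administrative cost, lower preferred on ties
    latency_ms: float  # constructed health-check measurements
    jitter_ms: float
    loss_pct: float
    up: bool = True


@dataclass(frozen=True)
class SLA:
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def met_by(self, m: Member) -> bool:
        return (m.up and m.latency_ms <= self.latency_ms
                and m.jitter_ms <= self.jitter_ms
                and m.loss_pct <= self.loss_pct)


def select_path(members: List[Member], sla: SLA, strategy: str,
                flow_id: int = 0) -> Optional[Member]:
    """Pick a member for one flow, or None when no member meets the SLA.

    "best-quality": lowest latency among SLA-passing members (cost breaks ties)
    "lowest-cost":  cheapest SLA-passing member (latency breaks ties)
    "load-balance": spread flows round-robin across SLA-passing members
    """
    ok = [m for m in members if sla.met_by(m)]
    if not ok:
        return None
    if strategy == "best-quality":
        return min(ok, key=lambda m: (m.latency_ms, m.cost))
    if strategy == "lowest-cost":
        return min(ok, key=lambda m: (m.cost, m.latency_ms))
    if strategy == "load-balance":
        ok.sort(key=lambda m: m.name)
        return ok[flow_id % len(ok)]
    raise ValueError(f"unknown strategy {strategy!r}")


def steer_internet(local_links: List[Member], hub_overlay: Member, sla: SLA,
                   strategy: str, flow_id: int = 0) -> Tuple[str, Optional[str]]:
    """DIA first; if no local internet link meets the SLA, use RIA via the hub.

    RIA means the hub performs inspection before the traffic breaks out.
    """
    choice = select_path(local_links, sla, strategy, flow_id)
    if choice is not None:
        return ("DIA", choice.name)
    if sla.met_by(hub_overlay):
        return ("RIA", hub_overlay.name)
    return ("BLACKHOLE", None)  # nothing usable; a real device would drop or alert


# Constructed branch-site members and SLAs.
WAN1 = Member("wan1-broadband", "underlay-internet", cost=1,
              latency_ms=20, jitter_ms=3, loss_pct=0.0)
WAN2 = Member("wan2-lte", "underlay-internet", cost=5,
              latency_ms=45, jitter_ms=8, loss_pct=0.5)
MPLS_TO_HUB = Member("hub-overlay-mpls", "overlay-hub", cost=10,
                     latency_ms=30, jitter_ms=2, loss_pct=0.0)
VOIP_SLA = SLA(latency_ms=50, jitter_ms=5, loss_pct=0.1)
BULK_SLA = SLA(latency_ms=300, jitter_ms=50, loss_pct=2.0)


def demo() -> dict:
    """Healthy links, then broadband degraded by packet loss."""
    local = [WAN1, WAN2]
    results = {
        "voip": steer_internet(local, MPLS_TO_HUB, VOIP_SLA, "best-quality"),
        "bulk_flow0": steer_internet(local, MPLS_TO_HUB, BULK_SLA, "load-balance", 0),
        "bulk_flow1": steer_internet(local, MPLS_TO_HUB, BULK_SLA, "load-balance", 1),
    }
    degraded = [replace(WAN1, loss_pct=3.0), WAN2]
    results["voip_degraded"] = steer_internet(degraded, MPLS_TO_HUB, VOIP_SLA, "best-quality")
    results["bulk_degraded"] = steer_internet(degraded, MPLS_TO_HUB, BULK_SLA, "lowest-cost")
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:14s} -> {outcome}")
```

With healthy links, VoIP takes the low-latency broadband link and bulk flows alternate across both internet links. Once broadband loss exceeds the VoIP SLA, LTE still fails on jitter, so VoIP falls back to RIA over the MPLS overlay, while bulk traffic, with its looser SLA, simply moves to LTE and stays on DIA.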
4. Cloud on-Ramp
To improve performance of cloud applications while keeping network traffic secure, you can configure overlays
against the closest point of presence (PoP) offered by the cloud provider in the area, thus reducing latency. You
can configure FortiGate to connect to the cloud provider’s built-in VPN gateway. Alternatively, you can deploy a
FortiGate VM in the cloud and establish the overlays against it.