© Copyright Fortinet Inc. All rights reserved.
Secure SD-WAN
Staying secure in times when the Internet is the new WAN
14 February 2019
Markus Frey / System Engineer
Agenda
» Fortinet Overview
» SD-WAN Introduction
» Why Fortinet Secure SD-WAN
» NSS Labs SD-WAN
» Overview Fortinet Secure SD-WAN
» SD-WAN Use Cases
» Demo
Fortinet Overview
Fortinet: Global Network Security Leader
Highlights: 2000 - present
» 4,700+ employees worldwide
» 100+ offices across the globe
» 548 patents issued
» 4.2m security devices shipped
» 375K customers
» Revenue in excess of $1bn
» $1.46bn in cash
» 30% year-on-year growth
» Founded in 2000
» Headquartered in Sunnyvale, California
The Broadest Security Portfolio in the Industry Built From The Ground Up To Deliver True Integration End To End
» Endpoint Security: FortiClient
» Email Security: FortiMail
» Web Application Security: FortiWeb
» Management & Analytics: FortiSIEM, FortiAnalyzer, FortiManager
» Advanced Threat Protection: FortiSandbox
» Secure Unified Access: FortiSwitch, FortiAP
» Multi-Cloud Security: FortiGate Virtual Firewall, FortiGate Cloud Firewall, FortiCASB
» Network Security: FortiGate Enterprise Firewall (IPS, SWG, SD-WAN, VPN)
» Open Ecosystem: Partner API, DevOps, Connectors
A Leader in Network Security
Gartner Magic Quadrant for Enterprise Network Firewalls, Adam Hills, Jeremy D'Hoinne, Rajpreet Kaur, 4 October 2018. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to its research, including any warranties of merchantability or fitness for a particular purpose. Gartner Peer Insights reviews constitute the subjective opinions of individual end-users based on their own experiences, and do not represent the views of Gartner or its affiliates. © GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates, and is used herein with permission. All rights reserved.
Gartner Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls), Rajpreet Kaur & Claudio Neiva, 20 September 2018. Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to its research, including any warranties of merchantability or fitness for a particular purpose. © GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates, and is used herein with permission. All rights reserved.
NSS Labs 3rd Party Validation
https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/Brochure-NSS-Lab-Independent-Validation.pdf
SDDC
SDN
SD-WAN
Route 1: 5.9 km, 14 minutes, direct route, main roads, minor delays
Route 2: 5.9 km, 18 minutes, many intersections, smaller roads, one major delay
Route 3: 6.9 km, 20 minutes, many intersections, smaller roads, two major delays
Route 1: 5.9 km, 14 → 18 minutes, direct route, main roads, two major delays
Route 2: 5.9 km, 18 → 14 minutes, many intersections, smaller roads, no major delay
Route 3: 6.9 km, 20 → 22 minutes, many intersections, smaller roads, one major delay
SD-WAN!
Enterprise Branch Going Through Evolution
» DX Transformation: 70% of customers mentioned the existing WAN is brittle, slow, expensive and not effective for cloud adoption due to back-haul [2]
» Inefficient Traditional WAN: 62 is the average number of cloud applications, showing the rapid growth of SaaS and IaaS [3]
» Security is a "MUST": 90% of SD-WAN vendors do not provide security. With direct internet access, security becomes critical at every branch
Today's Enterprise Branch WAN traffic is back-hauled to the data-center, which degrades SaaS application performance
Today’s WAN is an obstacle for Digital Transformation
Branch
WAN
MPLS Data-Center
Internet
High WAN Cost | No Visibility | High SaaS Latency
SD-WAN: Solves WAN Challenges with better ROI
Branch
WAN
Data-Center
Internet
Reduced WAN Cost | Better Visibility | Low SaaS Latency
Legacy
SD-WAN
Security “MUST” not be an afterthought with SD-WAN
Branch
WAN
Data-Center
Internet
• Increasing need of NGFW security at Branch
• 90% of SD-WAN vendors offer only basic security
• SSL Inspection is critical with SaaS applications
Why Fortinet Secure SD-WAN
FortiGate Next Generation Firewalls with Integrated SD-WAN
SD-WAN + NGFW = Secure SD-WAN: Scalable and Easy to Deploy
Integrated functions: SD-WAN, App Control, Intrusion Prevention, Antivirus, URL Filtering, Sandboxing, SSL Inspection, Traffic Shaping, VPN
SD-WAN requires direct internet access which requires better security at every branch
90% of the SD-WAN vendors only offer stateful firewalls which is not enough
Unprecedented Integration and visibility
Use Case: Consolidation of Branch Services
Single Pane of Glass to Manage LAN and WAN Devices at the Branch
CHALLENGES
» Multiple management consoles
» Complex provisioning to bring up a new branch
Diagram labels: SD-Branch, FortiGate SD-WAN, FortiAP, FortiSwitch, LAN, WAN, Security, Routing, SD-WAN
Multi-vendor Layer Approach = Complexity
Layers: Access Management, WiFi Controller, Firewall, Management, Switching, SD-WAN
Complexity is the Enemy:
» Multiple point solutions
» Multiple platforms
» Multiple management consoles
» Inconsistent policy and networking
» Varying upgrade cycles
» Slow and porous threat response
» Resources strained to maintain
» Prone to configuration complexity
Fortinet's Security Fabric = Simplicity
Layers: Access Management, WiFi Controller, Firewall, Management, Switching, SD-WAN
FortiGate manages it all:
» FortiLink: switch ports are an extension of your NGFW
» FortiLink wireless: SSIDs are an extension of your NGFW
» No additional licenses
» No new UI to learn
» Simple deployment
» Harmonized configuration
FortiGate + SD-WAN + Switch + Access Points
Only Fortinet delivers integrated Secure SD-WAN
Comparison table; columns: SD-WAN Vendors, Security Vendors, Combinations, Fortinet
Rows (features): SD-WAN, NGFW Security, Single Console, Cost
NSS Labs SD-WAN Group Test
NSS Labs SD-WAN - Industry’s First SD-WAN Group Test
Fortinet SD-WAN Receives "Recommendation" from NSS Labs
» Highest QoE for VoIP: 4.38 out of 4.41
» Best Total Cost of Ownership: $5 @ 749 Mbps
» Only Security Vendor to be Recommended: Blocked 100% of Evasions
Overview Fortinet Secure SD-WAN
Fortinet Secure SD-WAN Overview
» COMPREHENSIVE SD-WAN NGFW SECURITY: Market Leader, SSL Inspection, Segmentation
» FLEXIBLE: 3000+ Application Classification, Automated WAN Path Control, SaaS Applications SLA
» SIMPLE: Centralized Controller, Single Pane of Glass (NOC, SOC), Zero Touch Provisioning
» NETWORKING: Automatic VPN provisioning, Dynamic Routing, Wireless and Switch Integration
Diagram components: FortiGate, FortiManager, 3G/4G, Broadband
Performance SLA (for high-priority applications)
SLA target examples:
» Application-level transaction: Latency < 200 ms
» Latency < 100 ms AND Packet Loss < 1 % AND Jitter < 30 ms
Multiple measurement techniques: Ping, HTTP, TCP Echo, UDP Echo, TWAMP
Failover parameters: Check Interval, Success before restore, Failure before inactive
FortiOS SD-WAN: Interface Members
Enable or disable the SD-WAN virtual interface
Configure all interface and gateway members that will be used in SD-WAN. Supported member types: physical, VLAN, IPSec, 3G/4G and FortiExtender interfaces
SD-WAN usage dashboard (statistics only)
FortiOS SD-WAN: Performance SLA
Protocol: use ping or HTTP (TWAMP) to test the link to the server
Server: IP address or FQDN of the server. If two servers are configured, both need to fail for the link to be detected as offline
Participants: interface members covered by this health check
SLA Targets (optional): used by the SLA strategy in SD-WAN rules
Status check interval: the time between attempts to connect to the server
Number of failures before the server is considered lost
Number of successful responses received before the server is considered recovered
Enable/disable updating the static route: when enabled and the health check fails, FortiOS disables the static routes for the inactive interfaces
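The Performance SLA slide and the FortiOS Performance SLA slide above describe the same mechanism from two sides: SLA thresholds that are ANDed, probes against one or two servers, and failover hysteresis (failures before inactive, successes before restore). The following Python model is an added example, not code from the deck or from Fortinet; every class name, the probe addresses and the sample scenario are constructed, and FortiOS' own implementation may differ in detail. It shows why the hysteresis matters: a single lost probe, or one dead probe server out of two, does not take the member out of service, while a link that is up but leaking packets still fails its SLA.

```python
"""Added example, not from the Fortinet deck: a small Python model of one
SD-WAN performance-SLA health check with the knobs the two SLA slides name
(check interval, failures before inactive, successes before restore, two
probe servers that must both fail, SLA thresholds). Names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SlaTarget:
    """Slide thresholds: latency < 100 ms AND packet loss < 1 % AND jitter < 30 ms."""
    max_latency_ms: float = 100.0
    max_loss_pct: float = 1.0
    max_jitter_ms: float = 30.0

    def is_met(self, latency_ms: float, loss_pct: float, jitter_ms: float) -> bool:
        # The three conditions are ANDed: a single breach fails the whole SLA.
        return (latency_ms < self.max_latency_ms
                and loss_pct < self.max_loss_pct
                and jitter_ms < self.max_jitter_ms)


@dataclass(frozen=True)
class Sample:
    """One check-interval round: per-server RTT in ms (None = no reply) plus link metrics."""
    replies: Dict[str, Optional[float]]
    loss_pct: float = 0.0
    jitter_ms: float = 0.0

    def reachable(self) -> bool:
        # Slide rule: with two servers configured, BOTH must fail before the
        # link counts as down, so one dead probe target does not fail the link.
        return any(rtt is not None for rtt in self.replies.values())

    def latency_ms(self) -> float:
        # Worst answering server is taken as the link latency (a modelling choice).
        return max(rtt for rtt in self.replies.values() if rtt is not None)


@dataclass
class HealthCheck:
    """Liveness state machine for one SD-WAN member under one health check."""
    member: str
    failures_before_inactive: int = 5   # slide: "failure before inactive"
    successes_before_restore: int = 5   # slide: "success before restore"
    sla: SlaTarget = field(default_factory=SlaTarget)
    alive: bool = True
    sla_ok: bool = True
    fail_streak: int = 0
    ok_streak: int = 0
    events: List[str] = field(default_factory=list)

    def observe(self, s: Sample) -> bool:
        """Consume one sample; return whether the member is alive afterwards."""
        if s.reachable():
            self.ok_streak += 1
            self.fail_streak = 0
            # SLA compliance is re-evaluated on every answered probe.
            self.sla_ok = self.sla.is_met(s.latency_ms(), s.loss_pct, s.jitter_ms)
            if not self.alive and self.ok_streak >= self.successes_before_restore:
                self.alive = True
                self.events.append(f"{self.member}: restored")
        else:
            self.fail_streak += 1
            self.ok_streak = 0
            self.sla_ok = False
            if self.alive and self.fail_streak >= self.failures_before_inactive:
                # With "update static route" enabled, this is the point where the
                # slide says FortiOS withdraws the member's static routes.
                self.alive = False
                self.events.append(f"{self.member}: inactive")
        return self.alive


def simulate(member: str, samples: List[Sample],
             failtime: int = 3, recoverytime: int = 2) -> HealthCheck:
    """Run every sample through a fresh health check and return its final state."""
    hc = HealthCheck(member, failures_before_inactive=failtime,
                     successes_before_restore=recoverytime)
    for s in samples:
        hc.observe(s)
    return hc


# Constructed scenario with placeholder probe targets: one server goes dark,
# then the whole link drops for three intervals and returns degraded.
SERVERS = ("192.0.2.10", "192.0.2.20")

def both(rtt: float) -> Dict[str, Optional[float]]:
    return {SERVERS[0]: rtt, SERVERS[1]: rtt}

SCENARIO = [
    Sample(both(20.0)),                                # healthy
    Sample({SERVERS[0]: None, SERVERS[1]: 25.0}),      # one server down: link still up
    Sample({SERVERS[0]: None, SERVERS[1]: None}),      # failure 1
    Sample({SERVERS[0]: None, SERVERS[1]: None}),      # failure 2
    Sample({SERVERS[0]: None, SERVERS[1]: None}),      # failure 3 -> inactive (failtime=3)
    Sample(both(22.0)),                                # success 1, still inactive
    Sample(both(21.0)),                                # success 2 -> restored (recoverytime=2)
    Sample(both(40.0), loss_pct=2.0, jitter_ms=5.0),   # alive again, but loss breaches the SLA
]

if __name__ == "__main__":
    result = simulate("wan1", SCENARIO)
    print(result.events, "alive:", result.alive, "in SLA:", result.sla_ok)
```

Tuning `failtime` and `recoverytime` trades failover speed against route flapping; the last sample illustrates why liveness and SLA compliance are tracked separately, since a rule using the SLA strategy can steer traffic off a member that is still up.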
FortiOS SD-WAN: Rules
SD-WAN rules are evaluated top-down, so the order is important. If no rule matches, the implicit rule is used. Each rule is a "policy route" inside FortiOS.
FortiOS SD-WAN: Traffic Shaping
The SD-WAN interface is available as the outgoing interface in Traffic Shaping
Traffic Shaping: L7 analysis for QoS rules based on users, apps, URLs, ... Use application classification to control bandwidth reservation, limitation, DiffServ marking and prioritization
FortiManager SD-WAN: Feature Support
SD-WAN Central Template
» You can centrally provision SD-WAN templates by specifying SD-WAN interface members, WAN link performance criteria, and application routing priority
SD-WAN Monitoring
» Map View displays SD-WAN enabled devices on Google Maps with color-coded icons. Mouse over to view health performance statistics for each SD-WAN link member
» Table View provides more granular information on each SD-WAN link member, such as link status, application performance and bandwidth usage
FortiManager SD-WAN: SD-WAN Centralized Management (per device or template based)
FortiManager SD-WAN: SD-WAN Monitor
SD-WAN monitors are imported from the FortiGate, so monitoring works even without an SD-WAN template
In the Google Maps view you can select a device and it shows all of its health checks
The monitor shows the current status of the health checks. If a value is above its SLA target, it is marked red in the graph
Zero Touch Provisioning
FortiOS SD-WAN: Zero Touch Provisioning with FortiDeploy
» Order the FortiGates along with a FortiDeploy SKU
» Fortinet registers your devices in FortiCloud
» Assign the FortiManager IP to the registered devices
» Provision your devices in FortiManager
» The deployed device will get its full configuration from FortiManager
» The deployed device will fetch its management details from FortiCloud
Diagram participants: Customer, Fortinet, FortiCloud, FortiManager, FortiGate
SD-WAN Use Cases
Enterprise SD-WAN Use Cases
Diagram labels: Branch, Primary IPSec VPN, Secondary IPSec VPN, Public Cloud, Private Cloud, Internet
Measured link conditions (one box per WAN link):
» Latency = 25 ms, Jitter = 1 ms, Packet Loss = 0 %, BW = 200 Mbps
» Latency = 30 ms, Jitter = 2 ms, Packet Loss = 2 %, BW = 200 Mbps
» Latency = 20 ms, Jitter = 1 ms, Packet Loss = 0 %, BW = 200 Mbps
• Critical Apps (Voice & Video): Redirected to a new tunnel when/if the primary WAN conditions are too bad
• Critical Apps (Voice & Video): Best path is chosen depending on latency, jitter & packet loss
• Business Apps: Load balanced across different lines so bandwidth is optimized
• Direct secure access to Internet, SaaS and IaaS content: Load balanced if needed
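The rules slide states that SD-WAN rules are evaluated top-down with an implicit rule as the fallback, and this use-case slide shows three links with measured latency, jitter and loss plus three steering behaviours (redirect when the primary is too bad, best path by quality, load balancing). The Python below is an added example, not code from the deck or from Fortinet, tying the two together. The link metrics are taken from the slide's three boxes, but the names link-A/B/C, the rule names, the application categories and the tie-breaking inside each strategy are constructed; the SLA threshold is the one from the Performance SLA slide.

```python
"""Added example, not from the Fortinet deck: how top-down SD-WAN rules pick
an egress member from live link metrics, using the three measured links and
the SLA thresholds shown on the slides. Rule names, application categories
and the exact tie-breaking of each strategy are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class LinkMetrics:
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    bandwidth_mbps: float


# Constructed from the use-case slide's three metric boxes; which box belongs
# to which tunnel or Internet link is not stated on the slide, hence A/B/C.
LINKS: Dict[str, LinkMetrics] = {
    "link-A": LinkMetrics(latency_ms=25, jitter_ms=1, loss_pct=0, bandwidth_mbps=200),
    "link-B": LinkMetrics(latency_ms=30, jitter_ms=2, loss_pct=2, bandwidth_mbps=200),
    "link-C": LinkMetrics(latency_ms=20, jitter_ms=1, loss_pct=0, bandwidth_mbps=200),
}

# SLA target from the Performance SLA slide: latency < 100 ms AND loss < 1 % AND jitter < 30 ms.
SLA_LATENCY_MS, SLA_LOSS_PCT, SLA_JITTER_MS = 100.0, 1.0, 30.0


def meets_sla(m: LinkMetrics) -> bool:
    return (m.latency_ms < SLA_LATENCY_MS and m.loss_pct < SLA_LOSS_PCT
            and m.jitter_ms < SLA_JITTER_MS)


@dataclass(frozen=True)
class Rule:
    name: str
    apps: FrozenSet[str]        # application categories this rule matches
    strategy: str               # "sla" | "best-quality" | "load-balance"
    members: Sequence[str]      # candidate members, highest priority first


def select_member(rule: Rule, links: Dict[str, LinkMetrics], flow_hash: int = 0) -> str:
    """Pick the egress member one rule would use for a flow right now."""
    in_sla = [m for m in rule.members if meets_sla(links[m])]
    if rule.strategy == "sla":
        # Highest-priority member currently inside the SLA: "redirected to a
        # new tunnel when/if the primary WAN conditions are too bad".
        return in_sla[0] if in_sla else rule.members[0]
    if rule.strategy == "best-quality":
        # "Best path is chosen depending on latency, jitter & packet loss".
        return min(rule.members, key=lambda m: (links[m].latency_ms,
                                                links[m].jitter_ms,
                                                links[m].loss_pct))
    if rule.strategy == "load-balance":
        # "Load balanced across different lines": hash flows over SLA-compliant members.
        pool = in_sla or list(rule.members)
        return pool[flow_hash % len(pool)]
    raise ValueError(f"unknown strategy {rule.strategy!r}")


# Constructed rule set; order matters because evaluation is top-down.
RULES: List[Rule] = [
    Rule("voice-sla",     frozenset({"voip"}),       "sla",          ["link-A", "link-C", "link-B"]),
    Rule("video-quality", frozenset({"video"}),      "best-quality", ["link-A", "link-B", "link-C"]),
    Rule("business-lb",   frozenset({"crm", "erp"}), "load-balance", ["link-A", "link-B", "link-C"]),
]


def route(app: str, links: Dict[str, LinkMetrics], flow_hash: int = 0,
          rules: Sequence[Rule] = RULES) -> Tuple[str, str]:
    """Evaluate rules top-down; the first match wins. Unmatched traffic falls
    to the implicit rule, modelled here as a plain routing-table lookup."""
    for rule in rules:
        if app in rule.apps:
            return rule.name, select_member(rule, links, flow_hash)
    return "implicit", "routing-table"


# Constructed: link-A degrades to 2 % loss and no longer meets the SLA.
DEGRADED = {**LINKS, "link-A": LinkMetrics(latency_ms=60, jitter_ms=8, loss_pct=2, bandwidth_mbps=200)}

if __name__ == "__main__":
    for app in ("voip", "video", "crm", "youtube"):
        print(app, route(app, LINKS), "-> degraded:", route(app, DEGRADED))
```

Because the first matching rule wins, a broad rule placed above a specific one silently swallows the specific one's traffic; checking rule order is the first step when an application is not taking the path its SLA would suggest.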
Enterprise SD-WAN Use Cases: Internet SaaS – Application Aware + Path Awareness Intelligence
Diagram labels: Office, Internet ISP-A, Internet ISP-B
• Critical Apps: Best path is chosen depending on latency, jitter & packet loss
• Critical Apps: Redirected to a new link in case the WAN conditions are better than the threshold
• Not Business App: Less priority (QoS)
Enterprise SD-WAN Use Cases: MPLS backup with local breakout
Diagram labels: Branch, HQ, MPLS, Internet
• MPLS dependency: Inflexible, expensive, good QoS
• Critical Apps & Secure access: Redundant path through IPSec VPN
• Direct secure access to Internet, SaaS and IaaS content: NGFW + SSL Inspection
Demo
Demo Topology
THANK YOU!