
2019 02 Avantec Webinar SD-WAN FINAL · 13 SD-WAN! 14 Enterprise Branch Going Through Evolution 70%...

Date post: 22-May-2020

© Copyright Fortinet Inc. All rights reserved.

Secure SD-WAN
Staying secure in times when the Internet is the new WAN
14 February 2019
Markus Frey / System Engineer


Agenda

• Fortinet Overview
• SD-WAN Introduction
• Why Fortinet Secure SD-WAN
• NSS Labs SD-WAN
• Overview Fortinet Secure SD-WAN
• SD-WAN Use Cases
• Demo


Fortinet Overview

Fortinet: Global Network Security Leader
Highlights: 2000 - present

4,700+ EMPLOYEES WORLDWIDE

100+ OFFICES ACROSS THE GLOBE

548 PATENTS ISSUED

4.2m SHIPPED SECURITY DEVICES

375K CUSTOMERS

$1bn REVENUE

IN EXCESS OF

$1.46bn IN CASH

30% YEAR ON YEAR GROWTH

FOUNDED IN 2000

HEADQUARTERED IN SUNNYVALE, CALIFORNIA


The Broadest Security Portfolio in the Industry Built From The Ground Up To Deliver True Integration End To End

• Endpoint Security: FortiClient
• Email Security: FortiMail
• Web Application Security: FortiWeb
• Management & Analytics: FortiSIEM, FortiAnalyzer, FortiManager
• Advanced Threat Protection: FortiSandbox
• Secure Unified Access: FortiSwitch, FortiAP
• Multi-Cloud Security: FortiGate Virtual Firewall, FortiGate Cloud Firewall, FortiCASB
• Network Security: FortiGate Enterprise Firewall, IPS, SWG, SD-WAN, VPN
• Open Ecosystem: Partner API, DevOps, Connectors


A Leader in Network Security

Gartner Magic Quadrant for Enterprise Network Firewalls, Adam Hills, Jeremy D'Hoinne, Rajpreet Kaur, 4 October 2018. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to its research, including any warranties of merchantability or fitness for a particular purpose. Gartner Peer Insights reviews constitute the subjective opinions of individual end-users based on their own experiences, and do not represent the views of Gartner or its affiliates. © GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates, and is used herein with permission. All rights reserved.

Gartner Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls), Rajpreet Kaur & Claudio Neiva, 20 September 2018. Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to its research, including any warranties of merchantability or fitness for a particular purpose. © GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates, and is used herein with permission. All rights reserved.

NSS Labs 3rd Party Validation

https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/Brochure-NSS-Lab-Independent-Validation.pdf


SDDC

SDN

SD-WAN


Route 1: 5.9 km, 14 minutes, direct route, main roads, minor delays

Route 2: 5.9 km, 18 minutes, many intersections, smaller roads, one major delay

Route 3: 6.9 km, 20 minutes, many intersections, smaller roads, two major delays

Route 1: 5.9 km, 14 → 18 minutes, direct route, main roads, two major delays

Route 2: 5.9 km, 18 → 14 minutes, many intersections, smaller roads, no major delay

Route 3: 6.9 km, 20 → 22 minutes, many intersections, smaller roads, one major delay


SD-WAN!


Enterprise Branch Going Through Evolution

70% of customers mentioned existing WAN is brittle, slow, expensive and not effective for cloud adoption² due to back-haul

62: Average number of cloud applications shows rapid growth of SaaS and IaaS³

DX Transformation
Inefficient Traditional WAN
Security is “MUST”

90% of SD-WAN vendors do not provide security. With direct internet access, security becomes critical at every branch

Today’s Enterprise Branch WAN traffic is back-hauled to data-center which degrades SaaS Applications Performance


Today’s WAN is an obstacle for Digital Transformation

Branch

WAN

MPLS Data-Center

Internet

High WAN Cost, No Visibility, High SaaS Latency

SD-WAN: Solves WAN Challenges with better ROI

Branch

WAN

Data-Center

Internet

Reduced WAN Cost, Better Visibility, Low SaaS Latency

Legacy

SD-WAN


Security “MUST” not be an afterthought with SD-WAN

Branch

WAN

Data-Center

Internet

• Increasing need of NGFW security at Branch

• 90% of SD-WAN vendors offer basic security

• SSL Inspection is critical with SaaS applications

Why Fortinet Secure SD-WAN


FortiGate Next Generation Firewalls with Integrated SD-WAN


SD-WAN

NGFW

Secure SD-WAN

Scalable and Easy to Deploy

• SD-WAN
• App Control
• Intrusion Prevention
• Antivirus
• URL Filtering
• Sandboxing
• SSL Inspection
• Traffic Shaping
• VPN

SD-WAN requires direct internet access which requires better security at every branch

90% of the SD-WAN vendors only offer stateful firewalls, which is not enough

Unprecedented Integration and visibility

Single Pane of Glass to Manage LAN and WAN Devices at the Branch
Use Case: Consolidation of Branch Services

CHALLENGES
• Multiple management consoles
• Complex provisioning to bring up a new branch

SD-Branch

FortiGate SDWAN

LAN: FortiAP, FortiSwitch

WAN: Security, Routing, SD-WAN


Access Management

WiFi Controller

Firewall

Management

Switching

Multi-vendor Layer Approach = Complexity

Complexity is the Enemy
• Multiple point solutions
• Multiple platforms
• Multiple management consoles
• Inconsistent policy and networking
• Varying upgrade cycles

• Slow and porous threat response
• Resources strained to maintain
• Prone to configuration complexity

SD-WAN


Access Management

WiFi Controller

Firewall

Management

Switching

Fortinet’s security fabric = Simplicity

FortiGate Manages it all

FortiLink
» Switch ports are an extension of your NGFW

FortiLink wireless
» SSIDs are an extension of your NGFW

• No additional licenses
• No new UI to learn
• Simple deployment
• Harmonized configuration

FortiGate + SDWAN + Switch + Access Points

SD-WAN


Only Fortinet delivers integrated Secure SD-WAN

Feature comparison table. Columns: SD-WAN Vendors, Security Vendors, Combinations, Fortinet. Rows (features): SD-WAN, NGFW Security, Single Console, Cost.

NSS Labs SD-WAN Group Test


NSS Labs SD-WAN - Industry’s First SD-WAN Group Test

Fortinet SD-WAN Receives “Recommendation” from NSS Labs

• Highest QoE for VoIP: 4.38 out of 4.41
• Best Total Cost of Ownership: $5 @ 749 Mbps
• Only Security Vendor to be Recommended: Blocked 100% Evasions


Overview Fortinet Secure SD-WAN


Fortinet Secure SD-WAN Overview

FLEXIBLE

COMPREHENSIVE

SD-WAN: 3000+ Application Classification, Automated WAN Path Control, SaaS Applications SLA

NGFW SECURITY: Market Leader, SSL Inspection, Segmentation

SIMPLE

Centralized Controller, Single Pane of Glass

NOC

SOC

Zero Touch Provisioning

FortiGate

FortiManager

3G/4G Broadband

NETWORKING

Automatic VPN provisioning, Dynamic Routing, Wireless and Switch Integration


Performance SLA (For high priority applications)

Application-Level Transaction
• Latency < 200ms
• Latency < 100ms AND Packet Loss < 1% AND Jitter < 30ms

Multiple Measurement Techniques
• Ping
• HTTP
• TCP Echo
• UDP Echo
• TWAMP

Failover Parameters
• Check Interval
• Success before restore
• Failure before inactive

FortiOS SD-WAN: Interface Members

Enable or disable the SD-WAN virtual interface

Configure all interface and gateway members that will be used in SD-WAN
Supports physical, VLAN, IPSec, 3G/4G and FortiExtender interfaces

SD-WAN usage dashboard. Statistics only


FortiOS SD-WAN: Performance SLA

• Protocol: Use ping or http (twamp) to test the link with the server
• Server: IP address or FQDN of the server. If two servers are configured, both need to fail for the link to be detected as offline
• Participants: Interface members for this health-check

SLA Targets (optional). Used in SD-WAN Rule SLA Strategy

• Status check interval, or the time between attempts to connect to the server
• Number of failures before the server is considered lost
• Number of successful responses received before the server is considered recovered

Enable/disable updating the static route
When enabled and the health-check fails, FortiOS will disable static routes for inactive interfaces
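
A simplified Python model of the health-check behaviour this slide describes, added here as an illustration and not FortiOS code: a probe round fails only when every configured server fails, the failure and recovery counters decide when a member goes inactive or is restored, and a restored member can still miss the SLA targets. The class name, counter values and sample RTTs are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class Member:
    """Simplified model of one SD-WAN member's health check (not FortiOS code)."""
    name: str
    failures_before_inactive: int = 3   # hypothetical setting
    successes_before_restore: int = 2   # hypothetical setting
    alive: bool = True
    fails: int = 0
    oks: int = 0
    sent: int = 0
    rtts: list = field(default_factory=list)

    def probe_round(self, replies):
        """replies: RTT in ms per configured server, None = no answer.
        With two servers, the round fails only if both fail."""
        self.sent += 1
        answered = [r for r in replies if r is not None]
        if answered:
            self.rtts.append(min(answered))
            self.oks, self.fails = self.oks + 1, 0
            if not self.alive and self.oks >= self.successes_before_restore:
                self.alive = True            # link restored
        else:
            self.fails, self.oks = self.fails + 1, 0
            if self.alive and self.fails >= self.failures_before_inactive:
                self.alive = False           # link declared inactive
        return self.alive

    def meets_sla(self, latency_ms=100, loss_pct=1, jitter_ms=30):
        """Slide targets: latency < 100ms AND packet loss < 1% AND jitter < 30ms."""
        if not self.alive or len(self.rtts) < 2:
            return False
        loss = 100 * (self.sent - len(self.rtts)) / self.sent
        jitter = mean(abs(a - b) for a, b in zip(self.rtts, self.rtts[1:]))
        return mean(self.rtts) < latency_ms and loss < loss_pct and jitter < jitter_ms

def run(name, rounds):
    """Feed constructed probe rounds to a member; return it plus the alive timeline."""
    m = Member(name)
    return m, [m.probe_round(r) for r in rounds]

# Constructed samples: (server1 RTT, server2 RTT) per check interval.
FLAPPING = [(20, 22), (None, 25)] + [(None, None)] * 3 + [(30, None), (28, None)]
CLEAN = [(40, 41), (42, 44), (41, 41), (43, 45), (40, 42)]

if __name__ == "__main__":
    for name, rounds in (("wan1", FLAPPING), ("wan2", CLEAN)):
        m, timeline = run(name, rounds)
        print(name, timeline, "alive:", m.alive, "in SLA:", m.meets_sla())
```

In this model loss and jitter are computed over the whole probe history, so the flapping member comes back as alive but out of SLA; an SLA-based rule would keep avoiding it even though its route is usable again.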

FortiOS SD-WAN: Rules

• SD-WAN rules are evaluated top down. The order is important
• If no rule matches, the implicit rule will be used
• Each rule is a “policy route” inside FortiOS


FortiOS SD-WAN: Traffic Shaping

SD-WAN interface available as Traffic Shaping outgoing interface

Traffic Shaping
• L7 Analysis for QoS rules based on Users, Apps, URLs…
• Use App Classification to control bandwidth reservation, limitation, Diffserv marking and prioritization

FortiManager SD-WAN: Feature Support

SD-WAN Central Template
» You can centrally provision SD-WAN templates by specifying SD-WAN interface members, WAN link performance criteria, and application routing priority

SD-WAN Monitoring
» Map View displays SD-WAN enabled devices on Google Map with color coded icons. Mouse over to view health performance statistics for each SD-WAN link member
» Table View provides more granular information on each SD-WAN link member such as link status, applications performance and their bandwidth usage


FortiManager SD-WAN: SD-WAN Centralized Management (per Device or Template based)

FortiManager SD-WAN: SD-WAN Monitor

SD-WAN Monitors are imported from FortiGate, so it will work even without an SD-WAN Template

In Google Maps you can select a device and it shows all Health-Checks

The monitor shows the actual status of the Health-Checks. If a value is above the SLA target, it is marked red in the graph


Zero Touch Provisioning

FortiOS SD-WAN: Zero Touch Provisioning with FortiDeploy

• Order the FortiGates along with a FortiDeploy SKU
• Fortinet registers your devices in FortiCloud
• Assign FortiManager IP to registered devices
• Provision your devices in FortiManager
• Deployed device will get its full configuration from FortiManager
• Deployed device will fetch its management details from FortiCloud

Customer

FortiCloud, FortiCloud, FortiManager, FortiGate

Fortinet


SD-WAN Use Cases


Branch

Primary IPSec VPN

Secondary IPSec VPN

Public Cloud

Private Cloud

Critical Apps (Voice & Video): Redirected to a new tunnel when/if the primary WAN conditions are too bad

Direct secure access to Internet, SaaS and IaaS content. Load balanced if needed.

Business Apps: Load balanced across different lines so bandwidth is optimized.

Critical Apps (Voice & Video): Best path is chosen depending on latency, jitter & packet loss.

Internet

Latency = 25 ms, Jitter = 1 ms, Packet Loss = 0 %, BW = 200 Mbps

Latency = 30 ms, Jitter = 2 ms, Packet Loss = 2 %, BW = 200 Mbps

Latency = 20 ms, Jitter = 1 ms, Packet Loss = 0 %, BW = 200 Mbps

Enterprise SD-WAN Use Cases


Enterprise SD-WAN Use Cases: Internet SaaS – Application Aware + Path Awareness Intelligence

Internet ISP-B

Internet ISP-A

Critical Apps: Best path is chosen depending on latency, jitter & packet loss

Critical Apps: Redirected to a new link in case the WAN conditions are better than the threshold

Office

Not Business App: Less priority. QoS

Enterprise SD-WAN Use Cases: MPLS backup with local breakout

MPLS

Branch

HQ

MPLS Dependency: Inflexible, expensive, good QoS

Critical Apps & Secure access: Redundant path through IPSec VPN

Direct secure access to Internet, SaaS and IaaS content: NGFW + SSL Inspection

Internet


Demo

Demo Topology


THANK YOU!

