SERVICE DESCRIPTION

QUICKSTART SD-WAN

1. Introduction
The QuickStart SD-WAN service is a consulting service that provides assistance to the Customer for the deployment of a
pre-defined FortiGate™ SD-WAN configuration into the Customer’s environment (the “Service”). The Service aims at helping
Customers to accelerate time-to-adoption of their SD-WAN network based on pre-defined, standardized phases. Fortinet
expertise is provided through a number of remote technical sessions that assess the Customer’s communicated
requirements and assist with the introduction of the FortiGate SD-WAN feature.

This Service is made available as part of the QuickStart Suite as described in the then-current QuickStart Suite service
description made available at https://support.fortinet.com/Information/DocumentList.aspx (the “QuickStart Suite Service
Description”). The QuickStart Suite Service Description is incorporated herein by reference, and, in the event of a conflict,
this service description shall prevail over the QuickStart Suite Service Description.

The Service is available in three different pre-packaged* options to be selected by the Customer, designed to align with the
varying configurations and requirements of each Customer (the “Service Options”):

* “Pre-packaged” means that the tasks, and the structure and sequence of the performance of these tasks, are pre-determined
by Fortinet.

Option 1. Standalone site Service Option


The Standalone site Service Option covers the deployment of a direct internet access model used when local internet
breakout at a location is required (the “Standalone site Service Option”). This typically concerns SaaS applications or websites,
located on the internet, which the branches will access directly. The SD-WAN functionality is needed to decide the best
path between multiple WAN links, allowing for a much more efficient use of WAN bandwidth and improved user
experience. This applies to new or existing environments.

Option 2. Hub and Spoke Service Option


The Hub and Spoke Service Option covers greenfield deployments of a single datacenter for an enterprise SD-WAN
topology, providing the Customer with expertise to deploy FortiGate SD-WAN functionality on a hub and up to a
pre-defined number of branches (the “Hub and Spoke Service Option”). In this model a branch FortiGate device initiates an
IPsec connection to a central location which is the hub FortiGate in the datacenter. iBGP is used to exchange routes
between the branch and the datacenter. It leverages ADVPN and FortiManager™ features.

Option 3. Hub and Spoke with ZTP Service Option


The Hub and Spoke with ZTP Service Option has the same objective as the Hub and Spoke Service Option but using the
Zero-Touch Provisioning (‘ZTP’) deployment mode (the “Hub and Spoke with ZTP Service Option”). ZTP refers to the fact
that no configuration action and no expertise is needed on branch sites. This enables large-scale and faster
deployments of Secure SD-WAN.

Service Options

| | SDWAN Standalone site | Hub and Spoke (Single DC) | Hub and Spoke (Single DC) with ZTP |
|---|---|---|---|
| Sizing of the technical environment | Single SD-WAN zone with up to 3 WAN/DIA links | Single DC hub (or HA pair) with up to 5 branches | Single DC hub (or HA pair) with up to 2 branches |
| Number of Underlays (physical network connections) | 3 | Up to 2 | Up to 2 |
| Number of Overlays (virtual network connections on top of underlay) | N/A | Up to 2 | Up to 2 |
| Device profiling rules | Up to 10 SDWAN rules | Up to 10 SDWAN rules; up to 10 firewall policies | Up to 10 SDWAN rules; up to 10 firewall policies |
| Go-live events assistance sessions | 1 | Up to 3 | Up to 3 |

FORTINET PUBLIC – CUSTOMERS AND PARTNERS #870-2430 v1.0 P a g e | 1 of 5


2. Project initiation and Service Sequences
The project initiation consists of gathering the Customer requirements and identifying the stakeholders. The Service will
subsequently be delivered in successive phases that have the following objectives:

1. Requirements review and planning – First project delivery phase to review the requirements and define milestones
and tasks, agree on the project schedule, and review any risks, assumptions, dependencies, and technicalities.
2. Installation and configuration – Second phase to configure the Service purchased based on the scope agreed upon
in the previous phases whilst maintaining the highest quality standards.
3. Go-Live Event plan – Third phase to assist in the planning of the Go-Live activity.
4. Knowledge transfer – Fourth phase to conduct a knowledge transfer session with the Customer.
5. Go-Live Event assistance – Fifth phase to assist the Customer during the Go-Live Event.
6. Configuration Adjustments – Sixth and final phase to analyze and adjust the deployed configuration if necessary.

3. Service Scope
Fortinet will use reasonable efforts to assist the Customer with the following activities in accordance with the following defined
phases.

Project Initiation
Fortinet will provide a questionnaire to the Customer. The intent of this questionnaire will be to obtain technical details of
the configuration specific to the Customer’s environment and the key stakeholders. Such questionnaire shall be carefully
filled out in detail and returned by Customer to Fortinet within 5 (five) business days. This is a pre-requisite for progression
to Phase 1.

Example configuration elements requested in the questionnaire:


• Systems settings (high availability, administrative access)
• Number and type of WAN links
• IP addressing plan
• Initial application steering requirements
• Logging and management integration

Phase 1 – Requirements review and Planning


Fortinet will conduct a conference call with the Customer for the purpose of:
• Reviewing the questionnaire with the aim of understanding the Customer’s environment and confirming the
configuration required for the successful delivery of the Service.
• Discussing any outstanding technical points.
• Agreeing on a method for secure data exchange.
• Establishing a project plan, including activities such as project milestones, list of tasks and owners, and risks,
assumptions, and dependencies.

The outcome of this session will be delivered in the form of an As-Built Document, a document that describes key
implementation elements of the deployed configuration (“As-Built Document”). The As-Built Document will be updated on
the basis of successive phases throughout the duration of the project and completed during the Go-live Event plan if
required. It will be provided as a PDF in English and is to be approved or signed by the Customer within five (5) business
days of receipt, to verify the expected engagement.

Phase 2 – Installation and configuration


The FortiGate SD-WAN configuration will be prepared based on the requirements agreed during Phase 1 and integrated into
the As-Built Document. The objective is to describe the implementation elements of the deployed configuration and to
include a functional test plan with some essential test cases to be executed. A conference call will be scheduled during which
time Fortinet will review and mutually agree the prepared FortiGate SD-WAN configuration, including the test plan.

Based on the Service Option chosen, Fortinet will then work with the Customer to provision the FortiGate SD-WAN through
one of the following elements:

Elements specific to SD-WAN Service Options:

Option 1. Standalone Site Service Option


• Fortinet will assist the Customer with the completion of any provisioning of the FortiGate product as well as, if the case
applies, the onboarding into the existing FortiManager™ and FortiAnalyzer™.
• Preparation of FortiGate configuration based on the requirements gathered during Phase 1.
• Assist the Customer in loading the configuration into FortiGate.
• Perform the functional SD-WAN tests of the new FortiGate configuration prior to the production Go-Live. This
test measures the jitter, latency, and packet loss of the WAN/Internet underlay.

Option 2. Hub and Spoke Service Option


• Fortinet will assist the Customer with the completion of any provisioning of the FortiGate hub and branches as well
as, if the case applies, the onboarding into the FortiManager™ and FortiAnalyzer™.
• Preparation of FortiGate configuration or configuration templates in FortiManager, based on the requirements
gathered during Phase 1.
• Assist the Customer in the commissioning of the hub and branches configuration directly on the FortiGate or by
manual onboarding in FortiManager.
• Perform the functional SD-WAN tests of the new FortiGate configuration prior to the production Go-Live. Examples
of typical checks are IPsec, BGP, and High-Availability on branches.

Option 3. Hub and Spoke with ZTP Service Option


• The same steps as described in the Hub and Spoke service option will be delivered using the zero-touch rollout
methodology leveraging the configuration templates in FortiManager, with the addition of ZTP specific tests to be
performed on a target FortiGate from one of the Customer's branches (or in a Customer's similar lab environment)
prior to the production Go-Live Event.

Phase 3 – Go-Live Event plan


As the Customer creates the Go-Live Event plan, Fortinet will provide inputs in relation to the Fortinet SD-WAN environment
covered by the Service during one (1) Go/No-Go conference call of up to two (2) hours.
Following this session, Fortinet will provide the final version of the As-Built Document and ensure all the activities pertaining
to this engagement are documented.

Phase 4 – Knowledge transfer


Fortinet will conduct a knowledge transfer session via a conference call of up to two (2) hours with the Customer
in order to familiarize them with the Fortinet SD-WAN environment prior to the Go-Live Event.

Phase 5 – Go-Live Event assistance


Fortinet will assist the Customer during one or several Go-Live Event deployment sessions of up to four (4) hours per
session, which will be scheduled during business hours as follows:
• For the Standalone Service Option, one (1) Go-Live Event assistance.
• For the Hub and Spoke Service Options, up to three (3) Go-Live Event assistances, including one (1) Go-Live Event
assistance for the hub and up to two (2) Go-Live Event assistances for the branches.

Phase 6 – Configuration Adjustments


Fortinet will set up a conference call of up to two (2) hours with the Customer to analyze the behavior of the newly deployed
SD-WAN configuration and, if required, assist the Customer in tuning the SD-WAN settings for a better user experience. This
event will take place no more than one (1) week after the latest Go-Live Event assistance.

After the delivery of Phase 6, a Work Complete document will be sent and shall be signed by the Customer to confirm Service
completion in accordance with the QuickStart Suite Service Description.

4. Technical Definitions, Assumptions & Exclusions

Service Exclusions – Services not performed:


In addition to the General Exclusions included in the QuickStart Suite Service Description, the following exclusions apply:
• Provision of a turn-key or ready-made installation solution
• For VM based devices: design, configuration, testing, optimization, and benchmarking.
• Physical installation and environment (e.g., site surveys, racking, cabling, power, air conditioning).
• The zero-touch provisioning method of procedure does not cover third party devices/tools or external scripting.
• Advanced UTM features: SSL Deep Inspection, Video Filter, DNS Filter, DDoS protection, Web Application Firewall,
DLP, File Filter, Sandboxing, VoIP filter and SSH inspection.
• FortiGate/FortiManager/FortiAnalyzer hardening
• Other features such as FortiLink, Explicit Proxy, Authentication protocols or directory integration, PKI, SAML, LDAP,
QoS or Traffic Shaping.
• FortiAnalyzer report creation with customized dataset.
• VDOM on FortiGate
Any integration related to the following elements is also excluded:
• Any component of the Security Fabric to which the FortiGate interconnects will not be upgraded as part of this
engagement, for example: FortiNAC™, FortiSandbox™ or FortiClient EMS™, FortiAnalyzer.
• FortiGate firewalls that are integrated into an SDN, such as Cisco ACI or OpenStack, and which use connectors to
dynamically alter the configuration and security composition of the FortiGate.
• Any modification or deployment to user client-side applications, such as FortiClient, is not supported as part of this
engagement.
• Any FortiGate installations that have specific integrations with third party systems, such as providing transparent
proxy services via an external redirection technique like WCCP.
• Scripting, development, or any DevOps activity, including but not limited to orchestration, automation, ansible,
Terraform, or API.

Global Service Assumptions:


In addition to the General Assumptions included in the QuickStart Suite Service Description, the following assumptions
apply:
• QuickStart provides technical assistance but does not offer a turn-key or ready-made solution.
• Software release will be solely based upon recommended General Availability (‘GA’) release. The main OS stream
for FortiGate, FortiAnalyzer, and FortiManager will be 7.0.x for the Standalone Service Option and 7.2.x for the Hub
and Spoke Service Options.
• The hub or branch FortiGate can be either in standalone or HA clustering mode.
• For a new deployment which utilizes FortiManager or FortiAnalyzer, Fortinet will incorporate one (1) of each device
in standalone mode onto the Customer's chosen platform and configure them with a single ADOM into which the
configuration and policy of the deployed FortiGate will be imported.
• All tests must be carried out either in the Customer’s environment prior to the production, or in the Customer's lab
environment using the same hardware and firmware versions.

Service Assumptions for the Standalone Site Service Option


• This option covers both "Greenfield" and existing environments.
o For Greenfield environments, it means the new product deployed will not be taking over the role of a
similar pre-situated network security device, nor will any prior configuration be converted for use on the
new deployment.
o For existing environments, it implies that the Customer remains responsible for the routing and topology
changes other than those necessary to complete the implementation. Customer must have a FortiGate
with static routing/DHCP for DIA/WAN/ISP links, and up to 100 policies that will need to reference the new
SD-WAN zone.
• As part of this use case, edge locations may consist of many different WAN types. The FortiGate SD-WAN solution
is transport agnostic and can be mixed and matched with several different WAN types, including MPLS through
Ethernet handoff, internet, and LTE.
Service Assumptions for the Hub and Spoke Service Options
• This Service Option only covers "Greenfield" environments, meaning the new product deployed will not be taking
over the role of a similar pre-situated network security device, nor will any prior configuration be converted for use
on the new deployment.
• The FortiGate Hub includes VM devices or hardware appliances, excluding chassis-based FortiGate.
• For VM based FortiGate in the hub, the customer is responsible for deploying the products and all networking
infrastructure pertinent to requirements (WAN and LAN access, connectivity for HA).
• All branches must be the same FortiGate model.
• The SD-WAN topology is limited to two (2) underlays and overlays on hub and branches, and one (1) interface
(physical or VLAN) on the LAN side.
• It is considered that the configurations will be "underlay" agnostic. They can therefore cover combinations of MPLS
& Internet, or Internet & Internet, or MPLS & MPLS.
• Where dynamic routing configuration is required on the LAN side of the hub or the branches (OSPF or BGP), Fortinet
will make reasonable efforts to provide the initial baseline integration with the Customer's routing environment;
complex or specific bespoke configurations would be owned by the Customer (e.g., traffic engineering).
• For Zero Touch Provisioning:
o The branch FortiGates are appliances with DHCP enabled by default on the WAN interfaces. The branch
FortiGates must get option 240 from a DHCP server on their WAN interfaces, or the Customer must
have purchased and provisioned the FortiDeploy™ services.
o An initial Zero Touch Provisioning test must be performed on a pre-pilot Customer FortiGate
representative of a target branch device.

5. Customer Requirements & Responsibilities


In addition to the Customer requirements and responsibilities included in the QuickStart Suite Service Description, the
Customer agrees for the duration of the Service to:
• For the initial provisioning:
o Manage the racking, cabling and power of the Fortinet products in scope
o Upgrade all Fortinet products in scope to a recommended General Availability (‘GA’) firmware release
supporting the SD-WAN functionality.
o Provide an IP or console access to Fortinet.

6. Scope & Conditions


In addition to the scope and conditions included in the QuickStart Suite Service Description, the following terms apply:
• The duration of the Service delivery shall be in accordance with the QuickStart Suite Service Description.
• This Service is governed by the then-current Fortinet Service Terms and Conditions located at
https://www.fortinet.com/content/dam/fortinet/assets/legal/Fortinet-Service-Offering-Terms.pdf.

7. Eligibility & Purchasing


The QuickStart Service is available for purchase by an end-customer (the “Customer”) from authorized Fortinet resellers and
distributors (“Channel Partners”). Channel Partners are independent third parties that conduct business in their own name
and account and, consequently, cannot bind Fortinet in any way. The QuickStart Service is delivered to the Customer on
behalf of the Channel Partner, as referenced in the purchase order placed with Fortinet by the Channel Partner.

If the Service Registration or the QuickStart Service delivery commencement does not occur within the allowable time period
in accordance with the Fortinet Service Terms and Conditions, the Service will be forfeited without any right to obtain
refund. In no circumstances will the duration of the QuickStart Service availability be extended. All sales are final.

| SKU | Description |
|---|---|
| FP-10-QSSDWAN-DP1-00-00 | SD-WAN QuickStart Deployment – Standalone Site |
| FP-10-QSSDWAN-DP2-00-00 | SD-WAN QuickStart Deployment – Hub and Spoke |
| FP-10-QSSDWAN-DP3-00-00 | SD-WAN QuickStart Deployment – Hub and Spoke with ZTP |
