Fortigate Infrastructure: Software-Defined Wan

FortiGate Infrastructure

Software-Defined WAN

FortiOS 6.0.0

© Copyright Fortinet Inc. All rights reserved. Last Modified: Sunday, October 04, 2020
Lesson Overview

Introduction to Software-Defined WAN

SD-WAN Performance SLA

SD-WAN Rules

SD-WAN Diagnostics

Introduction to Software-Defined WAN (SD-WAN)

Objectives
• Identify use cases for SD-WAN
• Identify the implementation requirements for SD-WAN
• Configure SD-WAN virtual link and load balancing
• Configure static routes and firewall policies for SD-WAN
What is SD-WAN?
• Virtual interface consisting of a group of member interfaces that can be connected
to different link types
• Allows effective WAN usage with various load balancing algorithms
• Supports link quality measurement
o Dynamic link selection based on link quality
o Ensures high availability of business critical applications

[Diagram: HQ/Datacenter and Branch Office connected over MPLS, Public Cloud, SaaS, and 3G/4G links]
Enterprise SD-WAN Use Cases
MPLS Migration
• MPLS dependency: inflexible, expensive, good QoS
• Traffic secured in the MPLS
• All traffic routed through MPLS circuits
• QoS applied for business apps
• Breakout in the provider cloud for all traffic

[Diagram: Branch connected over MPLS to the Private Cloud and Business Apps; Provider Cloud breakout to the Public Cloud and Internet]
Enterprise SD-WAN Use Cases
MPLS backup with local breakout
• Critical Apps (Voice & Video): best path is chosen depending on latency, jitter, and packet loss
• Critical Apps (Voice & Video): redirected to a new tunnel in case the WAN conditions are worse than the threshold
• Business Apps: load balanced across different lines so bandwidth is optimized
• Direct secure access to Internet, SaaS and IaaS content; load balanced if needed

[Diagram: Branch with an MPLS link to the Private Cloud, an IPSec VPN over the Internet as backup, and direct breakout to the Public Cloud and Internet]
Enterprise SD-WAN Use Cases
MPLS Replacement
• Critical Apps (Voice & Video): best path is chosen depending on latency, jitter, and packet loss
• Critical Apps (Voice & Video): redirected to a new tunnel in case the WAN conditions are worse than the threshold
• Business Apps: load balanced across different lines so bandwidth is optimized
• Direct secure access to Internet, SaaS, and IaaS content; load balanced if needed

[Diagram: Branch with two IPSec VPN tunnels over the Internet to the Private Cloud (MPLS replaced), and direct breakout to the Public Cloud and Internet]
SD-WAN Configuration
• Specify at least two member interfaces and their associated gateways
o Interfaces should not be referenced by any other configuration element (for example, routes or
policies)
o Supports aggregate, VLAN, and IPsec interfaces
• An implicit rule is automatically generated for balancing the traffic
Network > SD-WAN

[Screenshot callout: Member interfaces]

Network > SD-WAN Rules
SD-WAN Load Balancing Methods
• Source IP (default)
o Sessions from the same source IP address use the same interface.
• Source-destination IP
o Sessions with the same source and destination IP pair use the same interface.
• Spillover
o Use one interface until threshold is reached; then, use the next interface.
• Sessions
o The number of sessions distributed is determined by the interface weights.
• Volume
o Sessions are distributed so that traffic volume is distributed by the interface weights.

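An added Python model (not FortiOS code, and not from this deck) of the five load balancing methods listed above, so their selection logic can be exercised on constructed input; the member names, the spillover threshold and the weights are assumptions.

```python
import hashlib

# Added example (not FortiOS code): models of the SD-WAN implicit-rule load
# balancing methods. Member names, thresholds and weights are assumed.
MEMBERS = ["port1", "port2"]

def _hash_pick(key: str, members) -> str:
    """Stable hash so the same key always lands on the same member."""
    digest = hashlib.sha256(key.encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]

def source_ip(src: str, members=MEMBERS) -> str:
    """Source IP (default): sessions from one source IP use one interface."""
    return _hash_pick(src, members)

def source_dest_ip(src: str, dst: str, members=MEMBERS) -> str:
    """Source-destination IP: the (src, dst) pair decides the interface."""
    return _hash_pick(f"{src}->{dst}", members)

def spillover(bw_used: dict, threshold: int, members=MEMBERS) -> str:
    """Spillover: use a member until it reaches the threshold, then the next."""
    for m in members:
        if bw_used.get(m, 0) < threshold:
            return m
    return members[-1]          # every member is saturated: stay on the last one

def weighted_pick(share_so_far: dict, weights: dict, members=MEMBERS) -> str:
    """Sessions/Volume: pick the member furthest below its weighted share.
    For Sessions, share_so_far counts sessions; for Volume it counts bytes."""
    total = sum(share_so_far.get(m, 0) for m in members) or 1
    wsum = sum(weights[m] for m in members)
    return max(members, key=lambda m: weights[m] / wsum - share_so_far.get(m, 0) / total)

def simulate_sessions(n: int, weights: dict, members=MEMBERS) -> dict:
    """Distribute n new sessions with the Sessions method; return per-member counts."""
    counts = {m: 0 for m in members}
    for _ in range(n):
        counts[weighted_pick(counts, weights, members)] += 1
    return counts
```

With weights 3:1, `simulate_sessions(100, ...)` lands 75 sessions on port1 and 25 on port2, which is the distribution the Sessions method is meant to produce.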
SD-WAN Virtual Interface
• The sd-wan virtual interface is automatically created
o All static routes and firewall policies must be configured using this virtual interface

Network > Interfaces

Policy & Objects > IPv4 Policy

Network > Static Routes

SD-WAN Routes in the Routing Table
Network > Static Routes

Even though you must configure routes using the sd-wan virtual interface, FortiGate installs individual routes for the member interfaces in the routing table.

# get router info routing-table all
...omitted output...
S* 0.0.0.0/0 [1/0] via 10.200.2.254, port2
             [1/0] via 10.200.1.254, port1
C 10.200.2.0/24 is directly connected, port2
C 10.200.1.0/24 is directly connected, port1
Knowledge Check
1. Which method of load balancing is supported by SD-WAN but not supported by
ECMP routing?
A. Sessions
B. Volume

2. Which of the following configuration tasks is correct when implementing SD-WAN?
A. Configure a default route using the sd-wan virtual interface.
B. Configure firewall policies for each individual member interface.
SD-WAN Performance SLA
Objectives
• Configure SD-WAN performance SLA
• Identify how FortiGate measures link quality
Performance SLA
Network > Performance SLA

Link Health Monitor

SLA Targets

Performance SLA-Link Health Monitor
• Status Check is renamed Performance SLA
• You can use two servers to test the quality of a link
• You can specify which SD-WAN members this SLA applies to

Network > Performance SLA

Available protocols through CLI:
o ping: PING link monitor
o http: HTTP-GET link monitor
o tcp-echo: TCP echo link monitor
o udp-echo: UDP echo link monitor
o TWAMP: Two-Way Active Measurement Protocol

Use an IP address or FQDN of a server located beyond the ISP gateway.
Link Quality Measurements
• Status check also measures the link quality of each member interface based on
latency, jitter, and packet loss percentage

Network > Performance SLA

Performance SLA-SLA Targets
Network > Performance SLA
• You can specify multiple SLA targets in one performance SLA
• Only used when referenced by a rule
• Check interval, failure and restore limits are used to prevent flapping

FortiGate automatically disables static routes for inactive interfaces, and restores the routes on interface recovery.
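The failure and restore limits above, as an added Python model (not FortiOS code, and not from this deck): a member is declared dead only after a run of consecutive failed probes and restored only after a run of good ones, which is what stops a single dropped probe from flapping its static routes. The limit values, the member name port1 and the probe results are assumptions.

```python
# Added example (not FortiOS code): a link health monitor that applies the
# failure and restore limits, so one lost probe does not flap the member's
# static routes. Probe results fed to it are constructed booleans.
class LinkHealth:
    def __init__(self, member: str, failure_limit: int = 5, restore_limit: int = 5):
        self.member = member
        self.failure_limit = failure_limit   # consecutive failed probes before "dead"
        self.restore_limit = restore_limit   # consecutive good probes before "alive"
        self.alive = True                    # static routes via this member are active
        self._fails = 0
        self._oks = 0
        self.events = []                     # what the System Events log would record

    def probe(self, ok: bool) -> bool:
        """Feed one probe result; return True only when the link state changes."""
        if ok:
            self._fails = 0
            self._oks += 1
            if not self.alive and self._oks >= self.restore_limit:
                self.alive = True
                self.events.append(f"{self.member}: link restored, static routes re-enabled")
                return True
        else:
            self._oks = 0
            self._fails += 1
            if self.alive and self._fails >= self.failure_limit:
                self.alive = False
                self.events.append(f"{self.member}: link dead, static routes disabled")
                return True
        return False

def run_probes(results, failure_limit=3, restore_limit=2, member="port1"):
    """Apply a probe sequence; return (final alive state, state changes, events)."""
    mon = LinkHealth(member, failure_limit, restore_limit)
    changes = sum(mon.probe(r) for r in results)
    return mon.alive, changes, mon.events
```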
SD-WAN Performance SLA CLI Configuration
# config system virtual-wan-link
#     set status enable
#     config health-check
#         edit <name>
#             set protocol [ ping | tcp-echo | udp-echo | http | twamp ]
#             set threshold-warning-packetloss <percentage>
#             set threshold-alert-packetloss <percentage>
#             set threshold-warning-latency <ms>
#             set threshold-alert-latency <ms>
#             set threshold-warning-jitter <ms>
#             set threshold-alert-jitter <ms>
#             config sla
#                 edit <id>
#                     set link-cost-factor [latency | jitter | packet-loss]
#                     set latency-threshold <integer> (0 - 10000000, default = 5)
#                     set jitter-threshold <integer> (0 - 10000000, default = 5)
#                     set packetloss-threshold <integer> (0 - 100, default = 0)
#                 next
#             end
#         next
#     end
# end

Alternate status check protocols that are not available on the GUI can be selected with set protocol.
Warning and alert thresholds for the different link quality measurement metrics can be configured on the CLI.
Multiple SLA targets with different values can be configured on the GUI and the CLI.
Knowledge Check
1. Which one of the following link attributes is used in SD-WAN link quality
measurements?
A. Cost
B. Latency

2. Which of the following status check protocols is only available from the CLI?
A. TCP-Echo
B. HTTP

SD-WAN Rules
Objectives
• Identify SD-WAN rule matching criteria.
• Configure dynamic link selection based on link quality.
SD-WAN Rules
Network > SD-WAN Rules
• Route traffic through the member interfaces with the best link quality
o Link quality measured based on latency, jitter, or packet loss percentage
• Rules can match traffic based on:
o Source IP address, destination IP address, or port number
o Internet services database (ISDB) address object
o Users or user groups
o Type of service (ToS)

Network > SD-WAN Rules

Skype traffic will be dynamically routed to the member interface with the least amount of latency.
SD-WAN Rules–Internet Services
Internet Service Application Control
Destination Type > Internet Services

• The use of Internet Service makes Application Control easy
SD-WAN Rules-Best Quality
Network > SD-WAN Rules

Network > SD-WAN Rules

Link Quality = (a*latency)+(b*jitter)+(c*packet loss)+(d/bandwidth)


SD-WAN Rules-Minimum Quality (SLA)
Network > Performance SLA Network > SD-WAN Rules

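An added Python example (not FortiOS code, and not from this deck) of the two rule modes above: Best Quality ranks members with the slide's Link Quality formula, and Minimum Quality (SLA) takes the first member in priority order that meets every SLA threshold. The measurements, the coefficients, and the fallback to the first preferred member when no member meets the SLA are assumptions of this example.

```python
from dataclasses import dataclass

# Added example (not FortiOS code): egress member selection for an SD-WAN
# rule in Best Quality and Minimum Quality (SLA) mode. Values are constructed.
@dataclass
class Measurement:
    member: str
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float
    bandwidth_mbps: float

# Constructed probe results for two members (port1: stable but slower link,
# port2: low latency but jittery)
SAMPLES = [
    Measurement("port1", latency_ms=40, jitter_ms=8, packet_loss_pct=1.0, bandwidth_mbps=100),
    Measurement("port2", latency_ms=25, jitter_ms=15, packet_loss_pct=0.0, bandwidth_mbps=20),
]

def link_quality(m: Measurement, a=1.0, b=1.0, c=1.0, d=0.0) -> float:
    """Slide formula: a*latency + b*jitter + c*packet loss + d/bandwidth (lower is better)."""
    return a * m.latency_ms + b * m.jitter_ms + c * m.packet_loss_pct + d / m.bandwidth_mbps

def best_quality(samples, **coeffs) -> str:
    """Best Quality rule: the member with the lowest weighted link quality cost."""
    return min(samples, key=lambda m: link_quality(m, **coeffs)).member

def meets_sla(m: Measurement, latency_thr, jitter_thr, loss_thr) -> bool:
    """SLA target: every measured metric must be within its threshold."""
    return (m.latency_ms <= latency_thr and m.jitter_ms <= jitter_thr
            and m.packet_loss_pct <= loss_thr)

def minimum_quality(samples, preferred, latency_thr=50, jitter_thr=10, loss_thr=2) -> str:
    """Minimum Quality (SLA) rule: first member in priority order that meets the SLA.
    Fallback to the first preferred member when none does is this example's assumption."""
    by_name = {s.member: s for s in samples}
    for name in preferred:
        if meets_sla(by_name[name], latency_thr, jitter_thr, loss_thr):
            return name
    return preferred[0]
```

With the constructed values, Best Quality on latency alone picks port2, while weighting jitter or bandwidth picks port1, and an SLA with a 10 ms jitter target rejects port2 even though it is preferred.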
SD-WAN Rules
• SD-WAN rules are evaluated in the same way as the firewall policies: from top to
bottom, using the first match
Application-specific rules

Implicit rule

• Double-click the implicit rule to display the load balancing options


SD-WAN Rules
• SD-WAN rules are treated as policy-based routes
Network > SD-WAN Rules

Monitor > Routing Monitor

Knowledge Check
1. Which of the following is an SD-WAN rule matching parameter for traffic sources?
A. User groups
B. IPS signatures

2. You can configure SD-WAN rules to choose the egress interface based on which
one of the following parameters?
A. Cost
B. Latency

SD-WAN Diagnostics
Objectives
• Monitor SD-WAN link usage
• Monitor SD-WAN link quality status
• Verify SD-WAN traffic routing
SD-WAN Usage Monitor
• Real time SD-WAN usage monitor
o View SD-WAN traffic distribution by bandwidth or volume
Network > SD-WAN

Screenshot callouts:
o Bandwidth utilization by member interface
o Volume of traffic sent and received per member interface
o Number of sessions passing through each member interface
SD-WAN Link Status Monitoring
Network > Performance SLA

Log & Report > System Events

Verify SD-WAN Traffic Routing
• Use the Forward Traffic logs or the packet capture tool to verify traffic routing
Log & Report > Forward Traffic

The filter will match any packets with the SYN flag on, so the sniffer output will show all SYN packets to port 443 (HTTPS).

# diagnose sniffer packet any 'tcp[13]&2==2 and port 443' 4
5.455914 port1 out 192.168.1.254.59785 -> 192.168.1.11.443: syn 457459
5.455930 port2 out 192.168.1.11.443 -> 192.168.1.254.59785: syn 163440 ack 457460
5.455979 port2 out 192.168.1.32.49573 -> 192.168.1.25.443 : syn 927943
5.456043 port1 out 192.168.1.21.54711 -> 192.168.1.114.443: syn 930863
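An added Python helper (not FortiOS code, and not from this deck) that parses the sniffer output above and counts new outbound sessions per egress member, which is the quickest way to confirm that a rule or the implicit load balancing sent sessions where you expected; it also shows why the filter tcp[13]&2==2 selects SYN packets. The sample lines are the slide's own output.

```python
import re
from collections import Counter

# Added example (not FortiOS code): summarise "diagnose sniffer packet" output
# per egress member. The sample lines are the slide's own sniffer output.
SNIFFER_OUTPUT = """\
5.455914 port1 out 192.168.1.254.59785 -> 192.168.1.11.443: syn 457459
5.455930 port2 out 192.168.1.11.443 -> 192.168.1.254.59785: syn 163440 ack 457460
5.455979 port2 out 192.168.1.32.49573 -> 192.168.1.25.443 : syn 927943
5.456043 port1 out 192.168.1.21.54711 -> 192.168.1.114.443: syn 930863
"""

# timestamp, interface, direction, src.port -> dst.port, then TCP flags/seq fields
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+)\.(?P<dport>\d+)\s*:\s+(?P<flags>.*)$")

def parse_sniffer(text):
    """Yield one dict per parsed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def syn_only(pkt) -> bool:
    """True for a pure SYN (new session); False for a SYN-ACK reply."""
    flags = pkt["flags"].split()
    return "syn" in flags and "ack" not in flags

def sessions_per_member(text, dport="443") -> dict:
    """Count new outbound sessions to dport per egress interface."""
    c = Counter()
    for pkt in parse_sniffer(text):
        if pkt["dir"] == "out" and pkt["dport"] == dport and syn_only(pkt):
            c[pkt["intf"]] += 1
    return dict(c)

def tcp_syn_set(tcp_header: bytes) -> bool:
    """The filter tcp[13]&2==2: byte 13 of the TCP header holds the flags and
    bit value 2 is SYN, so both pure SYN and SYN-ACK match it."""
    return (tcp_header[13] & 2) == 2
```

For the slide's capture the count is {"port1": 2, "port2": 1}: the SYN-ACK on port2 is a reply to the first session, not a new one.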
Knowledge Check
1. Which of the following should be used to monitor the session distribution across
the SD-WAN member interfaces?
A. SD-WAN Link Status monitor
B. SD-WAN Usage monitor

2. When verifying SD-WAN traffic routing with the CLI packet capture tool,
which verbosity level should you use?
A. 1
B. 4

Review

• Identify use cases for SD-WAN
• Identify the implementation requirements for SD-WAN
• Configure SD-WAN virtual link and load balancing
• Configure static routes and firewall policies for SD-WAN
• Configure SD-WAN status check
• Identify how FortiGate measures link quality
• Identify SD-WAN rule matching criteria
• Configure dynamic link selection based on link quality
• Monitor SD-WAN link usage
• Monitor SD-WAN link quality status
• Verify SD-WAN traffic routing