
In an era where cloud-first architectures and SaaS-heavy workflows dominate the corporate landscape, traditional MPLS-only architectures are no longer sufficient to handle the unpredictable nature of internet-based traffic. Imagine a critical VoIP call dropping or a vital ERP synchronization failing simply because a primary link experienced a micro-outage that a traditional routing protocol failed to detect. This is where Fortinet SD-WAN transforms your network from a static pipe into an intelligent, application-aware fabric. In this technical deep dive, we will guide you through the end-to-end deployment of a secure SD-WAN solution using FortiGate appliances, covering everything from interface configuration to advanced security integration. By the end of this tutorial, you will have a robust blueprint for deploying high-availability, application-optimized connectivity.
Baseline requirements for Fortinet SD-WAN deployment
Before you begin typing commands into the FortiOS CLI or navigating the GUI, it is imperative to establish a solid architectural foundation. Deploying SD-WAN is not merely about grouping interfaces; it is about creating a logical overlay that can intelligently manage the underlying transport diversity. For a successful deployment, you must ensure your hardware and network topology are prepared for the computational overhead that deep packet inspection and continuous SLA probing will introduce.
Hardware and software considerations
The most critical baseline requirement is selecting a FortiGate appliance with sufficient NP6 or NP7 network processors. SD-WAN offloading is significantly more efficient when the hardware can handle session management and encryption in the silicon rather than the general CPU. Additionally, ensure your firmware is running a modern version of FortiOS (ideally 7.0 or higher), as the SD-WAN orchestration engine has seen massive improvements in the most recent releases.
Your physical topology must support multiple transport types. A robust SD-WAN deployment typically utilizes a combination of the following:
- Broadband/Fiber: High bandwidth, variable latency.
- LTE/5G: Excellent for redundancy, though subject to jitter.
- MPLS: High reliability, predictable latency, but higher cost per Mbps.
Logical network prerequisites
You cannot deploy SD-WAN if your routing table is in chaos. Before configuring the SD-WAN zone, ensure that your static routes or dynamic routing protocols (like BGP or OSPF) are prepared to hand off traffic to the SD-WAN virtual interface. You must also have a clear understanding of your IP addressing scheme to avoid overlapping subnets, especially if you plan to implement SD-WAN-based VPN tunnels to branch offices. For those looking to optimize their procurement for these deployments, checking reliable network hardware suppliers can help ensure you have the right headroom for future scaling.
Configuring SD-WAN member interfaces
The first technical step in the deployment process is moving away from individual interface-based routing and transitioning to the SD-WAN zone concept. In FortiOS, SD-WAN is treated as a logical interface that aggregates multiple physical or virtual interfaces. This abstraction allows you to apply policies to the “zone” rather than individual links, drastically simplifying your security policy management.
Step-by-step interface integration
To begin, you must first ensure that the interfaces you wish to use are not currently referenced by any existing firewall policies, static routes, or DHCP servers. If they are, you will need to remove these references before the FortiGate will allow you to add them to the SD-WAN bundle. Once the interfaces are “free,” follow these steps:
- Navigate to Network > SD-WAN.
- Select the SD-WAN Zones tab. It is best practice to create a dedicated zone (e.g., “Internet_SDWAN”) rather than using the default.
- Click Create New > SD-WAN Member.
- Select your physical interface (e.g., WAN1).
- Specify the Gateway IP for that specific link. This is crucial, as the FortiGate needs this to know how to reach the next hop for each member.
- Repeat this process for WAN2, LTE, or any other transport medium.
“A common mistake made by junior engineers is failing to define the gateway IP correctly for each member. Without a valid gateway for each link, the SD-WAN-enabled routing table cannot correctly calculate the cost of the path, leading to black-holed traffic.”
Once your members are added, your next task is to update your static routes. Instead of pointing a route to a specific interface like WAN1, you will now create a single default route (0.0.0.0/0) pointing toward the SD-WAN virtual interface. This tells the FortiGate that all outbound traffic should first pass through the SD-WAN decision engine.
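The GUI steps above expressed in the FortiOS CLI, as an added example that is not configuration from the original article; the zone name, interface names, gateway addresses (RFC 5737 documentation ranges), member IDs and route sequence number are placeholders chosen for illustration.

```fortios
# Added example, not from the article. Names, IDs and gateway IPs are placeholders.
config system sdwan
    set status enable
    config zone
        edit "Internet_SDWAN"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "Internet_SDWAN"
            # The gateway is mandatory: without it the member cannot be
            # costed or used for path selection (the black-hole case above).
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "Internet_SDWAN"
            set gateway 198.51.100.1
        next
        edit 3
            # Assumed name of the LTE/5G interface on this unit.
            set interface "lte"
            set zone "Internet_SDWAN"
            set gateway 192.0.2.1
            # Higher cost: wired members are preferred when SLA results tie.
            set cost 20
        next
    end
end

# A single default route to the zone replaces per-interface default routes.
config router static
    edit 1
        set sdwan-zone "Internet_SDWAN"
    next
end
```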
Setting up performance SLAs for health monitoring
An SD-WAN is only as “intelligent” as its ability to sense network degradation. Without Performance SLAs (Service Level Agreements), your device is simply performing load balancing based on link availability, not link quality. A link might be “up” from a physical layer perspective, but if it is experiencing 20% packet loss or 500ms of jitter, it is functionally “down” for real-time applications like Zoom or VoIP.
Defining SLA targets
To implement this, you must configure Performance SLA probes. These are lightweight packets sent across each SD-WAN member to measure real-time telemetry. You can use ICMP, HTTP, or even DNS probes. For most enterprise environments, an HTTP probe to a reliable target (such as Google, which in practice serves as a proxy for general internet health) is recommended because it exercises the full application stack.
When configuring your SLA, you must define the thresholds for:
- Latency: The time taken for a round trip. Crucial for voice.
- Jitter: The variation in latency. Crucial for video conferencing.
- Packet Loss: The percentage of lost probes. High loss triggers immediate path switching.
| Application Type | Max Latency (ms) | Max Jitter (ms) | Max Packet Loss |
|---|---|---|---|
| VoIP / SIP | < 150 | < 30 | < 1% |
| Video Conferencing (Zoom/Teams) | < 250 | < 50 | < 2% |
| Cloud ERP / SaaS | < 500 | N/A | < 5% |
| General Web Browsing | < 1000 | N/A | < 10% |
By setting these thresholds, the FortiGate can detect when a link no longer meets the requirements for a specific service and seamlessly move that traffic to a healthier member of the SD-WAN bundle, often without the end user noticing even a momentary hiccup.
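A Performance SLA in CLI form that encodes two rows of the table above (VoIP and Cloud ERP/SaaS), added here as an example rather than taken from the article; the health-check name, the probe target hostname and the member IDs 1 and 2 are assumptions.

```fortios
# Added example, not from the article. Probe target and names are placeholders.
config system sdwan
    config health-check
        edit "VoIP_SLA"
            set server "sla-probe-target.example.com"
            set protocol http
            set http-get "/"
            # Probe every 500 ms with a 500 ms timeout. A member is declared
            # dead after 5 consecutive failures and alive again only after
            # 10 consecutive successes, which damps flapping on a shaky link.
            set interval 500
            set probe-timeout 500
            set failtime 5
            set recoverytime 10
            # Member IDs from the SD-WAN member configuration (assumed 1 and 2).
            set members 1 2
            config sla
                edit 1
                    # VoIP / SIP row: all three metrics count.
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 1
                next
                edit 2
                    # Cloud ERP / SaaS row: jitter is N/A, so only latency and loss.
                    set link-cost-factor latency packet-loss
                    set latency-threshold 500
                    set packetloss-threshold 5
                next
            end
        next
    end
end
```

Check the live result with `diagnose sys sdwan health-check`, which lists per-member latency, jitter and loss against each SLA target.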
Defining SD-WAN rules for intelligent traffic steering
Once your members are configured and your SLAs are monitoring the health of your links, you must tell the FortiGate how to actually use this data. This is done through SD-WAN Rules. These rules act as the brain of your network, making real-time decisions on which packet goes out which interface based on the application-layer visibility provided by the FortiGate’s deep packet inspection engine.
Types of SD-WAN rules
There are several ways to steer traffic, but three primary methods dominate enterprise environments:
Implementing Application-Aware steering
The true power of Fortinet’s implementation lies in its ability to identify thousands of applications. Instead of writing a rule for a destination IP address (which is increasingly useless due to CDN usage), you write a rule for the application itself. For example, you can create a rule specifically for “Office 365” that instructs the FortiGate: “Use WAN1 as primary, but if WAN1 latency exceeds 100ms, immediately shift Office 365 traffic to WAN2.”
To do this, navigate to Network > SD-WAN > SD-WAN Rules. Create a new rule, select your source/destination, and under Strategy, select Lowest Cost (SLA). You will then select the SLA profile you created earlier. This creates a dynamic, self-healing path that adapts to real-time internet conditions.
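The Office 365 rule described above as a CLI SD-WAN rule, added as an example and not taken from the article. It assumes SD-WAN members 1 (WAN1) and 2 (WAN2), a health check named "VoIP_SLA" whose SLA target 1 defines the thresholds, a firewall address object "LAN_net" for the internal network, and that the "Microsoft-Office365" Internet Service Database entry is present on the unit (verify the exact name against your ISDB list).

```fortios
# Added example, not from the article. Member IDs, address object and
# health-check name are assumptions; confirm the ISDB entry name locally.
config system sdwan
    config service
        edit 1
            set name "O365_Lowest_Cost"
            # mode sla corresponds to "Lowest Cost (SLA)" in the GUI.
            set mode sla
            set src "LAN_net"
            # Match on the application (ISDB entry), not on destination IPs
            # that change behind CDNs.
            set internet-service enable
            set internet-service-name "Microsoft-Office365"
            # After the preferred member returns to SLA, keep sessions on the
            # current member for 30 s so a flapping link does not bounce them.
            set hold-down-time 30
            config sla
                edit "VoIP_SLA"
                    set id 1
                next
            end
            # Order is the preference among members that currently meet the SLA.
            set priority-members 1 2
        next
    end
end
```

`diagnose sys sdwan service` shows which member each rule is currently steering to and why.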
Integrating security profiles into SD-WAN workflows
A common mistake in SD-WAN deployments is treating the “Routing” layer and the “Security” layer as separate silos. In a true Secure SD-WAN architecture, every path chosen by the SD-WAN engine must be subject to the same rigorous security inspection. Because SD-WAN involves multiple egress points (different ISPs), your security posture must be consistent regardless of which interface a packet exits through.
Unified Policy Management
In the FortiGate-centric world, the SD-WAN zone acts as a single logical interface. This is a massive advantage for security administrators. Instead of writing fifty different firewall policies for WAN1, WAN2, and LTE, you simply write one policy where the Incoming Interface is your internal LAN and the Outgoing Interface is your SD-WAN Zone.
This allows you to apply a centralized stack of security profiles to all SD-WAN traffic, including:
- IPS (Intrusion Prevention System): To block exploits targeting your cloud services.
- Web Filtering: To ensure that even when traffic shifts to a secondary link, users cannot access malicious domains.
- Application Control: To prevent users from using high-bandwidth applications (like BitTorrent) that could degrade the quality of your prioritized SD-WAN-steered traffic.
- SSL Inspection: Essential for modern security, as over 90% of web traffic is encrypted. Without inspecting this traffic, your SD-WAN is essentially blind to threats hidden within HTTPS streams.
By integrating security at the zone level, you ensure that a “failover” event does not become a “security bypass” event. As traffic moves from a high-speed fiber link to a lower-speed LTE backup, the FortiGate continues to apply the same deep packet inspection, ensuring that security is never sacrificed for connectivity.
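The single zone-level policy described in this section, written out as an added CLI example (not the article's own configuration). It assumes the SD-WAN zone is named "Internet_SDWAN", the LAN interface is "internal", and policy ID 10 is free; the profile names are the FortiOS built-in defaults.

```fortios
# Added example, not from the article. Interface, zone and policy ID are
# assumptions. Full SSL inspection ("deep-inspection") only works once the
# FortiGate's CA certificate is trusted by the clients behind it.
config firewall policy
    edit 10
        set name "LAN_to_SDWAN"
        set srcintf "internal"
        # One outgoing interface covers every member: WAN1, WAN2 and LTE.
        # A failover therefore never leaves the inspection stack behind.
        set dstintf "Internet_SDWAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "default"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
```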
Best practices for enterprise SD-WAN management
As you move from a lab environment to a production deployment, keep these professional recommendations in mind to ensure long-term stability and visibility.
1. Implement “Failback” carefully
When a link recovers from a failure, the default behavior might be to move all traffic back to that link immediately. This can cause “flapping” if the link is unstable. Always configure a hold-down timer or a “recovery threshold” to ensure the link is truly stable before shifting mission-critical traffic back to it.
2. Use granular SLA probes
Don’t just ping 8.8.8.8. If your primary application is Microsoft Teams, your SLA probes should mimic the behavior of that application. This means testing for jitter and latency in a way that reflects the actual user experience. Consider using Quality of Service (QoS) principles to prioritize these probes so they aren’t dropped during periods of congestion.
3. Monitor via SD-WAN Orchestration
For large-scale deployments with multiple branches, managing individual FortiGate units via CLI or local GUI is unmanageable. Utilize FortiManager to push SD-WAN templates across your entire fabric. This ensures consistency in your SLA settings and, more importantly, your security policies.
Frequently asked questions
What is the difference between SD-WAN and traditional WAN?
Traditional WAN relies on static routing or protocols like BGP that primarily care about “is the link up or down.” SD-WAN is application-aware; it cares about “how good is the link for this specific application.” It can differentiate between a YouTube video (low priority) and a VoIP call (high priority) and route them accordingly.
Can I use SD-WAN over an IPsec VPN?
Yes, absolutely. In fact, this is a common use case. You can create SD-WAN members that are actually IPsec tunnels between sites, allowing you to load-balance traffic across multiple VPN connections for improved branch connectivity.
Will adding SD-WAN increase my latency?
Theoretically, the processing of packets through the SD-WAN engine adds a negligible amount of latency (microseconds). However, in practice, because SD-WAN selects the most efficient path based on real-time metrics, the end-to-end latency perceived by the user is almost always significantly lower than with traditional routing.
Do I need special hardware for SD-WAN?
While most FortiGate models support SD-WAN features, high-performance environments benefit from hardware with dedicated NP (Network Processor)-based offloading. This ensures that the heavy lifting of packet steering and encryption never impacts the main CPU.
Conclusion
Deploying SD-WAN is a transformative step for any network engineering team. By moving away from static, interface-based routing and adopting an application-aware, SLA-driven approach, you create a network that is not only more resilient but also significantly more efficient. We have covered the critical lifecycle of deployment: from setting up member interfaces and defining the logical zones, to configuring the performance probes that provide the “intelligence,” and finally, integrating the security protocols that keep your edge safe.
Remember, a successful SD-WAN deployment is not a “set and forget” project. It requires constant monitoring of SLA thresholds and periodic tuning of steering rules as your application landscape evolves. If you are ready to take your network to the next level, start by auditing your existing transport links and preparing your device capacity for the intelligence that SD-WAN brings. For more detailed hardware evaluations, visit our product guide today.
