
In an era where cloud-first applications like Microsoft 365, Zoom, and Salesforce dictate business productivity, traditional WAN architectures are no longer sufficient. A single millisecond of jitter can derail a high-stakes executive video conference, and a momentary brownout on a primary MPLS circuit can cripple an entire branch office. For network engineers, the challenge is no longer just connectivity, but secure SD-WAN deployment that ensures application availability. This technical tutorial provides a deep dive into deploying a robust SD-WAN solution using Fortinet FortiGate appliances. We will guide you through the entire lifecycle: from baseline requirements and interface configuration to advanced SLA monitoring and the seamless integration of security profiles to protect your distributed enterprise.
Understanding the architecture of Fortinet SD-WAN
Before touching the CLI or the GUI, it is vital to understand that Fortinet integrates SD-WAN capabilities directly into the FortiOS operating system. Unlike legacy vendors who may require a separate overlay controller, Fortinet provides a unified approach where the security appliance acts as both the edge router and the security gateway. This convergence is what industry experts refer to as the Secure SD-WAN paradigm.
The architecture relies on a combination of transport-agnostic routing and intelligent path selection. Whether you are utilizing expensive MPLS circuits, commodity broadband, or 5G LTE, the FortiGate treats these as logical members of an SD-WAN zone. This abstraction allows the engineer to move away from static routing toward policy-based path selection. By using the Software-Defined Wide Area Network (SD-WAN) concept, you can decouple the control plane from the physical hardware, allowing for much more granular control over how traffic traverses your network.
Key architectural components include:
- SD-WAN Zones: Logical groupings of interfaces that simplify policy application.
- Performance SLA: The “brain” that monitors link health via probes.
- SD-WAN Rules: The logic engine that decides which interface a specific packet should take based on real-time metrics.
When planning your deployment, consider the scale of your environment. For small branch offices, a FortiGate 40F or 60F might suffice, whereas a regional hub may require a high-throughput appliance. Proper capacity planning ensures that the overhead of SD-WAN probes and encryption (if using IPsec) does not degrade the very performance you are trying to optimize.
Baseline requirements and pre-configuration checklist
A successful secure SD-WAN deployment does not begin with the configuration wizard; it begins with a rigorous audit of your existing infrastructure. Skipping this phase is the most common reason for deployment failures and unexpected downtime. You must ensure that your physical layer is stable before attempting to build logical overlays.
Hardware and software prerequisites
First, ensure your FortiOS version is up to date. While SD-WAN features have matured significantly, the latest versions (7.x and above) offer enhanced visibility and better integration with FortiManager. Secondly, verify that your ISP handoffs are delivering the promised bandwidth and, more importantly, the promised latency. A “dirty” circuit with high packet loss will render even the most advanced SD-WAN rules ineffective.
Next, evaluate your IP addressing scheme. SD-WAN thrives on clear segmentation. We recommend having a dedicated management VLAN and ensuring that your WAN interface IP ranges do not overlap with your internal LAN or any remote site VPCs. If you are managing multiple sites, leveraging Fortinet’s centralized management via FortiManager is highly recommended to maintain configuration consistency.
Comparative resource requirements
Before deployment, use the following table to assess if your current hardware can handle the added overhead of SD-WAN telemetry and security inspection.
| Metric | Small Branch (e.g., 40F) | Mid-Sized Office (e.g., 100F) | Large Campus (e.g., 600F) |
|---|---|---|---|
| Max Concurrent Tunnels | ~2,000 | ~10,000 | unlimited (hardware-bound) |
| SD-WAN Probe Overhead | Minimal | Moderate | High (requires tuning) |
| Recommended Internet Speed | Up to 2 Gbps | 10 Gbps+ | |
| Security Inspection Impact | Moderate | Low | Minimal (NP7 Processors) |
By verifying these baseline metrics, you reduce the risk of “flapping”, where a link appears up but cannot actually sustain the traffic load required by your SLA requirements.
Configuring SD-WAN member interfaces
The first hands-on step is defining your member interfaces. In FortiOS, SD-WAN is not just a set of interfaces; it is a virtual interface—each physical link becomes a “member” of a larger logical group. This grouping allows you to treat multiple physical connections as a single pool of bandwidth for certain types of traffic.
Step-by-step interface setup
To begin, navigate to Network > SD-WAN. You must first create an SD-WAN zone. While the default “virtual-wan-link” exists, we recommend creating custom zones (e.g., “Internet_Zone” and “Private_MPLS_Zone”) to keep your security policies clean. Once the zone is created, add your physical interfaces as members.
- Select the Interface: Choose your WAN1 (e.g., Fiber) and WAN2 (e.g., LTE/5G or Broadband).
- Assign Gateways: For each member, you must provide the gateway IP address provided by your ISP. This is critical, as the SD-WAN engine uses these gateways to route probe packets.
- Configure Cost/Priority: While SD-WAN rules will eventually handle steering, setting initial administrative costs helps in the event that the SD-WAN engine is bypassed during troubleshooting.
Expert Tip: Always leave one interface “unmanaged” or as a backup. If you add all available links to the SD-WAN zone, you might find it difficult to isolate a specific circuit for troubleshooting during a live outage.
Once the interfaces are added, your next task is to update your static routes. In a traditional setup, you would have a specific route for each WAN interface. In an SD-WAN environment, you should create a single 0.0.0.0/0 route that points toward the SD-WAN virtual interface rather than a specific physical interface. This allows the SD-WAN engine to take over the decision-making process for every packet exiting the network.
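As an added example, not configuration taken from the original tutorial or from Fortinet’s own documentation, the following FortiOS 7.x CLI script performs the same steps as the GUI walkthrough above: it creates a custom zone, adds two members with their ISP gateways and administrative costs, and replaces per-interface default routes with a single route toward the zone. The interface names wan1/wan2, the zone name, the gateway addresses (RFC 5737 documentation ranges) and the cost values are constructed assumptions; lines beginning with # are explanatory comments.

```fortios
# Added example, FortiOS 7.x syntax. All names, addresses and costs are constructed.
config system sdwan
    set status enable
    # Custom zone instead of the default "virtual-wan-link". A second zone
    # (for example "Private_MPLS_Zone") is created the same way.
    config zone
        edit "Internet_Zone"
        next
    end
    config members
        # Member 1: WAN1, assumed to be the fiber circuit. The gateway is the
        # ISP-provided next hop; the SD-WAN engine sends probes through it.
        # Cost is an administrative value (higher = more expensive circuit).
        edit 1
            set interface "wan1"
            set zone "Internet_Zone"
            set gateway 203.0.113.1
            set cost 10
        next
        # Member 2: WAN2, assumed to be commodity broadband or LTE (cheaper).
        edit 2
            set interface "wan2"
            set zone "Internet_Zone"
            set gateway 198.51.100.1
            set cost 1
        next
    end
end

# One default route toward the SD-WAN zone instead of one route per physical
# WAN interface, so the SD-WAN engine chooses the egress member per packet.
config router static
    edit 1
        set dst 0.0.0.0/0
        set sdwan-zone "Internet_Zone"
    next
end
```

After applying the script, `diagnose sys sdwan member` lists each member with its gateway and cost, which is the quickest way to confirm that both links were accepted into the zone before any SLA or rule work begins.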
Setting up performance SLAs for intelligent steering
Without Performance SLAs (Service Level Agreements), your SD-WAN is nothing more than a basic load balancer. An SLA is a set of criteria—latency, jitter, and packet loss—that a link must maintain to be considered “healthy.” If a link’s performance falls below these thresholds, the FortiGate will dynamically steer traffic to a better link.
Defining the health check probes
Navigate to SD-WAN > Performance SLA. You will create a new SLA and select the targets you wish to monitor. It is a mistake to probe a local gateway; instead, probe a reliable external entity such as Google’s 8.8.8.8 or your corporate headquarters’ public IP. This ensures you are measuring true end-to-end performance through the ISP-provided path.
When configuring the probe, consider the following parameters:
- Protocol: Use ping for basic connectivity or HTTP/HTTPS if you want to test the ability of the link to handle web traffic (this is much more accurate for cloud application performance).
- Update Interval: How often the probe is sent. For mission-critical voice traffic, an interval of 500ms to 1000ms is recommended.
- SLA Thresholds: This is where the magic happens. You might set a threshold of < 150ms latency and < 1% packet loss for VoIP traffic.
The FortiGate uses these probes to maintain a real-time health map of your WAN edge. If the probe fails or exceeds the threshold, the interface is marked as “dead” for that specific SLA, triggering the SD-WAN rules to reroute traffic. This sub-second detection is what makes SD-WAN vastly superior to traditional BGP or OSPF convergence times in remote branch scenarios.
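The Performance SLA described above, written out as an added FortiOS 7.x CLI example rather than configuration from the original article. It assumes SD-WAN members with sequence numbers 1 and 2 already exist. The ping target 8.8.8.8 and the 150 ms latency and 1% loss thresholds come from the text; the health-check names, the 30 ms jitter threshold, the 500 ms interval, the failtime/recoverytime values and the HTTP target 192.0.2.10 are constructed assumptions.

```fortios
# Added example, FortiOS 7.x syntax. Names, thresholds and the HTTP target are constructed.
config system sdwan
    config health-check
        # Ping-based probe to an external target (never the local gateway),
        # sent over both members so each link gets its own latency/jitter/loss.
        edit "Google_DNS"
            set server "8.8.8.8"
            set protocol ping
            # Probe interval in milliseconds; 500-1000 ms suits voice traffic.
            set interval 500
            # Consecutive failed probes before the member is marked dead, and
            # consecutive successes before it is restored. Raising these (or the
            # interval) is the first lever against link flapping.
            set failtime 5
            set recoverytime 5
            set members 1 2
            # SLA 1: a member "meets SLA" only while all three stay under threshold.
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 1
                next
            end
        next
        # HTTP probe: verifies the link can actually complete a web request,
        # which tracks cloud-application experience better than ICMP alone.
        edit "Web_Reachability"
            set server "192.0.2.10"
            set protocol http
            set port 80
            set http-get "/"
            set interval 1000
            set failtime 5
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency packet-loss
                    set latency-threshold 300
                    set packetloss-threshold 2
                next
            end
        next
    end
end
```

`diagnose sys sdwan health-check status` then shows, per member, the measured latency, jitter and packet loss and whether each SLA is currently met; watching this output for a few minutes before writing rules tells you whether the thresholds are realistic for the circuits you actually have.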
Defining SD-WAN rules for optimal traffic steering
Now that your links are configured and your SLAs are monitoring performance, you must tell the FortiGate how to use this intelligence. This is done through SD-WAN Rules. These rules are evaluated in top-down order, much like firewall policies. If a packet matches the criteria of the first rule, it is processed and the subsequent rules are ignored.
Creating effective steering policies
A well-designed SD-WAN policy set usually follows a hierarchy. You should prioritize high-value applications before generic web traffic. For example, your first rule should likely be for Real-time Voice/Video. For this rule, you would set the strategy to “Lowest Jitter” or “Best Quality,” instructing the FortiGate to steer traffic to whichever link currently meets your stringent SLA requirements.
The second tier of rules should target Critical Business Applications (e.g., SaaS tools like Office 365). Here, you might use a “Maximize Bandwidth” strategy, load balancing across multiple links to ensure high-speed access. The final, “catch-all” rule should be a default rule that sends all remaining traffic over your cheapest available connection, such as a commercial broadband link.
To implement this, navigate to SD-WAN > SD-WAN Rules. When creating a rule, you can define the source (your local subnet) and the destination (either a specific IP range or an application identified via the FortiGuard database). The use of the FortiGuard-powered Application Control is essential here; it allows you to create rules based on application signatures rather than IP addresses, which is vital since most modern cloud services use dynamic IP ranges.
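The three-tier rule hierarchy described above, as an added FortiOS 7.x CLI example (not from the original article). It assumes members 1 (fiber) and 2 (broadband) and a health check named "Google_DNS" with SLA id 1 already exist, an address object "LAN_subnet" for the local network, a constructed address object "Voice_Servers" for the voice platform, and that "Microsoft-Office365" is a valid entry in the FortiGuard Internet Service Database (treat that name as an assumption and check it against your unit’s list). The rules are evaluated top down, so the order of the edit numbers matters.

```fortios
# Added example, FortiOS 7.x syntax. Object names and member numbers are constructed.
config system sdwan
    config service
        # Tier 1: real-time voice/video. "Best Quality" is mode priority with a
        # quality criterion; jitter is used here so the lowest-jitter member
        # that still meets the SLA carries the calls.
        edit 1
            set name "Voice_Video"
            set mode priority
            set src "LAN_subnet"
            set dst "Voice_Servers"
            set health-check "Google_DNS"
            set link-cost-factor jitter
            set priority-members 1 2
        next
        # Tier 2: critical SaaS matched by FortiGuard service signature rather
        # than IP ranges, so address changes on the provider side do not break
        # the rule. "Maximize Bandwidth" is load-balance mode across the
        # members that currently meet the SLA.
        edit 2
            set name "SaaS_Critical"
            set mode load-balance
            set src "LAN_subnet"
            set internet-service enable
            set internet-service-name "Microsoft-Office365"
            set priority-members 1 2
            config sla
                edit "Google_DNS"
                    set id 1
                next
            end
        next
        # Tier 3: catch-all. "Lowest Cost (SLA)" is mode sla: among members that
        # meet the SLA, the one with the lowest configured cost (broadband) wins.
        edit 3
            set name "Default_Cheapest"
            set mode sla
            set src "LAN_subnet"
            set dst "all"
            set priority-members 2 1
            config sla
                edit "Google_DNS"
                    set id 1
                next
            end
        next
    end
end
```

`diagnose sys sdwan service` prints each rule with the member it currently selects and which members are in or out of SLA, which is how you confirm that voice really is leaving on the lowest-jitter link rather than simply the first one listed.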
Integrating security profiles into the SD-WAN fabric
A common mistake made by engineers transitioning from traditional WAN to SD-WAN is treating the two as separate entities. In a legacy setup, you might backhaul all traffic via an MPLS to a central data center where a heavy firewall resides. In a modern SD-WAN setup, you are performing Local Internet Breakout (LIB). This means traffic goes directly from the branch to the internet, bypassing the central hub.
While LIB improves performance and reduces latency, it significantly expands your attack surface. You cannot simply route traffic to the internet without applying the same level of scrutiny as you would at your headquarters. This is where the “Secure” in SD-WAN becomes critical.
The best practices for integrated security
When you create your firewall policies to allow SD-WAN-destined traffic, you must attach security profiles. Because you are using direct internet breakouts, every branch is effectively a gateway to the web. Your policy should include:
- Anti-Virus: To prevent the download of malicious payloads at the branch level.
- Web Filtering: To prevent users from visiting high-risk domains that could lead to phishing attacks.
- IPS (Intrusion Prevention System): To detect and block attempts to exploit vulnerabilities in your branch devices.
- SSL Inspection: This is the most critical but often overlooked step. Most modern threats are delivered via encrypted HTTPS-based attacks. Without SSL inspection, your SD-WAN is blind to more than 80% of potential threats.
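The firewall policy that carries the branch breakout, with the four profiles from the list attached, as an added FortiOS 7.x CLI example (not from the original article). It assumes an SD-WAN zone "Internet_Zone" usable as the destination interface, a LAN interface named "internal", an address object "LAN_subnet", and the factory-default profile names (default, deep-inspection, certificate-inspection) that ship on FortiGate units; a policy with only certificate inspection is shown alongside it as the weak configuration the text warns about.

```fortios
# Added example, FortiOS 7.x syntax. Interface and address names are constructed;
# profile names are the factory defaults.
config firewall policy
    # Weak: certificate-inspection only validates the server certificate and
    # filters on SNI/CN. AV and IPS never see the decrypted payload, so the
    # branch is blind to malware and exploits delivered over HTTPS.
    edit 9
        set name "Branch_LIB_Blind"
        set srcintf "internal"
        set dstintf "Internet_Zone"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set status disable
    next
    # Corrected: deep-inspection decrypts and re-encrypts, so AV, web filtering,
    # IPS and application control all operate on cleartext. The FortiGate's
    # inspection CA certificate must be trusted by branch endpoints first, or
    # users will see certificate warnings on every HTTPS site.
    edit 10
        set name "Branch_LIB_Inspected"
        set srcintf "internal"
        set dstintf "Internet_Zone"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
    next
end
```

Policy 9 is left disabled so it does not match traffic; it exists only to show the contrast. Logging all traffic on the breakout policy is what makes the branch visible to whatever SIEM or FortiAnalyzer instance you export to, which matters more at a branch that no longer backhauls through the data-center firewall.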
For those looking to scale this capability, implementing a SASE (Secure Access Service Edge) model is the natural next step. By utilizing Fortinet’s SASE offerings, you can extend these security policies to remote users who are not even on your physical network, ensuring a consistent security posture regardless of location.
Frequently asked questions
How does SD-WAN differ from traditional WAN routing?
Traditional WAN routing relies on static paths or protocols like BGP/OSPF based on hop counts or administrative distances. SD-WAN uses real-time performance metrics (latency, jitter, packet loss) to make routing decisions, allowing for much more dynamic and application-aware traffic steering.
Can I use SD-WAN over an existing MPLS circuit?
Yes. In fact, many organizations use a hybrid approach. You can include your MPLS circuit as a member of the SD-WAN zone alongside internet connections, allowing you to use the MPLS for sensitive traffic and the internet for lower-priority web browsing.
What is the impact of SSL Inspection on SD-WAN performance?
SSL Inspection requires significant CPU resources. When planning your SD-WAN deployment, always choose a FortiGate model with hardware acceleration (NP/CP processors) that can handle the decryption and re-encryption of traffic without introducing significant latency.
How often should I tune my SD-WAN SLA probes?
Tuning is an ongoing process. As a baseline, aim for probes every 5-10 seconds. However, if you experience “flapping” (where a link is constantly marked up and down), you should increase the probe interval or the number of failed probes required before a link is declared down.
Conclusion
Deploying a secure SD-WAN architecture is a transformative step for any organization’s networking capability. By moving away from static, inefficient routing and toward a dynamic, application-aware model, you ensure that your business remains productive even in the face of unpredictable internet performance. This tutorial has covered the essentials: from building a solid foundation with member interfaces, to the precision of SLA monitoring, and finally, the critical integration of security profiles to protect your branch breakouts.
Remember, a successful deployment is not a one-time event but a continuous process of monitoring and tuning. As your application mix changes, so too must your SD-WAN rules. For more technical deep-dives and hardware recommendations, explore our comprehensive network gear guides.
