Secure SD-WAN Training
Michel Barbosa, NSE8
Paulo Raponi, NSE8
CSE LATAM
3
Schedule
▪ 2 days workshop
▪ Starts at *9:00
▪ 15 minutes break at 11:00
▪ Lunch at 12:30
▪ Restarts at 13:30
▪ 15 minutes break at 16:00
▪ Ends at ~18:00
4
Agenda
SD-WHAT ?
SD-WAN and the Digital Transformation
Use Cases
Real World Implementation
FORTIOS Secure SD-WAN
5
Agenda
FORTIMANAGER SD-WAN
FORTIANALYZER SD-WAN
Lab Introduction
Labs 1, 2 and 3
6
SD-What ?
SD-WAN!
19
SD-WAN and the Digital Transformation
20
Digital Transformation
Use of digital technology to solve traditional problems. These digital solutions enable inherently new types of innovation and creativity, rather than simply enhance and support traditional methods.
Most organizations are in the midst of some form of digital transformation (DX), transforming how they bring products and services to the market.
▪ SaaS Applications and Cloud Ready
▪ Efficient Bandwidth for Unified Communication
▪ Better Integration
▪ Simplify Operations
21
Existing WAN is an obstacle for Digital Transformation
(Diagram: Enterprise Branch connected over the WAN via MPLS to the Data-Center and the Internet.)
$300 - $600: average monthly cost of MPLS per Mbps
Source: Network World Enterprise WAN
22
Gartner: Security is Biggest WAN Concern
Security is the top concern during WAN initiatives, followed by Application Performance.
Gartner Survey Analysis: Address Security and Digital Concerns to Maintain Rapid SD-WAN Growth, Naresh Singh, 12 November 2018
Security is the Biggest WAN Concern (percentage of respondents; base: total, excluding no specific concerns; n = 303)
Q07: What are the top three biggest concerns (if any) with your overall WAN today? ID: 355369
Concern                                                 First Choice  Second  Third  Sum of Top Three
Security                                                36%           21%     15%    72%
Performance                                             16%           22%     19%    58%
Cost                                                    12%           15%            47%
Management: Visibility, monitoring and troubleshooting  11%           12%     12%    34%
Availability                                            12%           12%     10%    34%
Meeting cloud/digital-specific requirements             10%           10%     12%    31%
Lack of agility/flexibility                             4%            9%      10%    22%
(The Third-choice value for Cost is not recoverable from the chart.)
23
SD-WAN is the New WAN Edge Transformation
▪ Secure Connectivity to Cloud
▪ Dynamically distribute business applications across multiple WAN Links
▪ Dramatically simplifies traditional WAN complexity
▪ Lightweight replacement of traditional routers
(Diagram themes: SD-WAN functionality, simplification)
24
Secure SD-WAN in the age of Digital Transformation
Enhanced
application
experience
IT agility
Simpler
management
Lower cost
Faster
deployment
Security
25
Self Driving WAN for Business Centric Applications
26
Gartner’s 2018 Magic Quadrant for WAN Edge (SD-WAN)
Fortinet should be shortlisted for all WAN edge opportunities globally. The vendor’s vision and roadmap to deliver increasing levels of automation align with Gartner’s view of emerging customer needs.
Marked as a “Challenger” with the furthest “Completeness of Vision”
27
Fortinet is the ONLY vendor that can truly deliver
• #1 in QoE* for VoIP
• 3rd party proven SD-WAN
• Best TCO for SD-WAN
• Only secure SD-WAN solution
* QoE: Quality of experience
28
SD-WAN Use Cases
29
SD-WAN - Key Use Cases
Reduce WAN OpEx
▪ MPLS to Broadband Transition
▪ High Quality of Experience for Unified Communication
Simplified Operations
▪ Zero Touch Deployment at Scale
▪ Single pane of glass management
Digital Transformation
▪ Business Applications Steering with low latency
▪ Top rated threat protection and detection for Direct Internet Access
(Diagram pillars: Network Security, Network Operations, Security Operations)
30
Transform your WAN Edge with Secure SD-WAN
(Diagram: Secure SD-WAN built on FortiOS, combining Web Filtering, IPS, Anti Malware, Cloud Sandbox, Application WAN Path Controller, Routing and WAN Optimization, with a Purpose-Built Security Processor, Threat Intelligence, Zero Touch Deployment, and Centralized Management and Analytics.)
31
Extend Secure SD-WAN to SD-Branch
Security Driven Network
▪ Security extended to the access layer
▪ Enable Global Security Policies and Enforcement
Simplified Operations
▪ Zero Touch Deployment at Scale
▪ Single pane of glass management
Integration of SD-WAN and LAN
▪ Branch Services Management Integrated
▪ Enable automation, improve visibility
(Diagram pillars: Network Security, Network Operations, Security Operations, Secure Access)
32
Fortinet Secure SD-Branch
• Deeper Integration between WAN and LAN
• Extended Security for the entire branch
• Single Monitoring & Management for the entire branch
(Diagram: FortiGate NGFW with SD-WAN, Wireless Controller, Switch Controller and FortiLink; Purpose Built Security Processor and SSL-Inspection; FortiManager and FortiDeploy as the Single Pane of Glass for NOC/SOC; Broad, Integrated, Automated.)
33
Fortinet Security Fabric
Enables Security Driven Networking
BROAD: Visibility of the entire digital attack surface
INTEGRATED: AI-driven breach prevention across all devices, networks, and applications
AUTOMATED: Operations, Orchestration & Response
(Diagram: fabric elements WAN Edge, Network Security, Network Operations, Multi-Cloud Security, Endpoint/Device Protection, Secure Access, Application Security, Fabric APIs, Fabric Connectors, Security Operations.)
SD-WAN Real World Implementation
35
Enterprise SD-WAN
Internet SaaS – Application Aware + Path Awareness Intelligence
(Diagram: an Office with links to Internet ISP-A, Internet ISP-B, ADSL and 4G LTE.)
Critical Apps: the best path is chosen depending on latency, jitter & packet loss
Critical Apps: redirected to a new link in case the WAN conditions are better than the threshold
Not Business App: less priority, QoS
36
Enterprise SD-WAN
MPLS backup with local breakout
(Diagram: Branch connected to HQ over MPLS and over an IPsec VPN via ADSL/Internet.)
MPLS Dependency: inflexible, expensive, good QoS
Critical Apps & Secure access: redundant path through IPsec VPN
Direct secure access to Internet, SaaS and IaaS content: NGFW + SSL Inspection
37
Enterprise SD-WAN
Centralized Internet Management
(Diagram: Retail sites connected to HQ over MPLS and Internet links (ADSL, MPLS, Dedicated) using aggregate tunnels.)
Central Traffic Management: route all the traffic through HQ
Secure access to Internet, SaaS and IaaS content: NGFW + SSL Inspection; load balance if needed
Central Management
38
Enterprise SD-WAN
Redundant Hybrid / Public Cloud
(Diagram: Branch connected to HQ over MPLS and Internet links (ADSL, MPLS, Dedicated) with Dynamic Routing.)
Health-Check: link failure detected
Redundant Access: traffic through HQ
39
© Fortinet Inc. All Rights Reserved. 39
FortiOS SD-WAN Evolution
40
FortiOS SD-WAN - Evolution
Feature availability by FortiOS release (a feature is present from the release that introduced it onward):
2.8: Policy Route
3.0: Equal-cost multipath (ECMP); Dead Gateway Detection
5.2: WAN Link Load Balance; Zero Touch
5.4: ISDB; Best Path Selection
5.6: SD-WAN Interface; Security Fabric
6.0: Minimum SLA enforcement link steering; Application Control; FortiManager Template and Monitor; IPv6; Dynamic Routing (BGP); Interface percentage based traffic shaping
6.2: Forward Error Correction; SD-WAN rule load balance; Per packet load balance; Additional BGP path; ADVPN; Cloud-Assist Monitoring; Factory default health checks
41
FortiOS SD-WAN
SD-WAN Interface
42
FortiOS SD-WAN
Interface Members
Enable or disable the sd-wan virtual interface.
Configure all interface and gateway members (IPv4 and IPv6*) that will be used in SD-WAN.
Supports physical, VLAN, IPsec, 3G/4G and FortiExtender interfaces (up to 254 interfaces).
SD-WAN usage dashboard (statistics only).
43
FortiOS SD-WAN
Interface Bandwidth
inbandwidth/outbandwidth (kbps) need to be configured for the SD-WAN Rule Downstream, Upstream and Bandwidth Best Quality options and for shaping settings.
Estimated Bandwidth (kbps) needs to be configured with the same value as inbandwidth/outbandwidth below.
44
FortiOS SD-WAN
Dual VPN Tunnel to Data Center
45
FortiOS SD-WAN
IPsec VPN Wizard
Inside the SD-WAN configuration, you can start a VPN wizard to automatically create multiple VPN overlay tunnels to a hub site.
You can choose multiple interfaces. All Phase1 and Phase2 definitions will be created and added to the SD-WAN configuration.
46
FortiOS SD-WAN
Basic Config - Static Routing
You need to add a route to the SD-WAN interface to install the SD-WAN interface in the routing table. The load balancing algorithm will not work otherwise.
FortiGate automatically adds the default gateway addresses from the SD-WAN interface member configuration.
47
FortiOS SD-WAN
Basic Config - Firewall Policy
Aggregate multiple interfaces into a single SD-WAN interface and apply one security policy across all of them.
The sd-wan virtual interface is available as source interface and destination interface in the Firewall Policy.
48
FortiOS SD-WAN
Performance SLA
49
FortiOS SD-WAN
Performance SLA
IP Version: IPv4 or IPv6
Protocol: use ping or http to test the link against the server
Server: IP address or FQDN of the server. If two servers are configured, both must fail for the link to be detected as offline
Participants: interface members for this health-check
SLA Targets (optional): used by the SD-WAN Rule SLA strategy
Status check interval: the time between attempts to connect to the server
Number of failures before the server is considered lost
Number of successful responses received before the server is considered recovered
Enable/disable updating the static route: when enabled and the health-check fails, FortiOS disables static routes for inactive interfaces
50
FortiOS SD-WAN
Performance SLA – Recommended Values
51
FortiOS SD-WAN
Performance SLA - HTTP protocol additional settings
config system virtual-wan-link
config health-check
edit "test-link"
...
set server "www.google.com"
set protocol http
set port 80
set http-get /
set http-match ''
...
next
end
end
▪ protocol: http
▪ port: Port number used to communicate with the server over the selected protocol
▪ http-get: URL path used to communicate with the server if the protocol is HTTP
▪ http-match: Response string expected from the server if the protocol is HTTP. Leave blank to accept any response
52
FortiOS SD-WAN
Performance SLA – Dashboard
▪ Performance SLA data is for the last 10 minutes.
53
FortiOS SD-WAN
Performance SLA - SNMP Support
FG # diag sys virtual-wan-link health-check
Health Check(ping):
Seq(1): state(alive), packet-loss (0.000%) latency (0.381), jitter(0.024) sla_map=0x0
Seq(2): state(alive), packet-loss (0.000%) latency (0.700), jitter(0.084) sla_map=0x0
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkState.1 = INTEGER: alive(0)
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkState.2 = INTEGER: alive(0)
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkLatency.1 = STRING: 0.381
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkLatency.2 = STRING: 0.700
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkJitter.1 = STRING: 0.024
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkJitter.2 = STRING: 0.084
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketSend.1 = Counter64: 8409
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketSend.2 = Counter64: 8409
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketRecv.1 = Counter64: 8359
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketRecv.2 = Counter64: 8336
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketLoss.1 = STRING: 0.000
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketLoss.2 = STRING: 0.000
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkVdom.1 = STRING: root
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkVdom.2 = STRING: root
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthIn.1 = Counter32: 100
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthIn.2 = Counter32: 100
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthOut.1 = Counter32: 100
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthOut.2 = Counter32: 100
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthBi.1 = Counter32: 200
FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthBi.2 = Counter32: 200
The same results you get from the CLI are available from an SNMP client using the FortiGate MIB.
54
GOTO
• Go to Lab Introduction and 1.1
55
FortiOS SD-WAN
SD-WAN Rules
56
FortiOS SD-WAN
Rules
▪ SD-WAN rules are evaluated top down; the order is important
▪ If no rule matches, the implicit rule is used
▪ Each rule is a “policy route” inside FortiOS
57
FortiOS SD-WAN
Rules
Source (optional) fields: accept IP/Mask and User Group
Destination: address, protocol, Internet Service and Application Control
Outgoing interfaces can be selected based on the Manual, Best Quality, Lowest Cost (SLA) and Maximize Bandwidth strategies
58
FortiOS SD-WAN
Rules – Implicit Rule
The implicit catch-all rule at the bottom decides how to distribute the remainder of the traffic:
▪ Source IP
▪ Sessions
▪ Spillover
▪ Source-Destination
▪ Volume
59
FortiOS SD-WAN Rules – Implicit Rule Algorithms
How does it work?
Source IP: The source IP algorithm tries to divide the traffic equally between the interfaces included in the virtual WAN interface. It uses the source IP address of the connection as the criterion for sorting the traffic.
Sessions: The session algorithm uses an integer value to assign a weight to each interface. The difference is that the number of connected sessions is what is measured, not the packets flowing through the interfaces.
Spillover: A threshold (in kbps) is set for an interface; if the traffic bandwidth exceeds the threshold, any traffic beyond it is sent out through another interface.
Source-Destination: The source-destination IP algorithm tries to divide the traffic equally between the interfaces included in the virtual WAN interface. It uses the combination of source and destination IP address of the connection as the criterion for sorting the traffic.
Volume: A very straightforward method of distributing the workload based on the amount of packets going through the interfaces. An integer value assigns a weight to each interface; these weights are used to calculate the percentage of the total volume that is directed to each interface.
60
FortiOS SD-WAN Rules – ISDB
Rules – Internet Service Database
ISDB as Rule Destination
Internet Service Database
▪ Dynamically updated (by FortiGuard) database of known service IPs, ports and protocols
▪ Layer 4
Discover the Internet Service name by IP:
FG # diagnose internet-service match root 8.8.8.8 255.255.255.255
Internet Service: 65539(Google-DNS), matched num: 1
61
FortiOS SD-WAN Rules – Application Control
Rules – Application Control
2100+ Application Signatures (Layer 7) to use as Destination
Application Control
▪ Dynamically updated database of applications
▪ Signature
▪ Layer 7
Applications marked with the icon require SSL Deep Inspection
62
FortiOS SD-WAN Rules – Application Control
Rules – Application Control - How does it work?
• You need to add an Application Control profile to a firewall policy
• After the first packets are detected by the Application Control engine, FortiOS creates a local, dynamic ISDB with the destination IPs and ports relevant to that signature. YouTube example:
List all IPs/ports in the dynamic database:
FG # diagnose sys virtual-wan-link internet-service-ctrl-list
Ctrl application(YouTube 31077):Internet Service ID(4294836224)
Protocol(6), Port(443)
Address(6): 172.217.28.86 187.181.68.45 172.217.30.33 216.58.202.142
172.217.28.142 209.85.224.201
Ctrl application(YouTube_Video.Play 38569):Internet Service ID(4294836225)
Protocol(6), Port(443)
Address(2): 187.181.68.45 209.85.224.201
Clear the dynamic database (if needed):
FG # diagnose sys virtual-wan-link internet-service-ctrl-flush
63
FortiOS SD-WAN Rules – Application Control
Rules – Application Control - How does it work?
▪ For Google signatures (like YouTube) you need to block QUIC
▪ Requires a FortiCare subscription for signature updates
64
SD-WAN Rule Strategy – Manual
65
FortiOS SD-WAN Rules
Strategy – Manual
The Manual strategy: assign interfaces a priority manually. Only one Interface option.
66
SD-WAN Rule Strategy – Best Quality
67
FortiOS SD-WAN Rules
Strategy – Best Quality
The Best Quality strategy: FortiGate uses the link providing the best network quality based on Latency, Jitter, Packet Loss, Downstream, Upstream, Bandwidth or a custom-profile.
When the difference between two links is within the percentage you configure for link-cost-threshold (CLI), the FortiGate uses the link with the higher priority, which is the first member in the priority-members list.
config system virtual-wan-link
config service
edit "test-link"
set link-cost-threshold 10
...
68
FortiOS SD-WAN Rules
link-cost-threshold - How does it work?
set link-cost-threshold {integer} Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10).
The purpose of the link cost threshold is to prevent flapping between networks: if a fail-over happens, fail-back only occurs once the recovering network is 10% (default) better than the current network. The reason values above 100 are allowed is that sometimes you only want to switch the route back when the quality of member WAN1 is 5 times better than WAN2; in that case you would configure link-cost-threshold as 500.
69
FortiOS SD-WAN Rules
link-cost-threshold - How does it work?
(Chart: latency in ms of Wan1 and Wan2 over time with “set link-cost-threshold 10”; the dashed line marks the link-cost-threshold, and the selected member per sample is Wan1, Wan1, Wan2, Wan2.)
70
FortiOS SD-WAN Rules – Best Quality
Best Quality criteria – How does it work?
• Latency: select the link based on (smaller) latency
• Jitter: select the link based on (smaller) jitter
• Packet Loss: select the link based on (smaller) packet loss
• Downstream*: select the link based on available bandwidth from download usage
• Upstream*: select the link based on available bandwidth from upload usage
• Bandwidth*: select the link based on available bandwidth from download and upload usage
* For Downstream, Upstream and Bandwidth the value is based on “inbandwidth/outbandwidth” in the interface settings. If not set, the physical speed minus current usage is used.
71
FortiOS SD-WAN Rules – Best Quality
Quality criteria - Use Cases
• Latency
• How much time it takes for a packet of data to get from one designated point to another.
• Less latency = better throughput
• Issues: slow access, connection failure
• Recommended for applications that require the best response time. Example: Video/VoIP
• Jitter
• The variance in time delay in milliseconds (ms) between data packets over a network. It is a disruption in the normal sequence of sending data packets. Jitter is generally caused by congestion in the IP network.
• Issues: delay in real-time applications
• Recommended for applications that require effective packet delivery. Example: VoIP
72
FortiOS SD-WAN Rules – Best Quality
Quality criteria - Use Cases
• Packet Loss
• Occurs when one or more packets of data travelling across a computer network fail to reach their destination.
• Issues: out-of-date information, slow loading times, loading interruptions, closed connections and missing information.
• Recommended: client-server applications like Oracle DB and SSH
• Downstream
• Process of copying data from another computer over a network
• Issues: slow access
• Recommended: applications that need network resources to download data. Example: File Server, Cloud Storage (Dropbox, OneDrive)
73
FortiOS SD-WAN Rules – Best Quality
Quality criteria - Use Cases
• Upstream
• Process of copying data to another computer over a network
• Issues: slow transfer times, unable to complete upload
• Recommended: applications that need network resources to upload data. Example: Backup systems
• Bandwidth
• Sum of downstream + upstream
• Recommended: applications that need network resources to upload and download data. Example: File Server, Cloud Storage (Dropbox, OneDrive)
74
FortiOS SD-WAN Rules
Best Quality – Custom Profile
custom-profile1 calculates the best link using the following formula (useful for micro-managing the most critical applications flowing in an enterprise network):
Link Quality Index = (packet-loss-weight * packet loss) + (latency-weight * latency) + (jitter-weight * jitter) + (bandwidth-weight / bandwidth)
• latency-weight - Coefficient of latency in the formula
• jitter-weight - Coefficient of jitter in the formula
• packet-loss-weight - Coefficient of packet-loss in the formula
• bandwidth-weight - Coefficient of reciprocal of available bidirectional bandwidth in the formula
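The Best Quality strategy with link-cost-threshold (from the earlier slides) and the custom-profile Link Quality Index above, as an added Python example that is not part of the training deck or of FortiOS. It follows the rule stated on the Best Quality slide (within the threshold, the higher-priority member wins); the member names, samples and weights are constructed, and measuring the threshold as a percentage of the best cost is an assumption.

```python
"""Best Quality (mode priority) selection with link-cost-threshold (constructed example, not FortiOS code).

Rule modelled from the slides: the member with the lowest link cost wins, but when
a higher-priority member (earlier in priority-members) has a cost within
link-cost-threshold percent of the best cost, that higher-priority member is used.
custom-profile-1 uses the Link Quality Index formula from the slide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Sample:
    """One health-check result for one member (constructed values)."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    down_kbps: float  # available download bandwidth (Downstream)
    up_kbps: float    # available upload bandwidth (Upstream)

    @property
    def bandwidth_kbps(self) -> float:
        return self.down_kbps + self.up_kbps  # Bandwidth = downstream + upstream


@dataclass(frozen=True)
class CustomProfile:
    """Weights of custom-profile-1: latency-weight, jitter-weight, packet-loss-weight, bandwidth-weight."""
    latency_weight: float = 0.0
    jitter_weight: float = 0.0
    packet_loss_weight: float = 0.0
    bandwidth_weight: float = 0.0

    def link_quality_index(self, s: Sample) -> float:
        # LQI = (packet-loss-weight * loss) + (latency-weight * latency)
        #       + (jitter-weight * jitter) + (bandwidth-weight / bandwidth); lower is better.
        return (self.packet_loss_weight * s.loss_pct + self.latency_weight * s.latency_ms
                + self.jitter_weight * s.jitter_ms + self.bandwidth_weight / s.bandwidth_kbps)


def link_cost(factor: str, s: Sample, profile: Optional[CustomProfile] = None) -> float:
    """Cost of one member for a link-cost-factor value; lower cost is better."""
    if factor == "latency":
        return s.latency_ms
    if factor == "jitter":
        return s.jitter_ms
    if factor == "packet-loss":
        return s.loss_pct
    if factor == "downstream":  # more bandwidth is better, so cost is the reciprocal
        return 1.0 / s.down_kbps
    if factor == "upstream":
        return 1.0 / s.up_kbps
    if factor == "bandwidth":
        return 1.0 / s.bandwidth_kbps
    if factor == "custom-profile-1":
        if profile is None:
            raise ValueError("custom-profile-1 requires a CustomProfile")
        return profile.link_quality_index(s)
    raise ValueError(f"unknown link-cost-factor {factor!r}")


def select_member(priority_members: List[str], samples: Dict[str, Sample], factor: str = "latency",
                  link_cost_threshold: float = 10.0, profile: Optional[CustomProfile] = None) -> str:
    """Pick the member the rule would use. Assumption: 'within the threshold' is measured
    as a percentage of the best (lowest) cost among the members."""
    costs = {m: link_cost(factor, samples[m], profile) for m in priority_members}
    best_cost = min(costs.values())
    for member in priority_members:  # first entry has the highest priority
        if best_cost == 0.0:
            close_enough = costs[member] == 0.0
        else:
            close_enough = (costs[member] - best_cost) / best_cost * 100.0 <= link_cost_threshold
        if close_enough:
            return member
    raise AssertionError("unreachable: the best member is always within its own threshold")


def selection_history(priority_members: List[str], history: List[Dict[str, Sample]], **kwargs) -> List[str]:
    """Apply select_member to a time series of per-member samples."""
    return [select_member(priority_members, samples, **kwargs) for samples in history]


# Constructed series: wan1 latency wanders around wan2's steady 92 ms, then spikes, then recovers.
HISTORY = [{"wan1": Sample(lat, 2.0, 0.0, 50000, 10000), "wan2": Sample(92.0, 3.0, 0.0, 20000, 20000)}
           for lat in (90, 94, 90, 94, 130, 100)]


def demo() -> Dict[int, List[str]]:
    """Selections over HISTORY with link-cost-threshold 0 (flaps) and 10 (stable)."""
    return {t: selection_history(["wan1", "wan2"], HISTORY, link_cost_threshold=t) for t in (0, 10)}


if __name__ == "__main__":
    for threshold, picks in demo().items():
        print(f"link-cost-threshold {threshold:>2}: {picks}")
```

With threshold 0 the selection flaps between wan1 and wan2 as wan1 crosses 92 ms; with the default 10 it stays on wan1 until the spike to 130 ms and returns as soon as wan1 is back within 10% of wan2.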
75
SD-WAN Rule Strategy – Lowest Cost (SLA)
76
FortiOS SD-WAN Rules
Lowest Cost (SLA)
The Lowest Cost (SLA) strategy for SD-WAN: FortiGate chooses the best link for outgoing traffic based on the SLA Targets profile.
If all links meet the SLA criteria, the FortiGate uses the first link, even if that link isn’t the best quality link. If at any time the link in use doesn’t meet the SLA criteria and the next link in the configuration does, the FortiGate changes to that link.
(Figure: SLA Target in the Performance SLA profile.)
77
SD-WAN Rule Strategy – Maximize Bandwidth (SLA)
78
FortiOS SD-WAN
Maximize Bandwidth (SLA)
79
FortiOS SD-WAN Rules
Maximize Bandwidth (SLA)
The Maximize Bandwidth (SLA) strategy for SD-WAN: traffic is distributed among all links that satisfy the SLA and forwarded using a round-robin load balancing algorithm.
80
SD-WAN Rule – Hold Down Time
81
FortiOS SD-WAN Rules
Rules – Hold Down Time
config system virtual-wan-link
config service
edit 1
set hold-down-time 60
...
The hold-down time parameter defines the first member link as the primary link and the others as backup links. If the primary link degrades in quality, the service switches to a backup link without any hold.
If an active backup link degrades to a lower quality than the primary link, that degraded state must persist for hold-down-time seconds before the service switches back to the primary link. Otherwise, the backup link keeps its active state.
Configured per SD-WAN rule. Default 0.
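The Lowest Cost (SLA) selection and the hold-down-time behaviour described on the last two slides, as an added Python example that is not part of the training deck or of FortiOS: it parses member lines in the diag health-check format shown earlier and replays constructed snapshots through a two-member rule. The SLA target values, the snapshot timings, and the behaviour when no member meets the SLA (keep the current member) are assumptions.

```python
"""Lowest Cost (SLA) selection with hold-down-time (constructed example, not FortiOS code).

parse_health_check() reads member lines in the format printed by "diag sys
virtual-wan-link health-check". SlaRule applies the rule from the slides: the
first member in configuration order that meets the SLA target is used, and
fail-back from a backup to the primary (first) member waits hold-down-time seconds.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches e.g.: Seq(1): state(alive), packet-loss (0.000%) latency (0.381), jitter(0.024) sla_map=0x0
_MEMBER_LINE = re.compile(
    r"Seq\((?P<seq>\d+)\): state\((?P<state>\w+)\), packet-loss \((?P<loss>[\d.]+)%\) "
    r"latency \((?P<latency>[\d.]+)\), jitter\((?P<jitter>[\d.]+)\)"
)


@dataclass(frozen=True)
class MemberStatus:
    seq: int
    alive: bool
    loss_pct: float
    latency_ms: float
    jitter_ms: float


@dataclass(frozen=True)
class SlaTarget:
    """SLA Target of a Performance SLA; a member must satisfy all three limits."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def met_by(self, m: MemberStatus) -> bool:
        return (m.alive and m.latency_ms <= self.latency_ms
                and m.jitter_ms <= self.jitter_ms and m.loss_pct <= self.loss_pct)


def parse_health_check(output: str) -> Dict[int, MemberStatus]:
    """Return {seq: MemberStatus} for every member line in the diag output."""
    members: Dict[int, MemberStatus] = {}
    for line in output.splitlines():
        hit = _MEMBER_LINE.search(line)
        if hit:
            members[int(hit["seq"])] = MemberStatus(
                int(hit["seq"]), hit["state"] == "alive", float(hit["loss"]),
                float(hit["latency"]), float(hit["jitter"]))
    return members


class SlaRule:
    """One SD-WAN rule in Lowest Cost (SLA) mode; member seqs listed in priority order."""

    def __init__(self, priority_members: List[int], target: SlaTarget, hold_down_time: int = 0):
        self.priority_members = priority_members
        self.target = target
        self.hold_down_time = hold_down_time
        self.active: Optional[int] = None
        self.primary_in_sla_since: Optional[int] = None

    def evaluate(self, now: int, members: Dict[int, MemberStatus]) -> Optional[int]:
        """Update and return the active member after one health-check round at time `now`."""
        primary = self.priority_members[0]
        in_sla = [m for m in self.priority_members
                  if m in members and self.target.met_by(members[m])]
        if primary in in_sla:
            if self.primary_in_sla_since is None:
                self.primary_in_sla_since = now
        else:
            self.primary_in_sla_since = None
        if not in_sla:
            return self.active  # assumption: with no member in SLA, keep the current member
        candidate = in_sla[0]
        if candidate == primary and self.active not in (None, primary):
            backups_in_sla = [m for m in in_sla if m != primary]
            held = now - self.primary_in_sla_since < self.hold_down_time
            if held and backups_in_sla:
                # Fail-over is immediate; fail-back waits until the primary has met the SLA
                # for hold-down-time seconds, staying on a backup that is still in SLA.
                candidate = self.active if self.active in backups_in_sla else backups_in_sla[0]
        self.active = candidate
        return candidate


# Constructed snapshots (seconds, diag output): seq 1 leaves the SLA at t=10 and recovers at t=20.
SEQ2_OK = "Seq(2): state(alive), packet-loss (0.000%) latency (0.700), jitter(0.084) sla_map=0x0"
ROUNDS = [
    (0, "Seq(1): state(alive), packet-loss (0.000%) latency (0.381), jitter(0.024) sla_map=0x0\n" + SEQ2_OK),
    (10, "Seq(1): state(alive), packet-loss (3.500%) latency (250.000), jitter(12.000) sla_map=0x1\n" + SEQ2_OK),
    (20, "Seq(1): state(alive), packet-loss (0.000%) latency (0.400), jitter(0.030) sla_map=0x0\n" + SEQ2_OK),
    (80, "Seq(1): state(alive), packet-loss (0.000%) latency (0.400), jitter(0.030) sla_map=0x0\n" + SEQ2_OK),
]


def run_scenario(hold_down_time: int) -> List[Optional[int]]:
    """Replay ROUNDS through a two-member rule and return the active member per round."""
    rule = SlaRule([1, 2], SlaTarget(latency_ms=100, jitter_ms=5, loss_pct=1), hold_down_time)
    return [rule.evaluate(now, parse_health_check(out)) for now, out in ROUNDS]
```

run_scenario(0) returns [1, 2, 1, 1] (fail-back as soon as seq 1 recovers), while run_scenario(60) returns [1, 2, 2, 1] (seq 2 stays active until seq 1 has met the SLA for 60 seconds).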
82
GOTO
• Go to Lab 1.2 and 1.3
83
FortiOS SD-WAN
Advanced Features
84
Traffic Shaping
85
FortiOS SD-WAN
Traffic Shaping
▪ SD-WAN interface available as Traffic Shaping outgoing interface
▪ Shared and per-IP shaper
▪ L7 analysis for shaping rules based on users, apps, URLs…
▪ Use app classification to control bandwidth reservation, limitation, DiffServ marking and prioritization
86
Traffic Shaping – Interface Based
87
FortiOS SD-WAN
Interface Based Traffic Shaping
This feature introduces the concept of a shaping-profile attached to a 'system.interface' to shape the traffic of that interface. Each shaping-entry of a shaping-profile defines the percentage of the interface bandwidth that can be allocated to one type of classified traffic, as well as the priority of that type of traffic, while traffic is classified by shaping-policy entries.
With SD-WAN (virtual-wan-link), shaping-profile entries make shaping more flexible. Since SD-WAN can direct traffic to any link, and the links may have different bandwidths, defining the percentage of interface bandwidth for each class of traffic makes more sense.
88
FortiOS SD-WAN
Interface Based Traffic Shaping
1. Traffic Classification
▪ Shaping policies are used to classify traffic into different "shaping groups" or "class-ids"
2. Prioritizing Traffic
▪ Shaping profiles define how the different groups or classes of traffic should be prioritized.
▪ A default group is provided for all traffic that does not match any other group.
3. Assigning Shaping Profiles
▪ Shaping profiles can be applied to an interface
▪ The shaping profile uses the interface's outgoing bandwidth as the maximum link speed
▪ Only works when the outgoing bandwidth is configured
89
FortiOS SD-WAN
Interface Based Traffic Shaping
▪ Enable Assign Group
▪ Destination Interface
▪ Shaping Group (class-id)
90
FortiOS SD-WAN
Interface Based Traffic Shaping
91
FortiOS SD-WAN
Interface Based Traffic Shaping
1. Enable the Default Shaping Group and select one class-id
2. The total sum of guaranteed bandwidth percentages must be less than 100%
Use the add control to add more Shaping Groups
92
FortiOS SD-WAN
Interface Based Traffic Shaping
Attach the Shaping Profile to the outgoing interface
93
GOTO
• Go to Lab 1.4, 2.1, 2.2 and 2.3
94
BGP Tags
95
FortiOS SD-WAN
BGP Tags
“BGP communities provide additional capability for tagging routes and for modifying BGP routing policy on upstream and downstream routers. BGP communities can be appended, removed, or modified selectively on each attribute as the route travels from router to router”
▪ BGP Tags can be used as a dynamic SD-WAN rule
96
FortiOS SD-WAN
BGP Tags – Use Case
The network admin wants Web server traffic to always use the Best Quality link from the branches to DC1. The Web servers are containers deployed using dynamic (DHCP) IP addresses.
(Diagram: DC1, Branch 1 and Branch 2 in AS 64520 running iBGP; DC1 advertises 10.10.2.0/24 (Web Servers) with community 30:5 in BGP updates to Branch 1 and Branch 2.)
97
FortiOS SD-WAN
BGP Tags – Spoke Configuration
Route map to match the community and set the tag:
config router route-map
edit "comm1"
config rule
edit 1
set match-community "30:5"
set set-route-tag 15
next
...
Apply the route map in the neighbor configuration (route-map-in):
config router bgp
set as 64520
set router-id 1.2.3.4
config neighbor
edit "10.1.1.1"
set remote-as 64520
set route-map-in "comm1"
next
...
Create the SD-WAN rule using the route tag:
config system virtual-wan-link
...
config service
edit 1
set name "DataCenter"
set mode priority
set link-cost-factor latency
set route-tag 15
...
98
FortiOS SD-WAN
BGP Tags – Debug
FG # get router info bgp network 10.100.10.0
BGP routing table entry for 10.100.10.0/24
Paths: (2 available, best #1, table Default-IP-Routing-Table)
...
10.100.1.5 from 10.100.1.5 (6.6.6.6)
Origin EGP metric 200, localpref 100, weight 10000, valid, external, best
Community: 30:5
...
FG # get router info route-map-address
Extend-tag: 15, interface(port15:16)
10.100.10.0/255.255.255.0
FG # diag sys virtual-wan-link service
Service(1): flags=0x0
TOS(0x0/0x0), protocol(0: 1->65535), Mode(priority), …
Members:
1: Seq_num(1), alive, jitter: 0.400, selected
2: Seq_num(1), alive, jitter: 0.400, selected
Route tag address: 10.100.10.0/255.255.255.0
99
BGP – Additional Path
100
FortiOS SD-WAN
BGP – Additional Path
▪ Until FortiOS 6.0, the Hub (or the Route Reflector in ADVPN) could only advertise the latest received prefix to the spokes.
▪ FortiOS 6.2 now supports RFC 7911 - Advertisement of Multiple Paths in BGP
RFC 7911 Abstract
This document defines a BGP extension that allows the advertisement of
multiple paths for the same address prefix without the new paths implicitly
replacing any previous ones. The essence of the extension is that each
path is identified by a Path Identifier in addition to the address prefix.
101
FortiOS SD-WAN
BGP – Additional Path
HUB:
config router bgp
set as 65505
set router-id 11.11.11.11
set ibgp-multipath enable
set additional-path enable
set additional-path-select 4
config neighbor-group
edit "gr1"
set capability-default-originate enable
set remote-as 65505
set additional-path both
set adv-additional-path 4
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.10.0.0 255.255.0.0
set neighbor-group "gr1"
next
end
config network
edit 12
set prefix 11.11.11.11 255.255.255.255
next
end
end
SPOKE:
config router bgp
set as 65505
set router-id 2.2.2.2
set ibgp-multipath enable
set additional-path enable
set additional-path-select 4
config neighbor
edit "10.10.100.254"
set soft-reconfiguration enable
set remote-as 65505
set additional-path both
set adv-additional-path 4
next
edit "10.10.200.254"
set soft-reconfiguration enable
set remote-as 65505
set additional-path both
set adv-additional-path 4
next
...
102
FortiOS SD-WAN
BGP – Additional Path
FG # get router info routing-table bgp
Routing table for VRF=0
B* 0.0.0.0/0 [200/0] via 10.10.200.254, vd2-2, 03:57:26
[200/0] via 10.10.203.254, vd2-3, 03:57:26
[200/0] via 10.10.204.254, vd2-4, 03:57:26
[200/0] via 10.10.100.254, vd2-1, 03:57:26
B 1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
B 11.11.11.11/32 [200/0] via 10.10.200.254, vd2-2, 03:57:51
[200/0] via 10.10.203.254, vd2-3, 03:57:51
[200/0] via 10.10.204.254, vd2-4, 03:57:51
[200/0] via 10.10.100.254, vd2-1, 03:57:51
103
GOTO
• Go to Lab 2.4 and 2.5
104
Forward Error Correction
105
FortiOS SD-WAN – WAN Path Remediation
Forward Error Correction (FEC)
(Diagram: the sending FortiGate adds an FEC recovery packet to the original payload A B C D and sends it over the overlay tunnel; packet B is lost in transit; the receiving FortiGate holds A C D in its jitter buffer and reconstructs B, so the recovered payload is A B C D.)
What it does: allows for dynamic remediation of packet loss or erroneous data caused by adverse WAN conditions.
106
FortiOS SD-WAN
Forward Error Correction
(Diagram: FEC over the overlay tunnel between the sending FortiGate and the receiving FortiGate.)
107
FortiOS SD-WAN
Forward Error Correction – CLI configuration
config vpn ipsec phase1-interface
edit toDC1
...
set fec-ingress enable
set fec-egress enable
set fec-base 20
set fec-redundant 10
set fec-send-timeout 8
set fec-receive-timeout 5000
...
end
end
▪ fec-ingress: Enable FEC for ingress IPsec traffic.
▪ fec-egress: Enable FEC for egress IPsec traffic.
▪ fec-base: Number of base FEC packets (1 – 100)
▪ fec-redundant: Number of redundant FEC packets (1 – 100)
▪ fec-send-timeout: Timeout in milliseconds before sending
FEC packets (1 – 1000)
▪ fec-receive-timeout: Timeout in milliseconds before dropping
FEC packets (1 – 10000)
108
FortiOS SD-WAN
Forward Error Correction – Parameters
set fec-base 20
set fec-redundant 10
set fec-send-timeout 8
Sends 10 redundant packets for every 20 packets, so bandwidth usage is 1.5 times normal. It may introduce at most 8 ms + 8 ms of round-trip latency.
set fec-base 2
set fec-redundant 4
set fec-send-timeout 1
Sends 4 redundant packets for every 2 packets, with extra round-trip latency of at most 1 ms + 1 ms.
The default config, 20:10, can lower the packet loss ratio from 20% to 2.5% and from 10% to 0.01%.
If the packet loss ratio is 2%, the recommended config is 20:4 to lower packet loss to 0.01%.
FEC packets carry an overhead of 52 bytes for IPv4 and 72 bytes for IPv6. This is due to a new IP header + UDP header + FEC header being added.
109
FortiOS SD-WAN
Forward Error Correction - Debug
FG # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=demo ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600
options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec-egress: base=20 redundant=10 remote_port=50000
fec-ingress: base=20 redundant=10
proxyid=demo proto=0 sa=1 ref=2 serial=1
src: 0:10.1.100.0/255.255.255.0:0
dst: 0:173.1.1.0/255.255.255.0:0
...
FEC uses UDP port 50000 over IPsec tunnels to transmit the control packets.
110
FortiOS SD-WAN
FEC Demo
111
Per Packet Load Balance
112
FortiOS SD-WAN
Per packet load balance
(Diagram: Spoke to HUB over IPSec Tunnel A (10 Mbps) and IPSec Tunnel B (15 Mbps); the payload A B C D is split per packet across both tunnels and reassembled at the HUB, giving 25 Mbps of throughput.)
What it does: provides link redundancy and bandwidth aggregation.
113
FortiOS SD-WAN
Per packet load balance - Config
▪ Configure 2 IPSec tunnels using different WAN links
▪ Phase 1 tunnel type must be static or ddns and net-device disabled
▪ Add the “aggregate” interface in the SD-WAN settings.
config system ipsec-aggregate
edit agg1
set name agg1
set member "vpn1" "vpn2"
set algorithm round-robin
end
end
algorithm:
▪ round-robin: Per-packet round-robin distribution
▪ L3: Use layer 3 address for distribution
▪ L4: Use layer 4 information for distribution
▪ redundant: Use first tunnel that is up for all traffic
ADVPN (Auto Discovery VPN)
115
▪ Fortinet Auto Discovery VPN (ADVPN) allows direct tunnels (called shortcuts) to be established
dynamically between the spokes of a traditional Hub and Spoke architecture.
▪ After a shortcut tunnel is established between two spokes and routing has
converged, spoke-to-spoke traffic no longer needs to flow through the Hub: direct
connectivity is provided.
▪ Fortinet ADVPN was introduced in FortiOS 5.4 but did not support SD-WAN until
FortiOS 6.2.
FortiOS SD-WAN
ADVPN
116
FortiOS SD-WAN
ADVPN
117
Hub:
1. Create the IPSec VPN with the auto-discovery-sender and tunnel-search parameters
2. Create a firewall policy to allow traffic from hub to spokes
3. Configure BGP (route reflector)
Spoke:
1. Create the IPSec VPN with the auto-discovery-receiver parameter
2. Create a firewall policy to allow traffic from spoke to spokes and from spoke to hub
3. Configure BGP
4. Configure the SD-WAN Rules
FortiOS SD-WAN
ADVPN Configuration Step
118
FortiOS SD-WAN – ADVPN
config vpn ipsec phase1-interface
edit "advpn-hub"
set type dynamic
set interface "port9"
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set tunnel-search nexthop
next
end
config vpn ipsec phase2-interface
edit "advpn-hub"
set phase1name "advpn-hub"
next
end
config firewall policy
edit 1
set srcintf "advpn-hub"
set dstintf "port10"
set srcaddr "all"
set dstaddr "11.11.11.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "advpn-hub"
set dstintf "advpn-hub"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
config system interface
edit "advpn-hub"
set ip 10.10.100.254 255.255.255.255
set remote-ip 10.10.100.253 255.255.255.0
next
end
config router bgp
set as 65412
config neighbor-group
edit "advpn"
set link-down-failover enable
set remote-as 65412
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.10.100.0 255.255.255.0
set neighbor-group "advpn"
next
end
config network
edit 1
set prefix 172.16.101.0 255.255.255.0
next
end
end
Hub Configuration
119
FortiOS SD-WAN – ADVPN
config vpn ipsec phase1-interface
edit "spoke1"
set interface "wan1"
set net-device enable
set add-route disable
set auto-discovery-receiver enable
set remote-gw 11.1.1.11
next
edit "spoke1-2"
set interface "wan2"
set net-device enable
set add-route disable
set auto-discovery-receiver enable
set remote-gw 11.1.2.11
set monitor "spoke1"
next
end
config vpn ipsec phase2-interface
edit "spoke1"
set phase1name "spoke1"
set auto-negotiate enable
next
edit "spoke1-2"
set phase1name "spoke1-2"
set auto-negotiate enable
next
end
config firewall policy
edit 1
set name "outbound_advpn"
set srcintf "internal"
set dstintf "spoke1" "spoke1-2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "inbound_advpn"
set srcintf "spoke1" "spoke1-2"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
Spoke Configuration
120
FortiOS SD-WAN – ADVPN
config system interface
edit "spoke1"
set ip 10.10.10.1 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
edit "spoke1-2"
set ip 10.10.10.2 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
end
config router bgp
set as 65412
config neighbor
edit "10.10.100.254"
set advertisement-interval 1
set link-down-failover enable
set remote-as 65412
next
edit "10.10.200.254"
set advertisement-interval 1
set link-down-failover enable
set remote-as 65412
next
end
config network
edit 1
set prefix 10.1.100.0 255.255.255.0
next
end
end
config system virtual-wan-link
set status enable
config members
edit 1
set interface "vd2-1"
next
edit 2
set interface "vd2-2"
next
end
config health-check
edit "ping"
set server "11.11.11.11"
set members 1 2
next
end
config service
edit 1
set member 1
set dst "001-100"
next
edit 2
set member 2
set dst "100-200"
next
end
end
Spoke Configuration
121
Routing Changes and SNAT
122
If, after a routing change, a session for a particular communication still goes via the wrong
interface and/or firewall policy, it is probably due to keepalive traffic: those sessions never
expire, and by default the FortiGate does not flush the routing information cached in them.
▪ After a routing change, routing information is flushed from the affected sessions
where source NAT (SNAT) is not applied.
✓ Routing lookups are done again for the next packets.
✓ Route cache entries are removed.
✓ RPF check is done again for the first packet in the original direction.
✓ Session is flagged as dirty.
FortiOS SD-WAN
Routing Changes and SNAT
123
FortiOS SD-WAN
Routing Changes and SNAT
Example of a session just after a routing change:
FG # get sys session list
session info: proto 1 porto state 00 duration 411 expire 56 timeout 0 flags 00000 sockflag=00000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=dirty may_dirty
statistic(bytes/packets/allow_err): org=17160/286/1 reply=16080/26841 tuples=2
speed(Bps/kbps): 98/0
orgin->sink: org pre->post, reply pre=post dev=9->0/0 gw=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.4.0.1:1->10.1.0.1:8(0.0.0.0:0)
In sessions where SNAT is applied, the action depends on the following setting (which is disabled by default):
config system global
set snat-route-change enable
end
124
ECMP max paths
125
▪ SD-WAN uses ECMP to distribute traffic to the same destination such as the
Internet or another network. Using ECMP you can add multiple routes to the
destination and give each of those routes the same distance and priority.
▪ The default setting for the number of max ECMP paths allowed by a FortiGate is
based on the FortiOS version. This is the setting from your configuration:
FortiOS SD-WAN
ECMP max paths
FortiOS version   < 6.0       6.2.0       >= 6.2.1
ECMP max path     10 / 100    100 / 100   255 / 255
config system settings
set ecmp-max-paths 255
end
126
FortiOS SD-WAN
Zero Touch Deployment
127
Order the FortiGates along with a FortiDeploy SKU
Fortinet registers your devices in FortiCloud
Assign FortiManager IP to registered devices
Provision your devices in FortiManager
Deployed device will get its full configuration from FortiManager
Deployed device will fetch its management details from FortiCloud
FortiOS SD-WAN
Zero Touch Provisioning – How it works?
(Diagram: the Customer and Fortinet interact through FortiCloud, which hands the FortiGate its FortiManager details.)
128
FortiOS SD-WAN
Zero Touch Provisioning – Step-by-Step
Order the FortiGates along with a FortiDeploy SKU
129
FortiOS SD-WAN
Zero Touch Provisioning – Step-by-Step
Fortinet registers your devices in FortiCloud
130
FortiOS SD-WAN
Zero Touch Provisioning – Step-by-Step
Deployed device will fetch its management details from FortiCloud
FG # diagnose debug cli 8
FG # diagnose debug enable
[...]
0: config system central-management
0: set type fortimanager
0: set fmg 192.168.194.62
0: set mode normal
0: config system fortiguard
0: set service-account-id "tiger_sophia@fortinet.com"
0: end
[...]
131
FortiOS SD-WAN
ZTD Demo
132
FortiManager SD-WAN
133
▪ SD-WAN Central Template
• You can centrally provision SD-WAN templates by specifying SD-WAN interface members, WAN
link performance criteria, and application routing priority
▪ SD-WAN Monitoring
• Map View displays SD-WAN enabled devices on Google Map with color coded icons. Mouse over
to view health performance statistics for each SD-WAN link member
• Table View provides more granular information on each SD-WAN link member such as link status,
applications performance and their bandwidth usage
• Monitor summary with Bandwidth Overview, Latency, Jitter and Packet Loss
FortiManager SD-WAN
Feature Support
134
FMG - Central Template
135
As of version 6.2, you can import the FortiGate SD-WAN config or create a new
template:
1. Create the Health-Check servers
2. Create the Interface Members
3. Create the SD-WAN Template
4. Assign the Template to the Device(s)
FortiManager SD-WAN
Central Template
136
FortiManager SD-WAN
Central Template
137
FortiManager SD-WAN
Central Template
138
FortiManager SD-WAN
Central Template
139
FortiManager SD-WAN
Central Template
140
FMG - Monitor
141
FortiManager SD-WAN
Monitor – Map View
142
FortiManager SD-WAN
Monitor – Map View Details
143
FortiManager SD-WAN
Map View
144
FortiManager SD-WAN
Table View
145
FortiManager SD-WAN
Table View
Graphic per Performance SLA
146
FortiAnalyzer SD-WAN
147
▪ Performance SLA results related to interface selection, session failover, and other
information, can be logged. These logs can then be used for long-term monitoring of
traffic issues at remote sites, and for reports and views in FortiAnalyzer.
▪ The time intervals that Performance SLA fail and pass logs are generated in can be
configured.
FortiAnalyzer SD-WAN
SLA Logging
config system virtual-wan-link
config health-check
edit DNS.SERVER.ICMP
set sla-fail-log-period 60
set sla-pass-log-period 500
end
end
end
FortiOS side configuration, inside each health-check profile.
The same information is also available in the FortiOS CLI (without FortiAnalyzer) using:
diagnose sys virtual-wan-link sla-log <performance-sla-name> 1
148
FortiAnalyzer SD-WAN
SLA Logging
149
SLA Monitoring via REST API
150
▪ This feature adds the ability to monitor the SLA log information and the interface SLA
information through the FortiOS REST API. The same API is also used by
FortiManager as part of its detailed SLA monitoring and drill-down features.
SLA Monitoring via REST API
https://172.172.172.9/api/v2/monitor/virtual-wan/interface-log
{
"http_method":"GET",
"results":[
{
"interface":"port13",
"logs":[
{
"timestamp":1547087168,
"tx_bandwidth":3447,
"rx_bandwidth":3457,
"bi_bandwidth":6904,
"tx_bytes":748875,
"rx_bytes":708799,
"egress_queue":[
]
},
...
Interface log command example
151
FortiOS CLI diagnose commands
FG # diagnose sys virtual-wan-link sla-log ping 1
Timestamp: Wed Jan 9 18:35:11 2019, vdom root, health-check ping, interface: port13, status: up,
latency: 0.698, jitter: 0.073, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:12 2019, vdom root, health-check ping, interface: port13, status: up,
latency: 0.704, jitter: 0.073, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:13 2019, vdom root, health-check ping, interface: port13, status: up,
latency: 0.709, jitter: 0.073, packet loss: 0.000%.
FG # diagnose sys virtual-wan-link intf-sla-log port13
Timestamp: Wed Jan 9 18:33:49 2019, used inbandwidth: 3208bps, used outbandwidth: 3453bps, used
bibandwidth: 6661bps, tx bytes: 947234bytes, rx bytes: 898622bytes.
Timestamp: Wed Jan 9 18:33:59 2019, used inbandwidth: 3317bps, used outbandwidth: 3450bps, used
bibandwidth: 6767bps, tx bytes: 951284bytes, rx bytes: 902937bytes.
Timestamp: Wed Jan 9 18:34:09 2019, used inbandwidth: 3302bps, used outbandwidth: 3389bps, used
bibandwidth: 6691bps, tx bytes: 956268bytes, rx bytes: 907114bytes.
152
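The `sla-log` output above (and the same data the REST API exposes) is only useful for long-term monitoring once it is parsed and compared against an SLA target. The following added example (not Fortinet code) parses the two-line CLI record format shown on the slide and flags samples that breach a target; the sample lines are constructed in that format, the thresholds (150 ms latency, 30 ms jitter, 2% loss) are assumptions, and the latency and jitter units are assumed to be milliseconds:

```python
"""Parse `diagnose sys virtual-wan-link sla-log` output and flag SLA breaches."""
import re
from dataclasses import dataclass
from typing import List, Tuple

SLA_LINE = re.compile(
    r"Timestamp: (?P<ts>.+?), vdom (?P<vdom>\S+), health-check (?P<hc>\S+), "
    r"interface: (?P<intf>\S+), status: (?P<status>\S+), "
    r"latency: (?P<latency>[\d.]+), jitter: (?P<jitter>[\d.]+), "
    r"packet loss: (?P<loss>[\d.]+)%\."
)


@dataclass
class SlaSample:
    timestamp: str
    vdom: str
    health_check: str
    interface: str
    status: str
    latency_ms: float   # unit assumed
    jitter_ms: float    # unit assumed
    loss_pct: float


def parse_sla_log(text: str) -> List[SlaSample]:
    """One record per log entry. The CLI wraps each entry after 'status: up,',
    so a line ending in a comma is joined with the next one before matching."""
    joined = re.sub(r",\n\s*", ", ", text)
    samples = []
    for line in joined.splitlines():
        m = SLA_LINE.search(line)
        if not m:
            continue  # prompt lines and anything not in the record format
        samples.append(SlaSample(
            m["ts"], m["vdom"], m["hc"], m["intf"], m["status"],
            float(m["latency"]), float(m["jitter"]), float(m["loss"]),
        ))
    return samples


def sla_breaches(samples: List[SlaSample], max_latency_ms: float = 150.0,
                 max_jitter_ms: float = 30.0,
                 max_loss_pct: float = 2.0) -> List[Tuple[str, str, str]]:
    """Return (timestamp, interface, reason) for every sample outside the target."""
    out = []
    for s in samples:
        reasons = []
        if s.status != "up":
            reasons.append("down")
        if s.latency_ms > max_latency_ms:
            reasons.append(f"latency {s.latency_ms}ms")
        if s.jitter_ms > max_jitter_ms:
            reasons.append(f"jitter {s.jitter_ms}ms")
        if s.loss_pct > max_loss_pct:
            reasons.append(f"loss {s.loss_pct}%")
        if reasons:
            out.append((s.timestamp, s.interface, ", ".join(reasons)))
    return out


# Constructed sample in the slide's format: two healthy samples, one latency
# and jitter breach, and one outage.
SAMPLE_LOG = """\
FG # diagnose sys virtual-wan-link sla-log ping 1
Timestamp: Wed Jan 9 18:35:11 2019, vdom root, health-check ping, interface: port13, status: up,
latency: 0.698, jitter: 0.073, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:12 2019, vdom root, health-check ping, interface: port13, status: up,
latency: 0.704, jitter: 0.073, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:13 2019, vdom root, health-check ping, interface: port13, status: up,
latency: 212.450, jitter: 41.200, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:14 2019, vdom root, health-check ping, interface: port13, status: down,
latency: 0.000, jitter: 0.000, packet loss: 100.000%.
"""

if __name__ == "__main__":
    for ts, intf, why in sla_breaches(parse_sla_log(SAMPLE_LOG)):
        print(ts, intf, why)
```

Feeding the parser with the output of the command run from a script over SSH, or with the `logs` array from the REST API endpoint, gives the same per-sample records, so the breach logic can be shared between the two sources.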
• Go to Lab 2.6, 3.1, 3.2 and 3.3
GOTO
154
Lab Introduction
155
• The step-by-step tasks documented here will usually not explicitly define the default
parameters when you create a new configuration item; these will, however, be clearly
depicted in the images that follow each task.
• All VERIFY slides are optional and do not change the configuration or solution
provided for a given scenario
Lab Introduction
Details
156
• Single site
• Hub and Spoke
• One Hub, Two Spokes
• Dual Hub, Two Spokes
Lab Introduction
Overview - Scenarios
157
Network Diagram
158
Network Diagram
Details
159
• Internet Cloud is a Linux host that only routes the external networks (203.0.113.0/24) and
has real Internet connectivity
• All DC Internet links are static
• All Spokes Internet links are dynamic (DHCP)
• At each site there’s at least one Linux host that can be used for testing (ping, iperf,
etc)
Network Diagram
Details
160
• All FG passwords are blank, for other devices the password is always fortinet unless
specified otherwise
• DO NOT CHANGE any passwords
Network Diagram
Details
161
• You can access any device directly using the FortiPOC automatically created port
redirections.
Network Diagram
Details
162
• For SSH you may prefer to not use the built-in client and instead use your own
machine SSH client, in this case you just need to identify which SSH port was
mapped and use it instead, e.g. to access device DC01 you would connect this way:
Network Diagram
Details
$ ssh admin@FortiPOC_IP -p 10101
163
• Access your FortiPoC using HTTPS according to your student number:
Lab Access
Details - Sunrise
Sunrise Lab
Mexico Lab
#01 – 10.20.65.1
…
#20 – 10.20.65.60
164
Lab Access
Documentation
http://bit.ly/2WaAuJq
165
• The Lab Guide contains the scenario for each lab, the overview of required tasks to
complete, how to validate and the solution (step-by-step) for each lab.
• You may try to complete the lab based on the overview and the validation, if you
have any issues you can consult the solution for the exact steps required.
• Pay special attention to slides marked with a warning symbol, as those are the
steps where most people overlook a detail and complete the task incorrectly.
Lab Access
Documentation
166
Lab Access
Access Validation
• Access your FortiPoC using HTTPS according to your student number
• Credential is admin / <blank>
• Connect to Bastion_MGMT using HTTP
167
Lab Access
Access Validation
• You should be at the Bastion MGMT Website now
• Go to WAN Emulator section
• APPLY Lab 1.1 network conditions
168
Lab 01
169
You were hired as a new Cyber Security and Network Specialist at the small ACME
company, based in Sunnyvale. On your first day at work they give you the
firewall's credentials and report that some users are already complaining about access to
the main corporate website (which is hosted on a public cloud provider), and they ask
you to fix the situation.
The corporate website is acme.inet; users download spreadsheets with
updated financial data from the website all day. Users also reported that sometimes the
site simply does not load, so they have to keep retrying during the workday, and that
they have problems downloading the large files that are generated at the end of the
day.
Lab 01 – Single Site
Scenario Description
170
Currently the bandwidth of your main Internet link is 15 Mbps, and the company recently
acquired a new backup Internet link of 15 Mbps; upload bandwidth is also 15 Mbps on both
links. The website goes down for planned maintenance every day at 22h and returns at 04h. You
also use your provider's DNS server, which is known for its incredible stability and
reliability.
The previous engineer gave you the current topology and access to the company
FortiManager, which he never used. Since you only have one firewall, your boss told you
to use the FortiManager only as a log repository for now.
Lab 01 – Single Site
Scenario Description
171
Lab 01 – Single Site
Network Diagram
172
• Pre-configured parameters on DC01
• Hostname, Admin Timeout, GUI Theme, Lat/Long, Dashboard
• IP Addressing, alias and zones for all interfaces
• DHCP Server on port5
• Static Route to Internet over INTERNET_A only
• Common Firewall Objects
• Firewall policy from LAN to INTERNET
• Logging to FMG01
Lab 01 – Single Site
Initial Config
173
Lab 01.1
Time to Complete: 30m
174
Identify the root cause of the issue reported by your users when accessing the
acme.inet website. You're not authorized to enable the secondary interface at this point.
You may want to check whether the site is available using ping from T1-DC01, to assess what's
happening when there's an outage.
• Objectives
1. Create Performance SLA’s to help you identify the issue
2. Create interface bandwidth widgets to help you identify the issue
3. Send logs to FortiManager
4. Enable additional SD-WAN logs
5. Enable Security Fabric
Lab 01.1
Identifying the problem
175
• Role and Interface In/Out Bandwidth should be configured
• Interface Widget for port2 should be created
• Create 2 probes, one to company website and another to a reliable DNS
server
• Logs should be sent to FMG
• The network conditions should be logged (every 30s on a fail condition, every
60s when it’s a success condition)
Lab 01.1
Requirements
176
Lab 01.1
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
177
Lab 01.1
Validation
178
• Check the Performance SLA dashboard
Lab 01.1
Validation
179
• Interpret the Bandwidth Widget
Lab 01.1
Validation
180
• Check logs on FMG01
Lab 01.1
Validation
▪ You should be able to identify the current network conditions from the logs
181
• From the information obtained in the Performance SLA probes, Interface Widget
and SD-WAN logs, can you identify what's happening?
• How long does every failure last?
• For how long does it work before failing again?
• How long does it take to download the big financial file?
• At this point you should have identified the root cause
• We will fix it in the next lab
Lab 01.1
Validation
182
• From the information obtained in the Performance SLA probes, Interface Widget
and SD-WAN logs you can identify that the link is constantly failing
• Every failure lasts about 1m before the link recovers again
• It works for about 3m before failing again
• The download time exceeds 3m, so it's currently not possible to download the
large financial data files
• You also ruled out congestion issues on the current interface, as users are
using less bandwidth than what's currently available
• Congratulations, you correctly identified the issue and will fix it in the next lab
Lab 01.1
Conclusion
183
• In this lab you learned how to use performance probes to help in the
process of identifying link failures
• Enabled Security Fabric to improve network visibility and sent logs to a central
location for quick review
• Configured the bandwidth values of the interfaces to enable a quick visual
assessment of congestion issues
Lab 01.1
Summary
184
Lab 01.1
You finished this lab!
185
• Go to SD-WAN Rules
GOTO
186
Lab 01.2
Time to Complete: 30m
187
You have identified that the root cause of the reported issues were related to link failures
occurring during the day, in order to fix that you plan to enable the recently acquired
backup link.
• Objectives
1. Enable the new interface
2. Adjust SD-WAN Probes and Rules
Lab 01.2
Fixing link failures
188
• Add port3 to SD-WAN Members
• Role and Interface In/Out Bandwidth should be configured
• Interface Widget for port3 should be created
• Adjust existing probes
• Probe to acme.inet should have the fastest failure detection possible and long
recovery time (300s)
• Traffic to acme.inet website should only go through interfaces that are considered
alive by the custom probe, ideally considering pkt loss as a quality criteria
• Validate using ping that access to the website is not interrupted anymore
• Validate that the issue was fixed by reproducing the large file download procedure
Lab 01.2
Requirements
189
Lab 01.2
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
190
Lab 01.2
Validation
191
• Check the Performance SLA dashboard
Lab 01.2
Validation
192
• Test website access from T1-DC01
• Connect on T1-DC01 Display
Lab 01.2
Validation
▪ Open a Terminal
» ping acme.inet
▪ Wait for at least 5m to see if any
failures occur
▪ Pay attention to when the probes
show port2 as dead and check if
the ping fails
193
• Check the Bandwidth Widget
• Traffic should only pass through stable interfaces
Lab 01.2
Validation
194
• In this lab you learned how to include additional interfaces as SD-WAN
Members and how to properly adjust an existing configuration
• You understood how to tune a Performance SLA for faster convergence and
increased stability
• You configured an SD-WAN Rule that fixed the issue with the constantly failing
link and validated that users are now able to work without any issues
Lab 01.2
Summary
195
Lab 01.2
You finished this lab!
196
Lab 01.3
Time to Complete: 30m
197
Users report that access to the application feels very slow, especially when
loading last night's corporate party pictures; the CEO is especially interested in seeing them
after lunch, so the CIO asked you to look at the issue right away.
The website development team created a page on the acme.inet website that will quickly
show you the loading time.
• Objectives
1. Define target SLAs for probes
2. Adjust rules to fix the issue
Lab 01.3
Fixing latency issues
198
The network conditions have changed since the last laboratory, you need to apply the new
conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply Lab 1.3
Lab 01.3
Scenario
199
• Define a target SLA for acme.inet probe
• You should use recommended values associated to General Web traffic
• You should set the ‘Restore link after’ back to 5 checks on the
acme.inet probe
• Identify if the recommended value is appropriate for this traffic
• Are the current links able to reach the desired values ?
• You should be able to assess the latency without any packet loss, there’s no packet loss
on this scenario and if you’re seeing it you need to discover the root cause
Lab 01.3
Requirements
200
Lab 01.3
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
201
Lab 01.3
Validation
202
• Check the Performance SLA dashboard
Lab 01.3
Validation
203
• Test website access from T1-DC01
• Connect on T1-DC01 Display
Lab 01.3
Validation
▪ Open a Terminal
» ping acme.inet
▪ Wait for at least 4m
▪ If even after the changes you still
see latency over 200ms you can
stop and restart the ping
immediately to validate
204
• Test website access from T1-DC01
• Connect on T1-DC01 Display
Lab 01.3
Validation
▪ Open a Web Browser
» Go to http://acme.inet
» Go to the Loading Time page
» Refresh the page several times, check
if you’re always getting the best
available link (based on latency)
» You should always get the best link!
205
• In this lab you learned how to tune Performance SLA timers and how to use
SLA Targets
• You also learned how the SD-WAN rule quality criteria can be used
to obtain the desired behavior and how to fix a common issue of network
slowness related to latency
Lab 01.3
Summary
206
Lab 01.3
You finished this lab!
207
• Go to Additional Features
GOTO
208
Lab 01.4
Time to Complete: 30m
209
The HR department needs to file some terminations (they discovered that some employees
were accessing pornographic content and downloading movies using BitTorrent during the
night shifts, all recorded on the security cameras), but they are being affected by an
unexpected slowness of the network today.
You know that the Storage team was working on some transfers between a new service
provider and the internal systems, and that this new application uses TCP/5201. They
implemented it yesterday, which could be related to the current high network usage.
To make the situation even worse, one of your ISPs notified you of network maintenance
and is not working today, so you only have one link available.
Lab 01.4
Scenario
210
CEO requested that all traffic to the HR applications should be prioritized, their
applications are on acme.inet website.
• Objectives
1. HR traffic should not be affected by Storage traffic
2. Configure traffic shaping to limit Storage traffic impact on all other services
Lab 01.4
Fixing network congestion issues
211
The network conditions have changed since the last laboratory, you need to apply the new
conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply Lab 1.4
Lab 01.4
Scenario
212
• Traffic to Storage Provider should not exceed 5000 kbps
Lab 01.4
Requirements
213
Lab 01.4
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
214
Lab 01.4
Validation
215
• Check port2 usage
• Go to Dashboard, Status
Lab 01.4
Validation
▪ Traffic to Storage Provider should not exceed 5000 Kbps
216
• Test website access from T1-DC01
• Connect on T1-DC01 Display
Lab 01.4
Validation
▪ Open a Terminal
» ping acme.inet
▪ Latency should be minimal
217
• Test website access from T1-DC01
• Connect on T1-DC01 Display
Lab 01.4
Validation
▪ Open a Web Browser
» Go to http://acme.inet
» It's important to type the http prefix
» Go to the Loading Time page
» Loading time must be lower than 200ms
218
• In this lab you learned how to identify excessive bandwidth usage through
Interface widgets and the offending hosts through FortiView
• You also learned how to apply bandwidth limits to inbound traffic using traffic
shapers and traffic shaping policy
Lab 01.4
Summary
219
Lab 01.4
You finished this lab!
220
Lab 02
221
Thanks to the excellent work of your team the company was super efficient last quarter and
is now expanding to new locations: they are opening a new branch office in Sunrise and
you are in charge of deploying the new site's connectivity.
You know that the Junior Technicians have already done the initial device config, and now you
need to prepare the VPNs; before travelling to the remote office you will prepare
everything on the main DC device.
Lab 02 – Hub and Spoke
Scenario Description
222
Lab 02 – Hub and Spoke
Network Diagram
223
• Pre-configured parameters on S01
• Hostname, Admin Timeout, GUI Theme, Lat/Long, Dashboard
• IP Addressing, alias, roles and zones for all interfaces
• Static Route to Internet over INTERNET_A only
• Common Firewall Objects
• Firewall policy from LAN to INTERNET
Lab 02 – Hub and Spoke
Initial Config
224
Lab 02.1
Time to Complete: 30m
225
Before travelling to the new Branch Office you need to prepare the DC device so once you
configure the tunnels at the new site they will come up right away.
• Objectives
1. Configure two VPNs, one for each WAN interface
2. Test the VPN config using FortiClient
Lab 02.1
Prepare VPNs on DC
226
The network conditions have changed since the last laboratory, you need to apply the new
conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply CLEANUP
Lab 02.1
Scenario
227
• Configure two VPNs that will support a Hub-and-Spoke topology
• One VPN should be configured for each WAN interface
• You should not use more than two rules to allow traffic to/from Spokes to DC LAN
• You should not use multiple interfaces per rule
• You should follow the IP addressing already defined in the Network Diagram
• The VPNs should be prepared to support dynamic routing
• You should not use mode-cfg
• Should a tunnel fail, the failure needs to be detected in 2s
• Failure can only be determined after at least 2 probes failed
• Tunnels will not be part of SD-WAN at DC
Lab 02.1
Requirements
228
Lab 02.1
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
229
Lab 02.1
Validation
230
• Test your new VPN using FortiClient
• Install FortiClient on YOUR LOCAL MACHINE
Lab 02.1
Validation
▪ Create a new VPN
▪ Name: FORTIPOC
▪ Remote Gateway: YOUR_FPOC_IP
▪ Pre-shared key: fortinet
▪ Mode: Main
▪ Options: Manually Set
▪ Assign IPv4 Address: 10.200.250.200/24
231
• Check online tunnels
• Go to Monitor, IPsec Monitor
Lab 02.1
Validation
232
• Test ping to remote tunnel IP
• Go to CLI
• You validated that the tunnel on HUB side is correctly configured.
Lab 02.1
Validation
STUDENT_LOCAL_MACHINE # ping 10.200.250.254
PING 10.200.250.254 (10.200.250.254): 56 data bytes
64 bytes from 10.200.250.254: icmp_seq=0 ttl=255 time=0.9 ms
64 bytes from 10.200.250.254: icmp_seq=0 ttl=255 time=0.9 ms
64 bytes from 10.200.250.254: icmp_seq=0 ttl=255 time=0.9 ms
…
233
• In this lab you learned how to configure the HUB side of a Hub and Spoke
topology
• You also learned how to tune the tunnel settings for fast failure detection and
to enable the usage of dynamic routing protocols, which is going to be
configured in a subsequent lab.
Lab 02.1
Summary
234
Lab 02.1
You finished this lab!
235
Lab 02.2
Time to Complete: 30m
236
You're in beautiful Florida and have not seen any alligators so far (apart from a guy
in an alligator costume on the beach). Now you have to complete the setup of the
branch office quickly, because the sales team is ready to start their operation but is held
back by the lack of wireless and wired connectivity at the branch.
The first task of the day is to enable branch access to the Internet so they can start doing
business.
Objectives
1. Configure SD-WAN at the Branch to enable best usage of both Internet links
2. Configure the Branch Switch
Lab 02.2
Enabling your first SD-Branch
237
The network conditions have changed since the last laboratory, you need to apply the new
conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply Lab 2.2
Lab 02.2
Scenario
238
• Enable SD-WAN, use both WAN interfaces
• Adjust the load balancing for best session distribution, use the link bandwidth
as a guide
• INTERNET_A is an 80 Mbps ADSL link
• INTERNET_B is a 20 Mbps ADSL link
• Create a probe to acme.inet website using HTTP
Lab 02.2
Requirements
239
Lab 02.2
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
240
Lab 02.2
Validation
241
• Check interface usage
Lab 02.2
Validation
▪ Traffic should be load balanced and no interface should be near max usage
242
Lab 02.2
You finished this lab!
243
Lab 02.3
Time to Complete: 30m
244
Now that users are able to access the Internet you need to further improve the Branch
Office workflow by enabling secure communication to Internal Systems, in this section you
will configure the VPN tunnels to DC.
Objectives
1. Configure secure connectivity to internal systems
2. Distribute the VPN load between all available tunnels
Lab 02.3
Enabling secure connectivity to DC
245
The network conditions have not changed since the last laboratory, you do not need to
apply any new conditions now.
• Keep 02.2 settings
Lab 02.3
Scenario
246
• Create two VPN tunnels to DC01, one for each interface
• Create a probe to DC01 LAN IP
• Traffic to Internet should never go through the tunnels
• Traffic to DC01 should use both tunnels
• NAT should not be enabled for internal traffic
Lab 02.3
Requirements
247
Lab 02.3
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
248
Lab 02.3
Validation
249
• Check tunnel status
• Go to Monitor, IPsec Monitor
Lab 02.3
Validation
▪ Both tunnels should be up
250
• Test ping to remote tunnel IP
• Go to CLI
• You validated that the overlay traffic is working.
Lab 02.3
Validation
S01 # exec ping 10.200.250.254
PING 10.200.250.254 (10.200.250.254): 56 data bytes
64 bytes from 10.200.250.254: icmp_seq=0 ttl=255 time=0.9 ms
…
S01 # exec ping 10.200.251.254
PING 10.200.251.254 (10.200.251.254): 56 data bytes
64 bytes from 10.200.251.254: icmp_seq=0 ttl=255 time=0.7 ms
…
251
• Check which interface is being used for Internet traffic
• Go to FortiView, Destinations, Double-click acme.inet, Sessions
Lab 02.3
Validation
▪ Tunnels are not used for Internet traffic
252
• Check probe status
• Go to Network, Performance SLA
Lab 02.3
Validation
▪ All probes should be normal
253
Lab 02.3
You finished this lab!
254
• Go to BGP
GOTO
255
Lab 02.4
Time to Complete: 30m
256
Now that users are able to access the Internet, you need to further improve the Branch
Office workflow by enabling secure communication to internal systems. In this section you
will configure BGP inside the VPN tunnels for scalable expansion and reduced operational
overhead when bringing up new branches.
Objectives
1. Configure BGP on DC01 and S01
2. Establish connectivity between the LAN networks of both sites
Lab 02.4
Configure dynamic routing
257
The network conditions have changed since the last lab, so you need to apply the new
conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply CLEANUP
Lab 02.4
Scenario
258
• Configure BGP on DC01 with AS 64500
• All LAN networks should be advertised
• At DC01 you should not configure any explicit peers
• All peers should have fast convergence timers tuned:
• Keepalive: 5
• Holdtime: 15
• You should be able to see all available paths to any LAN network in the
active routing table
Lab 02.4
Requirements
259
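A worked configuration for these requirements, added here as an example rather than the deck's own solution. It assumes all sites share AS 64500 (iBGP), that the two hub tunnel interfaces carry 10.200.250.254 and 10.200.251.254 on /24 overlay subnets (taken from the Lab 02.3 validation pings), that DC01's LAN is 10.100.0.0/24 and S01's LAN is 10.1.0.0/24 (taken from the ping targets later in this lab), and FortiOS CLI syntax.

```fortios
# DC01 (hub): no explicit peers. A spoke is accepted dynamically when its
# tunnel IP falls inside one of the neighbor-range prefixes below.
config router bgp
    set as 64500
    set router-id 10.200.250.254          # assumption: hub's first tunnel IP
    # install every equal-cost iBGP path, so both tunnels appear in the
    # active routing table for each branch LAN (requirement: all paths visible)
    set ibgp-multipath enable
    config neighbor-group
        edit "BRANCHES"
            set remote-as 64500
            # fast convergence timers from the requirements
            set keep-alive-timer 5
            set holdtime-timer 15
            set next-hop-self enable
            set soft-reconfiguration enable
        next
    end
    config neighbor-range
        # overlay subnets assumed from the tunnel IPs 10.200.250.254 / 10.200.251.254
        edit 1
            set prefix 10.200.250.0 255.255.255.0
            set neighbor-group "BRANCHES"
        next
        edit 2
            set prefix 10.200.251.0 255.255.255.0
            set neighbor-group "BRANCHES"
        next
    end
    config network
        # advertise the DC LAN (assumed /24)
        edit 1
            set prefix 10.100.0.0 255.255.255.0
        next
    end
end

# S01 (spoke): one explicit peer per tunnel, the same timers, and the branch LAN advertised.
config router bgp
    set as 64500
    set router-id 10.1.0.254              # S01 LAN address seen in the ping output
    set ibgp-multipath enable
    config neighbor
        edit "10.200.250.254"
            set remote-as 64500
            set keep-alive-timer 5
            set holdtime-timer 15
        next
        edit "10.200.251.254"
            set remote-as 64500
            set keep-alive-timer 5
            set holdtime-timer 15
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.255.0
        next
    end
end

# Verification on either side:
#   get router info bgp summary          -> both peers in state Established
#   get router info routing-table bgp    -> 10.100.0.0/24 (on S01) listed via both tunnel IPs
```

With multipath enabled, the validation step "Routing Monitor, Filter by Type: BGP" should show the remote LAN twice, once per tunnel.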
Lab 02.4
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
260
Lab 02.4
Validation
261
• Check DC01 LAN reachability from S01
• Go to Monitor, Routing Monitor, Filter by Type: BGP
Lab 02.4
Validation
262
• Test connectivity from T1-DC01
• Connect on T1-DC01 Display
▪ Open a Terminal
» ping 10.1.0.50
» ping 10.1.0.254
Lab 02.4
Validation
263
• Test connectivity from T1-S01
• Go to CLI (ssh root@FPOC_IP -p 10114)
• You validated communication between S01 LAN and DC01 LAN.
Lab 02.4
Validation
root@t1-s01:~# # ping 10.100.0.254
PING 10.100.0.254 (10.100.0.254): 56 data bytes
64 bytes from 10.100.0.254: icmp_seq=0 ttl=255 time=0.9 ms
…
root@t1-s01:~# # ping 10.100.0.50
PING 10.100.0.50 (10.100.0.50): 56 data bytes
64 bytes from 10.100.0.50: icmp_seq=0 ttl=255 time=0.7 ms
…
264
Lab 02.4
You finished this lab!
265
Lab 02.5
Time to Complete: 30m
266
You arrived at the Branch Office ready to say goodbye to everyone and head back home,
but your coffee is still warm when the Branch Manager comes to your desk complaining that
nothing is working and that you can't leave before fixing it.
Objectives
1. Discover and fix the problem
Lab 02.5
Save the day!
267
The network conditions have changed since the last lab, so you need to apply the new
conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply Lab 2.5
Lab 02.5
Scenario
268
• Find the root-cause
• Fix the problem
Lab 02.5
Requirements
269
Lab 02.5
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
270
Lab 02.5
Validation
271
• Check tunnel status
• Go to Monitor, IPsec Monitor
Lab 02.5
Validation
▪ Both tunnels should be up
272
• Check DC01 LAN reachability from S01
• Go to Monitor, Routing Monitor, Filter by Type: BGP
Lab 02.5
Validation
273
• Test external access from T1-DC01
• Connect on T1-DC01 Display
Lab 02.5
Validation
▪ Open a Terminal
» ping 8.8.8.8
274
Lab 02.5
Solution
275
• Test connectivity from T1-S01
• Go to CLI (ssh root@FPOC_IP -p 10114)
• Something is wrong!
Lab 02.5
Solution
root@t1-s01:~# ping 10.100.0.254
PING 10.100.0.254 (10.100.0.254) 56(84) bytes of data.
From 10.1.0.254 icmp_seq=1 Destination Net Unreachable
From 10.1.0.254 icmp_seq=2 Destination Net Unreachable
root@t1-s01:~# ping 10.100.0.50
PING 10.100.0.50 (10.100.0.50) 56(84) bytes of data.
From 10.1.0.254 icmp_seq=1 Destination Net Unreachable
From 10.1.0.254 icmp_seq=2 Destination Net Unreachable
276
• Check tunnel status
• Go to Monitor, IPsec Monitor
Lab 02.5
Solution
▪ Tunnels are down!
277
• Check probe status
• Go to Network, Performance SLA
Lab 02.5
Solution
▪ All probes are down!
278
Find the root cause
Fix the problem
Save the day!
279
• Go to FEC
GOTO
280
Lab 02.6
Time to Complete: 30m
281
The expansion was a huge success and the CEO is planning to open 10 more branches. To
prepare for this rapid expansion, your CIO asked you to start using the centralized
management capabilities of the FortiManager you already own; at this point you just need
to add the existing devices.
Objectives
1. Manage DC01 and S01 through FortiManager
Lab 02.6
Enable Centralized Management
282
The network conditions have changed since the last lab, so you need to apply the new
conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply CLEANUP
Lab 02.6
Scenario
283
• Import DC01 and S01 into FortiManager
• Import the SD-WAN profile of S01
Lab 02.6
Requirements
284
Lab 02.6
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
285
Lab 02.6
Validation
286
• Check that everything is synchronized on FMG
• Go to Device Manager, Device & Groups
Lab 02.6
Solution
▪ Change to Map View
▪ All devices should be healthy
and synced
287
Lab 02.6
You finished this lab!
288
Lab 03
289
Now you will use FortiManager to deploy a new branch. The objective is to simplify IT
with central management and visibility of the whole infrastructure, taking scalability
into consideration and also preparing for unified communications in the near future.
Lab 03 – One Hub, Two Spokes
Scenario Description
290
Lab 03 – One Hub, Two Spokes
Network Diagram
291
• Pre-configured parameters on S02
• IP Addressing on port1 (OOB_MGMT)
• DHCP on port2 (WAN Interface)
• Minimal SD-WAN config (Interface with only port2 and default route)
• Pre-configured parameters on FMG01
• Admin Profiles and Pictures
Lab 03 – One Hub, Two Spokes
Initial Config
292
Lab 03.1
Time to Complete: 30m
293
You just opened a new branch office and need to provision it quickly; leverage the
standard configuration from S01 to speed up the process.
Objectives
1. Provision S02
Lab 03.1
Expand!
294
The network conditions have changed since the last lab, so you need to apply the new
conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply CLEANUP
Lab 03.1
Scenario
295
• Allow FMG connectivity through the Internet
• FMG Public IP should be 203.0.113.5
• Configure S02 Central Management
• Apply a SD-WAN Template to S02
Lab 03.1
Requirements
296
Lab 03.1
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
297
Lab 03.1
Validation
298
• Check VPN status on FMG01
• Go to VPN Manager, Monitor. VPN is UP for all branches.
Lab 03.1
Validation
299
• Check SD-WAN status on FMG01
• Go to Device Manager, SD-WAN, Monitor
Lab 03.1
Validation
▪ All devices should be healthy
300
• Check that everything is synchronized on FMG
• Go to Device Manager, Device & Groups
Lab 03.1
Validation
▪ Change to Map View
▪ All devices should be healthy
and synced
301
Lab 03.1
You finished this lab!
302
Lab 03.2
Time to Complete: 30m
303
Users of the new office are complaining that nothing is working.
Objectives
1. Discover the root-cause
2. Fix the new branch issues
Lab 03.2
Expand?
304
The network conditions have changed since the last lab, so you need to apply the new
conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply LAB 3.2
Lab 03.2
Scenario
305
• Find the root-cause
• Fix the problem
Lab 03.2
Requirements
306
Lab 03.2
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
307
• Test S02 reachability from T1-DC01
• Connect on T1-DC01 Display
Lab 03.2
Validation
▪ Open a Terminal
» ping 10.2.0.254
» It should work
308
• Test connectivity from T1-S02
• Go to CLI (ssh root@FPOC_IP -p 10113)
• It should work
Lab 03.2
Validation
root@t1-s02:~# ping 10.100.0.254
PING 10.100.0.254 (10.100.0.254) 56(84) bytes of data.
From 10.1.0.254 icmp_seq=1 Destination Net Unreachable
From 10.1.0.254 icmp_seq=2 Destination Net Unreachable
root@t1-s02:~# ping acme.inet
PING 10.100.0.50 (10.100.0.50) 56(84) bytes of data.
From 10.1.0.254 icmp_seq=1 Destination Net Unreachable
From 10.1.0.254 icmp_seq=2 Destination Net Unreachable
309
Find the root cause
Fix the problem
Save the day!
310
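An added troubleshooting sequence, not part of the deck, for the symptoms shown in Lab 02.5 and Lab 03.2 ("Destination Net Unreachable" from the branch gateway, tunnels down, probes down). It assumes you are on the spoke's FortiOS CLI, that the overlay peers are 10.200.250.254 and 10.200.251.254, and that the hub accepts spokes through a BGP neighbor-range; the health-check command name depends on the FortiOS release.

```fortios
# 1. Symptom check: the LAN gateway answered "Destination Net Unreachable",
#    so the branch has no route to the DC LAN. Confirm the BGP routes are gone
#    and whether the sessions are still Established.
get router info routing-table bgp
get router info bgp summary

# 2. BGP rides inside the IPsec tunnels, so a missing route usually means the
#    tunnel is down (matches the IPsec Monitor slide). Check IKE and IPsec SAs.
diagnose vpn ike gateway list
diagnose vpn tunnel list              # no SAs or zero enc/dec counters = tunnel not passing traffic

# 3. The Performance SLA probes target the DC LAN through the tunnels, so they
#    fail for the same reason; confirm rather than chasing them separately.
diagnose sys virtual-wan-link health-check     # FortiOS 6.2
# diagnose sys sdwan health-check              # FortiOS 6.4 and later

# 4. Are IKE negotiations leaving the WAN interfaces and being answered?
#    Filter on IKE/NAT-T ports only, 10 packets, so the capture stays readable.
diagnose sniffer packet any 'udp port 500 or udp port 4500' 4 10

# 5. If packets leave but no answer comes back, the WAN emulator conditions
#    applied in this lab are the first suspect; if the peer answers but IKE
#    fails, enable the IKE debug briefly and read the negotiation messages.
diagnose debug application ike -1
diagnose debug enable
# ... reproduce, then switch it off again:
diagnose debug disable
diagnose debug reset

# 6. For a newly provisioned spoke (Lab 03.2) that has tunnels up but no routes,
#    check on the hub that the spoke's tunnel IP falls inside a neighbor-range
#    prefix; a peer outside the range is never accepted as a dynamic neighbor.
get router info bgp summary
show router bgp
```

Work from the route table outward: once a step shows healthy state, the fault is in the next layer down (route, tunnel, probe, underlay).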
Lab 03.3
Time to Complete: 30m
311
Users on S01 need to access some files on S02, enable that traffic through the HUB.
Objectives
1. Enable branch to branch communication, using the HUB
Lab 03.3
Enable Branch to Branch communication
312
The network conditions have changed since the last lab, so you need to apply the new
conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply CLEANUP
Lab 03.3
Scenario
313
• Find the root-cause
• Fix the problem
Lab 03.3
Requirements
314
Lab 03.3
Configuration
• Configure the lab according to the
requirements
• After finishing the configuration,
check if you accomplished the
section goals using the validation as
a guideline
• If you prefer you can skip directly to
the solution, and follow the step-by-
step guide
315
322
SD-WAN Training LABS
You finished the training!
323
324
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
 
Alambagh Call Girl 9548273370 , Call Girls Service Lucknow
Alambagh Call Girl 9548273370 , Call Girls Service LucknowAlambagh Call Girl 9548273370 , Call Girls Service Lucknow
Alambagh Call Girl 9548273370 , Call Girls Service Lucknow
 
(办理学位证)多伦多大学毕业证成绩单原版一比一
(办理学位证)多伦多大学毕业证成绩单原版一比一(办理学位证)多伦多大学毕业证成绩单原版一比一
(办理学位证)多伦多大学毕业证成绩单原版一比一
 
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCRReal Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
 
定制(UI学位证)爱达荷大学毕业证成绩单原版一比一
定制(UI学位证)爱达荷大学毕业证成绩单原版一比一定制(UI学位证)爱达荷大学毕业证成绩单原版一比一
定制(UI学位证)爱达荷大学毕业证成绩单原版一比一
 
vip Model Basti Call Girls 9999965857 Call or WhatsApp Now Book
vip Model Basti Call Girls 9999965857 Call or WhatsApp Now Bookvip Model Basti Call Girls 9999965857 Call or WhatsApp Now Book
vip Model Basti Call Girls 9999965857 Call or WhatsApp Now Book
 
《伯明翰城市大学毕业证成绩单购买》学历证书学位证书区别《复刻原版1:1伯明翰城市大学毕业证书|修改BCU成绩单PDF版》Q微信741003700《BCU学...
《伯明翰城市大学毕业证成绩单购买》学历证书学位证书区别《复刻原版1:1伯明翰城市大学毕业证书|修改BCU成绩单PDF版》Q微信741003700《BCU学...《伯明翰城市大学毕业证成绩单购买》学历证书学位证书区别《复刻原版1:1伯明翰城市大学毕业证书|修改BCU成绩单PDF版》Q微信741003700《BCU学...
《伯明翰城市大学毕业证成绩单购买》学历证书学位证书区别《复刻原版1:1伯明翰城市大学毕业证书|修改BCU成绩单PDF版》Q微信741003700《BCU学...
 
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
 
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall AvailableCall Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
 

Track SD-WAN.pdf

  • 1. 1 Secure SD-WAN Training Michel Barbosa, NSE8 Paulo Raponi, NSE8 CSE LATAM
  • 2. 3 ▪ 2 days workshop ▪ Starts at *9:00 ▪ 15 minutes break at 11:00 ▪ Lunch at 12:30 ▪ Restarts at 13:30 ▪ 15 minutes break at 16:00 ▪ Ends at ~18:00 Schedule
  • 3. 4 Agenda SD-WHAT ? SD-WAN and the Digital Transformation Use Cases Real World Implementation FORTIOS Secure SD-WAN
  • 18. 19 SD-WAN and the Digital Transformation
  • 19. 20 Digital Transformation: the use of digital technology to solve traditional problems. These digital solutions enable inherently new types of innovation and creativity, rather than simply enhancing and supporting traditional methods. Most organizations are in the midst of some form of digital transformation (DX), transforming how they bring products and services to the market. Drivers: SaaS applications and cloud readiness; efficient bandwidth for unified communication; better integration; simplified operations.
  • 20. 21 Existing WAN is an obstacle for Digital Transformation Enterprise Branch WAN MPLS Data-Center Internet $300 - $600 Average Monthly cost of MPLS per Mbps Source: Network World Enterprise WAN
  • 21. 22 Gartner: Security is Biggest WAN Concern. Security is the top concern during WAN initiatives, followed by Application Performance. Source: Gartner Survey Analysis: Address Security and Digital Concerns to Maintain Rapid SD-WAN Growth, Naresh Singh, 12 November 2018 (ID: 355369). Chart "Security is the Biggest WAN Concern" (percentage of respondents; base: total, excluding no specific concerns; n = 303; Q07: What are the top three biggest concerns, if any, with your overall WAN today?). Sum of top three choices per concern: Security 72%, Performance 58%, Cost 47%, Management (visibility, monitoring and troubleshooting) 34%, Availability 34%, Meeting cloud/digital-specific requirements 31%, Lack of agility/flexibility 22%. For Security the split is 36% first choice, 21% second and 15% third.
  • 22. 23 Secure Connectivity to Cloud Dynamically distribute business applications across multiple WAN Links Dramatically Simplifies traditional WAN Complexity Lightweight Replacement of traditional routers SD-WAN is the New WAN Edge Transformation SD-WAN FUNCTIONALITY SIMPLIFICATION
  • 23. 24 Secure SD-WAN in the age of Digital Transformation Enhanced application experience IT agility Simpler management Lower cost Faster deployment Security
  • 24. 25 Self Driving WAN for Business Centric Applications
  • 25. 26 Gartner’s 2018 Magic Quadrant for WAN Edge (SD-WAN): "Fortinet should be shortlisted for all WAN edge opportunities globally. The vendor’s vision and roadmap to deliver increasing levels of automation align with Gartner’s view of emerging customer needs." Marked as a “Challenger” with the furthest “Completeness of Vision”.
  • 26. 27 Fortinet is the ONLY vendor that can truly deliver • #1 in QoE for VoIP • 3rd party proven SD-WAN • Best TCO for SD-WAN • Only secure SD-WAN solution * Quality of experience
  • 28. 29 SD-WAN - Key Use Cases Reduce WAN OpEx MPLS to Broadband Transition High Quality of Experience for Unified Communication Simplified Operations Zero Touch Deployment at Scale Single pane of glass management Digital Transformation Business Applications Steering with low latency Top rated threat protection and detection for Direct Internet Access Network Security Network Operations Security Operations
  • 29. 30 Transform your WAN Edge with Secure SD-WAN Secure SD-WAN Purpose-Built Security Processor Threat Intelligence Zero Touch Deployment Centralized Management and Analytics Web Filtering IPS Anti Malware Cloud Sandbox Application WAN Path Controller Routing WAN Optimization FortiOS
  • 30. 31 Extend Secure SD-WAN to SD-Branch Security Driven Network Security extended to the access layer Enable Global Security Policies and Enforcement Simplified Operations Zero Touch Deployment at Scale Single pane of glass management Integration of SD-WAN and LAN Branch Services Management Integrated Enable automation, improve visibility Network Security Network Operations Security Operations Secure Access
  • 31. 32 • Deeper Integration between WAN and LAN • Extended Security for the entire branch • Single Monitoring & Management for entire branch Fortinet Secure SD-Branch Wireless Controller Switch Controller FortiLink Purpose Built Security Processor SSL-Inspection Broad Integrated Automated FortiGate NGFW SD-WAN FortiManager FortiDeploy Single Pane of Glass NOC/SOC
  • 32. 33 Fortinet Security Fabric Enables Security Driven Networking WAN Edge Network Security Network Operations Multi-Cloud Security Endpoint/Device Protection Secure Access Application Security Fabric APIs Fabric Connectors Security Operations AUTOMATED Operations, Orchestration & Response INTEGRATED AI-driven breach prevention across all devices, networks, and applications BROAD Visibility of the entire digital attack surface
  • 34. 35 Enterprise SD-WAN Internet SaaS – Application Aware + Path Awareness Intelligence Internet ISP-B Internet ISP-A Critical Apps Best path is chosen depending on latency, jitter & packet loss Critical Apps Redirected to a new link in case the WAN conditions are better than the threshold Office Not Business App Less priority. QoS ADSL 4G LTE
  • 35. 36 Enterprise SD-WAN MPLS backup with local breakout MPLS Branch HQ MPLS Dependency Inflexible, expensive, good QoS Critical Apps & Secure access Redundant path through IPSec VPN Direct secure access to Internet, SaaS and IaaS content NGFW + SSL Inspection Internet ADSL MPLS
  • 36. 37 Enterprise SD-WAN Centralized Internet Management Retail Retail MPLS Internet Internet Internet Internet Internet Central Traffic Management Route all the traffic through HQ HQ Secure access to Internet, SaaS and IaaS content NGFW + SSL Inspection – Load balance if needed. Aggregate tunnel Aggregate tunnel ADSL MPLS Dedicated Central Management
  • 37. 38 Enterprise SD-WAN Redundant Hybrid / Public Cloud Branch Internet MPLS Internet Health-Check Link Fail Detected Redundant Access Traffic through HQ HQ Dynamic Routing ADSL MPLS Dedicated
  • 38. 39 © Fortinet Inc. All Rights Reserved. 39 FortiOS SD-WAN Evolution
  • 39. 40 FortiOS SD-WAN - Evolution. Feature availability by FortiOS release (2.8, 3.0, 5.2, 5.4, 5.6, 6.0, 6.2); a feature introduced in one release stays available in every later release:
    2.8: Policy Route
    3.0: Equal-cost multipath (ECMP), Dead Gateway Detection
    5.2: WAN Link Load Balance, Zero Touch
    5.4: ISDB, Best Path Selection
    5.6: SD-WAN Interface, Security Fabric
    6.0: Minimum SLA enforcement link steering, Application Control, FortiManager Template and Monitor, IPv6, Dynamic Routing (BGP), Interface percentage based traffic shaping
    6.2: Forward Error Correction, SD-WAN rule load balance, Per packet load balance, Additional BGP path, ADVPN, Cloud-Assist Monitoring, Factory default health checks
  • 41. 42 FortiOS SD-WAN Interface Members. Enable or disable the sd-wan virtual interface. Configure all interfaces and gateways (IPv4 and IPv6*) that will be used as SD-WAN members. Physical, VLAN, IPsec, 3G/4G and FortiExtender interfaces are supported (up to 254 interfaces). SD-WAN usage dashboard: statistics only.
  • 42. 43 FortiOS SD-WAN Interface Bandwidth. inbandwidth/outbandwidth (kbps) must be configured on the member interfaces for the Downstream, Upstream and Bandwidth options of Best Quality rules and for shaping settings. The Estimated Bandwidth (kbps) in the GUI must be set to the same value as inbandwidth/outbandwidth.
  • 43. 44 FortiOS SD-WAN Dual VPN Tunnel to Data Center
  • 44. 45 FortiOS SD-WAN IPsec VPN Wizard. Inside the SD-WAN configuration you can start a VPN wizard that automatically creates multiple VPN overlay tunnels to a hub site. You can choose multiple interfaces; all Phase1 and Phase2 definitions are created and added to the SD-WAN configuration.
  • 45. 46 FortiOS SD-WAN Basic Config - Static Routing. You need to add a route to the SD-WAN interface to install it in the routing table; the load balancing algorithm will not work otherwise. FortiGate automatically adds the default gateway addresses from the SD-WAN interface configuration.
  • 46. 47 FortiOS SD-WAN Basic Config - Firewall Policy. Aggregate multiple interfaces into a single SD-WAN interface and apply one security policy across all of them. The sd-wan virtual interface is available as source interface and destination interface in firewall policies.
  • 48. 49 FortiOS SD-WAN Performance SLA
    IP Version: IPv4 or IPv6
    Protocol: use ping or HTTP to test the link with the server
    Server: IP address or FQDN of the server. If two servers are configured, both need to fail for the link to be detected as offline
    Participants: interface members for this health-check
    SLA Targets (optional): used in SD-WAN rules with the SLA strategy
    Status check interval: the time between attempts to connect to the server
    Number of failures before the server is considered lost
    Number of successful responses received before the server is considered recovered
    Enable/disable updating the static route: when enabled and the health-check fails, FortiOS disables the static routes of inactive interfaces
  • 49. 50 FortiOS SD-WAN Performance SLA – Recommended Values
  • 50. 51 FortiOS SD-WAN Performance SLA - HTTP protocol additional settings
    config system virtual-wan-link
        config health-check
            edit "test-link"
                ...
                set server "www.google.com"
                set protocol http
                set port 80
                set http-get "/"
                set http-match ...
            next
        end
    end
    ▪ protocol: http
    ▪ port: port number used to communicate with the server over the selected protocol
    ▪ http-get: URL path used to communicate with the server if the protocol is HTTP
    ▪ http-match: response string expected from the server if the protocol is HTTP. Leave blank to accept any response
  • 51. 52 FortiOS SD-WAN Performance SLA – Dashboard ▪ Performance SLA data is for the last 10 minutes.
  • 52. 53 FortiOS SD-WAN Performance SLA - SNMP Support. The same results shown by the CLI can be read by an SNMP client using the FortiGate MIB:
    FG # diag sys virtual-wan-link health-check
    Health Check(ping):
    Seq(1): state(alive), packet-loss (0.000%) latency (0.381), jitter(0.024) sla_map=0x0
    Seq(2): state(alive), packet-loss (0.000%) latency (0.700), jitter(0.084) sla_map=0x0
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkState.1 = INTEGER: alive(0)
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkState.2 = INTEGER: alive(0)
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkLatency.1 = STRING: 0.381
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkLatency.2 = STRING: 0.700
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkJitter.1 = STRING: 0.024
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkJitter.2 = STRING: 0.084
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketSend.1 = Counter64: 8409
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketSend.2 = Counter64: 8409
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketRecv.1 = Counter64: 8359
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketRecv.2 = Counter64: 8336
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketLoss.1 = STRING: 0.000
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkPacketLoss.2 = STRING: 0.000
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkVdom.1 = STRING: root
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkVdom.2 = STRING: root
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthIn.1 = Counter32: 100
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthIn.2 = Counter32: 100
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthOut.1 = Counter32: 100
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthOut.2 = Counter32: 100
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthBi.1 = Counter32: 200
    FORTINET-FORTIGATE-MIB::fgVWLHealthCheckLinkBandwidthBi.2 = Counter32: 200
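The Performance SLA slides above describe the health-check knobs (failures before a server is considered lost, successes before it is considered recovered, and latency/jitter/packet-loss measurements compared against SLA targets). The following is an added example, not code from the deck or from FortiOS: a simplified model of that health check, fed with constructed probe results. The failtime/recoverytime state machine, the 10-probe window and the jitter calculation (mean absolute difference between consecutive RTTs) are modelling assumptions, not FortiOS internals.

```python
# Added example (not from the Fortinet deck): a simplified model of a FortiOS
# Performance SLA health check. Probe results are constructed inline; the
# failtime/recoverytime state machine and the loss/latency/jitter maths are
# assumptions modelled on the options the slides describe.
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class HealthCheck:
    failtime: int = 5        # consecutive failures before the server is considered lost
    recoverytime: int = 5    # consecutive successes before it is considered recovered
    alive: bool = True
    fail_streak: int = 0
    ok_streak: int = 0
    samples: List[Optional[float]] = field(default_factory=list)  # RTT in ms, None = no reply

    def probe(self, rtt_ms: Optional[float]) -> bool:
        """Record one probe result and return the link state after applying it."""
        self.samples.append(rtt_ms)
        if rtt_ms is None:
            self.fail_streak += 1
            self.ok_streak = 0
            if self.alive and self.fail_streak >= self.failtime:
                self.alive = False
        else:
            self.ok_streak += 1
            self.fail_streak = 0
            if not self.alive and self.ok_streak >= self.recoverytime:
                self.alive = True
        return self.alive

    def stats(self, window: int = 10) -> Dict[str, float]:
        """Packet loss (%), mean latency (ms) and jitter (ms) over the last `window` probes."""
        recent = self.samples[-window:]
        if not recent:
            return {"packet_loss": 100.0, "latency": float("inf"), "jitter": 0.0}
        rtts = [s for s in recent if s is not None]
        lost = len(recent) - len(rtts)
        latency = mean(rtts) if rtts else float("inf")
        # Jitter taken as the mean absolute difference between consecutive RTTs (assumption).
        diffs = [abs(a - b) for a, b in zip(rtts, rtts[1:])]
        jitter = mean(diffs) if diffs else 0.0
        return {"packet_loss": 100.0 * lost / len(recent), "latency": latency, "jitter": jitter}


def meets_sla(stats: Dict[str, float], latency_ms: float, jitter_ms: float, loss_pct: float) -> bool:
    """SLA target check: every measured value must be within its threshold."""
    return (stats["latency"] <= latency_ms
            and stats["jitter"] <= jitter_ms
            and stats["packet_loss"] <= loss_pct)


def demo_health_check() -> Dict[str, object]:
    """Run two constructed probe series and report link state and SLA status."""
    wan1 = HealthCheck(failtime=3, recoverytime=3)
    wan2 = HealthCheck(failtime=3, recoverytime=3)
    # Constructed sample data: wan1 is stable; wan2 flaps and then stops answering.
    for rtt in [10.0, 11.0, 10.5, 10.2, 11.1, 10.0, 10.4, 10.9, 10.3, 10.6]:
        wan1.probe(rtt)
    for rtt in [40.0, None, 55.0, None, None, None, 60.0, None, None, None]:
        wan2.probe(rtt)
    # SLA target: latency <= 50 ms, jitter <= 5 ms, packet loss <= 1 %
    return {
        "wan1_alive": wan1.alive, "wan1_stats": wan1.stats(),
        "wan1_sla": meets_sla(wan1.stats(), 50, 5, 1),
        "wan2_alive": wan2.alive, "wan2_stats": wan2.stats(),
        "wan2_sla": meets_sla(wan2.stats(), 50, 5, 1),
    }


if __name__ == "__main__":
    for key, value in demo_health_check().items():
        print(key, value)
```

Note that wan2 answers one probe in the middle of its outage; with recoverytime 3 a single success does not bring the member back, which is the flap-damping the slide's "number of successful responses before the server is considered recovered" setting provides.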
  • 53. 54 • Go to Lab Introduction and 1.1 GOTO
  • 55. 56 FortiOS SD-WAN Rules ▪ SD-WAN rules are evaluated top down; the order is important ▪ If no rule matches, the implicit rule is used ▪ Each rule is a “policy route” inside FortiOS
  • 56. 57 FortiOS SD-WAN Rules. Source (optional) fields accept IP/mask and user group. Destination accepts address, protocol, Internet Service and Application Control. Outgoing interfaces can be selected with the Manual, Best Quality, Lowest Cost (SLA) or Maximize Bandwidth strategy.
  • 57. 58 FortiOS SD-WAN Rules – Implicit Rule. The implicit catch-all rule at the bottom decides how to distribute the remainder of the traffic: ▪ Source IP ▪ Sessions ▪ Spillover ▪ Source-Destination ▪ Volume
  • 58. 59 FortiOS SD-WAN Rules – Implicit Rule Algorithms. How do they work?
    Source IP: tries to divide the traffic equally between the interfaces included in the virtual WAN interface, using the source IP address of the connection as the sorting criterion.
    Sessions: uses an integer weight per interface; the number of sessions on each interface is what is measured, not the packets flowing through it.
    Spillover: a threshold (in kbps) is set for an interface; once the traffic bandwidth exceeds that threshold, any bandwidth beyond it is sent out through another interface.
    Source-Destination: tries to divide the traffic equally between the interfaces included in the virtual WAN interface, using the combination of source and destination IP addresses as the sorting criterion.
    Volume: a straightforward method of distributing the load based on the amount of packets going through the interfaces. An integer weight per interface is used to calculate the percentage of the total volume directed to that interface.
  • 59. 60 FortiOS SD-WAN Rules – ISDB (Internet Service Database) as rule destination. Internet Service Database: ▪ Dynamically updated (by FortiGuard) database of known service IPs, ports and protocols ▪ Layer 4. Discover the Internet Service name by IP:
    FG # diagnose internet-service match root 8.8.8.8 255.255.255.255
    Internet Service: 65539(Google-DNS), matched num: 1
  • 60. 61 FortiOS SD-WAN Rules – Application Control Rules – Application Control 2100+ Application Signatures (Layer 7) to use as Destination Application Control ▪ Dynamically updated database of applications ▪ Signature ▪ Layer 7 Applications with the icon requires SSL Deep Inspection
  • 61. 62 FortiOS SD-WAN Rules – Application Control - How it works? • You need to add an Application Control profile in a firewall policy • After the first packets are detected by the Application Control engine, FortiOS creates a local, dynamic ISDB with the destination IPs and ports relevant to that signature. YouTube example:
    FG # diagnose sys virtual-wan-link internet-service-ctrl-list
    Ctrl application(YouTube 31077):Internet Service ID(4294836224) Protocol(6), Port(443)
    Address(6): 172.217.28.86 187.181.68.45 172.217.30.33 216.58.202.142 172.217.28.142 209.85.224.201
    Ctrl application(YouTube_Video.Play 38569):Internet Service ID(4294836225) Protocol(6), Port(443)
    Address(2): 187.181.68.45 209.85.224.201
    The command above lists all IPs/ports of the dynamic database. Clear the dynamic database (if needed):
    FG # diagnose sys virtual-wan-link internet-service-ctrl-flush
  • 62. 63 ▪ For Google signatures (like YouTube) you need to block QUIC ▪ Require FortiCare subscription for signature update FortiOS SD-WAN Rules – Application Control Rules – Application Control - How it works?
  • 63. 64 © Fortinet Inc. All Rights Reserved. 64 SD-WAN Rule Strategy – Manual
  • 64. 65 FortiOS SD-WAN Rules Strategy – Manual The Manual Strategy: Assign interfaces a priority manually. Only one Interface option.
  • 65. 66 © Fortinet Inc. All Rights Reserved. 66 SD-WAN Rule Strategy – Best Quality
  • 66. 67 FortiOS SD-WAN Rules Strategy – Best Quality. The Best Quality strategy: FortiGate uses the link providing the best network quality based on Latency, Jitter, Packet Loss, Downstream, Upstream, Bandwidth or a custom profile. When the difference between two links is within the percentage configured as link-cost-threshold (CLI), the FortiGate uses the link with the higher priority, which is the first member in the priority-members list.
    config system virtual-wan-link
        config service
            edit "test-link"
                set link-cost-threshold 10
                ...
  • 67. 68 FortiOS SD-WAN Rules link-cost-threshold - How it works? set link-cost-threshold {integer}: percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10). The purpose of the link cost threshold is to prevent flapping between networks: after a fail-over, fail-back only occurs once the recovering link is 10% (default) better than the current one. Values above 100 are allowed because sometimes you only want to switch back to WAN1 once its quality is 5 times better than WAN2; in that case configure the threshold as 500.
  • 68. 69 FortiOS SD-WAN Rules link-cost-threshold - How it works? Chart: latency (ms, axis 60 to 140) of Wan1 and Wan2 over time with “set link-cost-threshold 10” (dashed line = link-cost-threshold; plotted values 85, 100, 130, 75, 92). The selected member alternates between Wan1 and Wan2 only when the other link's latency beats the active link by more than the threshold.
  • 69. 70 • Latency • Select link based on (smaller) latency • Jitter • Select link based on (smaller) jitter • Packet Loss • Select link based on (smaller) packet loss • Downstream* • Select link based on available bandwidth from download usage • Upstream* • Select link based on available bandwidth from upload usage • Bandwidth* • Select link based on available bandwidth from download and upload usage FortiOS SD-WAN Rules – Best Quality Best Quality Quality criteria – How it works ? For Downstream, Upstream and Bandwidth the value is based on “inbandwidth/outbandwidth” in interface setting. If not set, will use physical speed minus current usage.
  • 70. 71 • Latency • How much time it takes for a packet of data to get from one designated point to another. • Less Latency = Better throughput • Issues: Slow access, connection failure • Recommended for applications that require best response time. Example: Video/VoIP • Jitter • Is the variance in time delay in milliseconds (ms) between data packets over a network. It is a disruption in the normal sequence of sending data packets. Jitter is generally caused by congestion in the IP network • Issues: Delay in real time applications • Recommended for application that require effective packet delivery. Example: VoIP FortiOS SD-WAN Rules – Best Quality Quality criteria - Use Cases
  • 71. 72 • Packet Loss • Occurs when one or more packets of data travelling across a computer network fail to reach their destination. • Issues: Out-of-date information, slow loading times, loading interruptions, Closed connections and missing information. • Recommended: Client-Server applications like Oracle DB and SSH • Downstream • Process of copying data from another computer over a network • Issues: Slow access • Recommended: Applications that needs network resources to download data. Example: File Server, Cloud Storage (Dropbox, OneDrive) FortiOS SD-WAN Rules – Best Quality Quality criteria - Use Cases
  • 72. 73 • Upstream • Process of copying data to another computer over a network • Issues: Slow transfer times, unable to complete upload • Recommended: Applications that needs network resources to upload data. Example: Backup systems • Bandwidth • Sum of downstream + upstream • Recommended: Applications that needs network resources to upload and download data. Example: File Server, Cloud Storage (Dropbox, OneDrive) FortiOS SD-WAN Rules – Best Quality Quality criteria - Use Cases
  • 73. 74 FortiOS SD-WAN Rules Best Quality – Custom Profile. custom-profile1 calculates the best link using the following formula (useful for micro-managing the most critical applications flowing in an enterprise network):
    Link Quality Index = (packet-loss-weight * packet loss) + (latency-weight * latency) + (jitter-weight * jitter) + (bandwidth-weight / bandwidth)
    • latency-weight - coefficient of latency in the formula
    • jitter-weight - coefficient of jitter in the formula
    • packet-loss-weight - coefficient of packet loss in the formula
    • bandwidth-weight - coefficient of the reciprocal of available bidirectional bandwidth in the formula
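To show how the custom-profile formula and link-cost-threshold work together, here is an added example that is not code from the deck or from FortiOS. It computes the Link Quality Index from the slide for each member of a priority-members list and then applies the threshold rule described on the Best Quality slides: the lowest-cost member wins unless a higher-priority member is within link-cost-threshold percent of it. Measuring the percentage difference relative to the best member's cost is an assumption about how FortiOS applies the threshold; the member names and metric values are constructed.

```python
# Added example (not from the Fortinet deck): Link Quality Index plus the
# link-cost-threshold selection rule. The percentage comparison against the
# best member's cost is an assumption, not FortiOS code.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Member:
    name: str
    latency: float = 0.0      # ms
    jitter: float = 0.0       # ms
    packet_loss: float = 0.0  # percent
    bandwidth: float = 1.0    # available bidirectional bandwidth, kbps (must be > 0)


def link_quality_index(m: Member, w: Dict[str, float]) -> float:
    """Link Quality Index = loss_w*loss + lat_w*latency + jit_w*jitter + bw_w/bandwidth (lower is better)."""
    return (w["packet_loss"] * m.packet_loss
            + w["latency"] * m.latency
            + w["jitter"] * m.jitter
            + w["bandwidth"] / m.bandwidth)


def choose_member(members: List[Member], weights: Dict[str, float],
                  link_cost_threshold: float = 10.0) -> str:
    """Pick the outgoing member for a Best Quality rule.

    `members` is the priority-members list (first entry = highest priority).
    The lowest-cost member wins unless a higher-priority member's cost is within
    link_cost_threshold percent of it, in which case that member is used.  With
    the default of 10, fail-back to the primary happens as soon as the primary is
    no more than 10% worse than the best link; with 500 it must be at most 5x worse.
    """
    costs = [(link_quality_index(m, weights), m.name) for m in members]
    best_cost = min(c for c, _ in costs)
    for cost, name in costs:                      # walk in priority order
        # Same test as (cost - best) / best * 100 <= threshold, written so that a
        # best cost of 0 does not divide by zero.
        if (cost - best_cost) * 100.0 <= link_cost_threshold * best_cost:
            return name
    return costs[-1][1]  # only reached with a negative threshold


LATENCY_ONLY = {"latency": 1.0, "jitter": 0.0, "packet_loss": 0.0, "bandwidth": 0.0}


def demo_best_quality() -> Dict[str, str]:
    """Constructed scenarios mirroring the link-cost-threshold slides (wan1 has priority)."""
    return {
        # wan1 is best outright
        "primary_best": choose_member([Member("wan1", latency=85), Member("wan2", latency=100)], LATENCY_ONLY),
        # wan1 far worse than wan2 -> fail over
        "failover": choose_member([Member("wan1", latency=130), Member("wan2", latency=75)], LATENCY_ONLY),
        # wan1 within 10% of wan2 -> priority wins, no flap
        "within_threshold": choose_member([Member("wan1", latency=80), Member("wan2", latency=75)], LATENCY_ONLY),
        # threshold 500: wan1 stays preferred until it is more than 5x worse
        "threshold_500_hold": choose_member([Member("wan1", latency=100), Member("wan2", latency=30)], LATENCY_ONLY, 500),
        "threshold_500_switch": choose_member([Member("wan1", latency=200), Member("wan2", latency=30)], LATENCY_ONLY, 500),
        # custom profile: packet loss weighted 10x latency makes the lossy link lose
        "custom_profile": choose_member(
            [Member("wan1", latency=50, packet_loss=5), Member("wan2", latency=60)],
            {"latency": 1.0, "jitter": 0.0, "packet_loss": 10.0, "bandwidth": 0.0}),
    }


if __name__ == "__main__":
    for scenario, chosen in demo_best_quality().items():
        print(f"{scenario}: {chosen}")
```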
  • 74. 75 © Fortinet Inc. All Rights Reserved. 75 SD-WAN Rule Strategy – Lowest Cost (SLA)
  • 75. 76 FortiOS SD-WAN Rules Lowest Cost (SLA) The Lowest Cost (SLA) strategy for SD-WAN: FortiGate will choose the best link for outgoing traffic based on SLA Targets profile If all links meet the SLA criteria, the FortiGate uses the first link, even if that link isn’t the best quality link. If at any time, the link in use doesn’t meet the SLA criteria, and the next link in the configuration meets the SLA criteria, the FortiGate changes to that link. Performance SLA profile SLA Target:
  • 76. 77 © Fortinet Inc. All Rights Reserved. 77 SD-WAN Rule Strategy – Maximize Bandwidth (SLA)
  • 78. 79 FortiOS SD-WAN Rules Maximize Bandwidth (SLA) The Maximize Bandwidth (SLA) strategy for SD-WAN: Traffic is distributed among all links that satisfy SLA and forwarded based on a round-robin load balancing algorithm.
  • 79. 80 © Fortinet Inc. All Rights Reserved. 80 SD-WAN Rule – Hold Down Time
  • 80. 81 FortiOS SD-WAN Rules – Hold Down Time
    config system virtual-wan-link
        config service
            edit 1
                set hold-down-time 60
                ...
    The hold-down-time parameter defines the first member as the primary link and the others as back-up links. If the primary link's quality degrades, the service switches to a back-up link without holding. If the active back-up link later has lower quality than the primary link, that state must persist for hold-down-time seconds before the service switches back to the primary; otherwise the back-up link keeps its active state. Configured per SD-WAN rule; default 0.
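The Lowest Cost (SLA) and Hold Down Time slides describe the strategy in words; the following added example (not code from the deck or from FortiOS) models it as a small state machine driven by per-member SLA results over a constructed timeline. Member names, timestamps and the choice to keep the current link when no member meets the SLA are assumptions.

```python
# Added example (not from the Fortinet deck): Lowest Cost (SLA) member selection
# with hold-down-time. SLA results per member are supplied as booleans; keeping
# the current link when nothing meets the SLA is an assumption.
from typing import Dict, List, Optional


class LowestCostSlaRule:
    def __init__(self, members: List[str], hold_down_time: int = 0) -> None:
        self.members = members            # priority order; members[0] is the primary link
        self.hold_down_time = hold_down_time
        self.active: Optional[str] = None
        self.hold_since: Optional[float] = None

    def evaluate(self, sla_ok: Dict[str, bool], now: float) -> str:
        """Apply one round of SLA results at time `now` and return the active member."""
        # Lowest Cost (SLA): the first member in configuration order that meets SLA,
        # even if a later member has better quality.
        preferred = next((m for m in self.members if sla_ok.get(m, False)), None)
        if preferred is None:             # assumption: nothing meets SLA -> keep current link
            preferred = self.active or self.members[0]

        if self.active is None or preferred == self.active:
            self.active = preferred
            self.hold_since = None
        elif preferred == self.members[0] and self.hold_down_time > 0:
            # Fail-back to the primary must persist for hold-down-time seconds.
            if self.hold_since is None:
                self.hold_since = now
            elif now - self.hold_since >= self.hold_down_time:
                self.active = preferred
                self.hold_since = None
        else:
            # Primary degraded, or the preferred backup changed: switch without holding.
            self.active = preferred
            self.hold_since = None
        return self.active


def demo_hold_down() -> List[str]:
    """Constructed timeline: primary fails, recovers, and is only restored after 60 s."""
    rule = LowestCostSlaRule(["wan1", "wan2"], hold_down_time=60)
    timeline = [
        (0,  {"wan1": True,  "wan2": True}),    # both fine -> wan1 (first in list)
        (10, {"wan1": False, "wan2": True}),    # primary breaks SLA -> wan2 immediately
        (20, {"wan1": True,  "wan2": True}),    # primary back; hold timer starts
        (50, {"wan1": True,  "wan2": True}),    # 30 s elapsed -> still wan2
        (80, {"wan1": True,  "wan2": True}),    # 60 s elapsed -> back to wan1
    ]
    return [rule.evaluate(sla, t) for t, sla in timeline]


if __name__ == "__main__":
    print(demo_hold_down())
```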
  • 81. 82 • Go to Lab 1.2 and 1.3 GOTO
  • 83. 84 © Fortinet Inc. All Rights Reserved. 84 Traffic Shaping
  • 84. 85 FortiOS SD-WAN Traffic Shaping ▪ SD-WAN interface available as Traffic Shaping outgoing interface ▪ Shared and per-ip shaper Traffic Shaping ▪ L7 Analysis for Shaping rules based on Users, Apps, URLs… ▪ Use App Classification to control, bandwidth reservation, limitation, Diffserv marking and prioritization
  • 85. 86 © Fortinet Inc. All Rights Reserved. 86 Traffic Shaping – Interface Based
  • 86. 87 FortiOS SD-WAN Interface Based Traffic Shaping. This feature introduces the concept of a shaping-profile attached to a 'system.interface' to shape the traffic of that interface. Each shaping-entry of a shaping-profile defines the percentage of the interface bandwidth that can be allocated to one class of traffic, as well as the priority of that class, while traffic is classified into classes by shaping-policy entries. With SD-WAN (virtual-wan-link) present, shaping-profile entries make shaping more flexible: since SD-WAN can direct traffic to any link, and links may have different bandwidths, defining a percentage of interface bandwidth for each class of traffic makes more sense.
  • 87. 88 FortiOS SD-WAN Interface Based Traffic Shaping
    1. Traffic Classification ▪ Shaping policies are used to classify traffic into different "shaping groups" or "class-id"
    2. Prioritizing Traffic ▪ Shaping profiles define how the different groups or classes of traffic are prioritized. ▪ A default group is provided for all traffic that does not match any other group.
    3. Assigning Shaping Profiles ▪ Shaping profiles are attached to an interface ▪ The shaping profile uses the interface's outgoing bandwidth as the maximum link speed ▪ It only works when outgoing bandwidth is configured
  • 88. 89 FortiOS SD-WAN Interface Based Traffic Shaping ▪ Enable Assign Group ▪ Destination Interface ▪ Shaping Group (class-id)
  • 90. 91 FortiOS SD-WAN Interface Based Traffic Shaping 1. Enable the Default Shaping Group and select one class-id 2. Total sum of guaranteed bandwidth percentage must be less than 100% Use to add more Shaping Groups
  • 91. 92 FortiOS SD-WAN Interface Based Traffic Shaping Attach the Shaping Profile to the outgoing interface
  • 92. 93 • Go to Lab 1.4, 2.1, 2.2 and 2.3 GOTO
  • 93. 94 © Fortinet Inc. All Rights Reserved. 94 BGP Tags
  • 94. 95 “BGP communities provide additional capability for tagging routes and for modifying BGP routing policy on upstream and downstream routers. BGP communities can be appended, removed, or modified selectively on each attribute as the route travels from router to router” ▪ BGP Tags can be used as dynamic SD-WAN rule FortiOS SD-WAN BGP Tags
  • 95. 96 The network admin wants Web server traffic to always use the Best Quality link from Branch’s to DC1. The Web servers are containers deployed using dynamic (DHCP) IP address. FortiOS SD-WAN BGP Tags – Use Case DC1 Branch 1 Branch 2 AS 64520 iBGP 10.10.2.0/24 community 30:5 Web Servers BGP update BGP update
  • 96. 97 FortiOS SD-WAN BGP Tags – Spoke Configuration
    Route map to match the community and set the tag:
    config router route-map
        edit "comm1"
            config rule
                edit 1
                    set match-community "30:5"
                    set set-route-tag 15
                next
            ...
    Apply the route map in the neighbor configuration:
    config router bgp
        set as 64520
        set router-id 1.2.3.4
        config neighbor
            edit "10.1.1.1"
                set remote-as 64520
                set route-map-in "comm1"
            next
        ...
    Create the SD-WAN rule using the route tag:
    config system virtual-wan-link
        ...
        config service
            edit 1
                set name "DataCenter"
                set mode priority
                set link-cost-factor latency
                set route-tag 15
            ...
  • 97. 98 FortiOS SD-WAN BGP Tags – Debug
    FG # get router info bgp network 10.100.10.0
    BGP routing table entry for 10.100.10.0/24
    Paths: (2 available, best #1, table Default-IP-Routing-Table)
    ...
    10.100.1.5 from 10.100.1.5 (6.6.6.6)
    Origin EGP metric 200, localpref 100, weight 10000, valid, external, best
    Community: 30:5
    ...
    FG # get router info route-map-address
    Extend-tag: 15, interface(port15:16)
    10.100.10.0/255.255.255.0
    FG # diag sys virtual-wan-link service
    Service(1): flags=0x0 TOS(0x0/0x0), protocol(0: 1->65535), Mode(priority), …
    Members:
    1: Seq_num(1), alive, jitter: 0.400, selected
    2: Seq_num(1), alive, jitter: 0.400, selected
    Route tag address: 10.100.10.0/255.255.255.0
  • 98. 99 © Fortinet Inc. All Rights Reserved. 99 BGP – Additional Path
  • 99. 100 FortiOS SD-WAN BGP – Additional Path ▪ Until FortiOS 6.0, the hub (or the route reflector in ADVPN) could only advertise the latest received prefix to the spokes. ▪ FortiOS 6.2 supports RFC 7911 - Advertisement of Multiple Paths in BGP. RFC 7911 Abstract: This document defines a BGP extension that allows the advertisement of multiple paths for the same address prefix without the new paths implicitly replacing any previous ones. The essence of the extension is that each path is identified by a Path Identifier in addition to the address prefix.
  • 100. 101 FortiOS SD-WAN BGP – Additional Path
    HUB:
    config router bgp
        set as 65505
        set router-id 11.11.11.11
        set ibgp-multipath enable
        set additional-path enable
        set additional-path-select 4
        config neighbor-group
            edit "gr1"
                set capability-default-originate enable
                set remote-as 65505
                set additional-path both
                set adv-additional-path 4
                set route-reflector-client enable
            next
        end
        config neighbor-range
            edit 1
                set prefix 10.10.0.0 255.255.0.0
                set neighbor-group "gr1"
            next
        end
        config network
            edit 12
                set prefix 11.11.11.11 255.255.255.255
            next
        end
    end
    SPOKE:
    config router bgp
        set as 65505
        set router-id 2.2.2.2
        set ibgp-multipath enable
        set additional-path enable
        set additional-path-select 4
        config neighbor
            edit "10.10.100.254"
                set soft-reconfiguration enable
                set remote-as 65505
                set additional-path both
                set adv-additional-path 4
            next
            edit "10.10.200.254"
                set soft-reconfiguration enable
                set remote-as 65505
                set additional-path both
                set adv-additional-path 4
            next
        ...
  • 101. 102 FortiOS SD-WAN BGP – Additional Path
    FG # get router info routing-table bgp
    Routing table for VRF=0
    B*      0.0.0.0/0 [200/0] via 10.10.200.254, vd2-2, 03:57:26
                      [200/0] via 10.10.203.254, vd2-3, 03:57:26
                      [200/0] via 10.10.204.254, vd2-4, 03:57:26
                      [200/0] via 10.10.100.254, vd2-1, 03:57:26
    B       1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
                       [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
                       [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
                       [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
    B       11.11.11.11/32 [200/0] via 10.10.200.254, vd2-2, 03:57:51
                           [200/0] via 10.10.203.254, vd2-3, 03:57:51
                           [200/0] via 10.10.204.254, vd2-4, 03:57:51
                           [200/0] via 10.10.100.254, vd2-1, 03:57:51
  • 102. 103 • Go to Lab 2.4 and 2.5 GOTO
  • 103. 104 © Fortinet Inc. All Rights Reserved. 104 Forward Error Correction
  • 104. 105 FortiOS SD-WAN – WAN Path Remediation: Forward Error Correction (FEC)
What it does: allows dynamic remediation of packet loss or erroneous data caused by adverse WAN conditions.
(Figure: the sending FortiGate transmits the original payload A B C D plus an FEC recovery packet over the overlay tunnel; packet B is lost in transit, so only A C D arrive; the receiving FortiGate's jitter buffer reconstructs the loss and recovers the payload A B C D.)
  • 105. 106 FortiOS SD-WAN Forward Error Correction (figure: overlay tunnel between the sending FortiGate and the receiving FortiGate)
  • 106. 107 FortiOS SD-WAN Forward Error Correction – CLI configuration
config vpn ipsec phase1-interface
    edit toDC1
        ...
        set fec-ingress enable
        set fec-egress enable
        set fec-base 20
        set fec-redundant 10
        set fec-send-timeout 8
        set fec-receive-timeout 5000
        ...
    next
end
▪ fec-ingress: Enable FEC for ingress IPsec traffic.
▪ fec-egress: Enable FEC for egress IPsec traffic.
▪ fec-base: Number of base FEC packets (1 – 100)
▪ fec-redundant: Number of redundant FEC packets (1 – 100)
▪ fec-send-timeout: Timeout in milliseconds before sending FEC packets (1 – 1000)
▪ fec-receive-timeout: Timeout in milliseconds before dropping FEC packets (1 – 10000)
  • 107. 108 FortiOS SD-WAN Forward Error Correction – Parameters
Default configuration:
set fec-base 20
set fec-redundant 10
set fec-send-timeout 8
It sends 10 redundant packets for every 20 packets, so the bandwidth usage is 1.5 times normal. It may introduce at most 8 ms + 8 ms of round-trip latency.
Second example:
set fec-base 2
set fec-redundant 4
set fec-send-timeout 1
Sends 4 redundant packets for every 2 packets, with an extra round-trip latency of at most 1 ms + 1 ms.
▪ The default config, 20:10, can lower the packet loss ratio from 20% to 2.5% and from 10% to 0.01%.
▪ If the packet loss ratio is 2%, the recommended config is 20:4 to lower the packet loss to 0.01%.
▪ FEC packets carry an overhead of 52 bytes for IPv4 and 72 bytes for IPv6, because a new IP header + UDP header + FEC header is added.
  • 108. 109 FortiOS SD-WAN Forward Error Correction - Debug
FG # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=demo ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec-egress: base=20 redundant=10 remote_port=50000
fec-ingress: base=20 redundant=10
proxyid=demo proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.100.0/255.255.255.0:0
  dst: 0:173.1.1.0/255.255.255.0:0
...
FEC uses UDP port 50000 over IPsec tunnels to transmit the control packets.
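When many tunnels carry FEC it is easy to end up with one side enabled and the other not, or with a base:redundant ratio that costs more bandwidth than planned. The script below is an added example (not from the deck or FortiOS) that parses the tunnel list output above, extracts the FEC settings per tunnel and flags such cases; the bandwidth multiplier and the latency bound come from the formulas on the Parameters slide, and the "branch-b" record in the sample is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TunnelFec:
    name: str
    flags: List[str] = field(default_factory=list)   # flags from options[...]
    egress: Optional[Tuple[int, int]] = None         # (fec-base, fec-redundant)
    ingress: Optional[Tuple[int, int]] = None
    fec_port: Optional[int] = None                   # UDP port carrying FEC packets


NAME_RE = re.compile(r"^name=(\S+)\s+ver=")
OPTIONS_RE = re.compile(r"options\[[0-9a-f]+\]=(.*?)\s+accept_traffic=")
EGRESS_RE = re.compile(r"^fec-egress:\s+base=(\d+)\s+redundant=(\d+)(?:\s+remote_port=(\d+))?")
INGRESS_RE = re.compile(r"^fec-ingress:\s+base=(\d+)\s+redundant=(\d+)")


def parse_tunnel_list(text: str) -> Dict[str, TunnelFec]:
    """Extract per-tunnel FEC settings from 'diagnose vpn tunnel list' output."""
    tunnels: Dict[str, TunnelFec] = {}
    cur: Optional[TunnelFec] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:                                   # a new tunnel record starts
            cur = TunnelFec(name=m.group(1))
            tunnels[cur.name] = cur
            continue
        if cur is None:
            continue
        m = OPTIONS_RE.search(line)
        if m:
            cur.flags = m.group(1).split()
            continue
        m = EGRESS_RE.match(line)
        if m:
            cur.egress = (int(m.group(1)), int(m.group(2)))
            cur.fec_port = int(m.group(3)) if m.group(3) else None
            continue
        m = INGRESS_RE.match(line)
        if m:
            cur.ingress = (int(m.group(1)), int(m.group(2)))
    return tunnels


def fec_bandwidth_multiplier(base: int, redundant: int) -> float:
    """Wire bandwidth relative to unprotected traffic: (base + redundant) / base."""
    return (base + redundant) / base


def fec_max_added_rtt_ms(send_timeout_ms: int) -> int:
    """Worst-case round-trip latency added by FEC batching: the send timeout in each direction."""
    return 2 * send_timeout_ms


def audit_fec(tunnels: Dict[str, TunnelFec], max_multiplier: float = 2.0) -> List[Tuple[str, str]]:
    """Flag tunnels whose FEC settings are asymmetric or exceed the bandwidth budget."""
    findings: List[Tuple[str, str]] = []
    for t in tunnels.values():
        if ("fec-egress" in t.flags) != ("fec-ingress" in t.flags):
            findings.append((t.name, "FEC enabled in one direction only"))
        if t.egress and t.ingress and t.egress != t.ingress:
            findings.append((t.name, "egress and ingress base/redundant differ"))
        for direction, cfg in (("egress", t.egress), ("ingress", t.ingress)):
            if cfg and fec_bandwidth_multiplier(*cfg) > max_multiplier:
                findings.append((t.name, f"{direction} FEC costs "
                                         f"{fec_bandwidth_multiplier(*cfg):.1f}x bandwidth"))
    return findings


# Sample: the "demo" tunnel from the slide, plus a constructed "branch-b" with FEC on egress only.
SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=demo ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec-egress: base=20 redundant=10 remote_port=50000
fec-ingress: base=20 redundant=10
proxyid=demo proto=0 sa=1 ref=2 serial=1
------------------------------------------------------
name=branch-b ver=1 serial=2 172.16.200.1:0->172.16.200.3:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress accept_traffic=1
natt: mode=none draft=0 interval=0 remote_port=0
fec-egress: base=2 redundant=4 remote_port=50000
proxyid=branch-b proto=0 sa=1 ref=2 serial=2
"""

if __name__ == "__main__":
    for name, issue in audit_fec(parse_tunnel_list(SAMPLE)):
        print(f"{name}: {issue}")
```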
  • 110. 111 Per Packet Load Balance
  • 111. 112 FortiOS SD-WAN Per packet load balance
What it does: provides link redundancy and bandwidth aggregation.
(Figure: the payload A B C D from the Spoke is split per packet across IPSec Tunnel A (10 Mbps) and IPSec Tunnel B (15 Mbps) and reassembled at the HUB, for 25 Mbps of throughput.)
  • 112. 113 FortiOS SD-WAN Per packet load balance - Config
▪ Configure 2 IPSec tunnels using different WAN links
▪ Phase 1 tunnel type must be static or ddns and net-device must be disabled
▪ Add the "aggregate" interface in the SD-WAN settings
config system ipsec-aggregate
    edit agg1
        set name agg1
        set member "vpn1" "vpn2"
        set algorithm round-robin
    next
end
algorithm:
▪ round-robin: Per-packet round-robin distribution
▪ L3: Use layer 3 address for distribution
▪ L4: Use layer 4 information for distribution
▪ redundant: Use the first tunnel that is up for all traffic
  • 113. 114 ADVPN (Auto Discovery VPN)
  • 114. 115 FortiOS SD-WAN ADVPN
▪ Fortinet Auto Discovery VPN (ADVPN) dynamically establishes direct tunnels (called shortcuts) between the spokes of a traditional Hub and Spoke architecture.
▪ After a shortcut tunnel is established between two spokes and routing has converged, spoke-to-spoke traffic no longer needs to flow through the Hub; direct connectivity is provided.
▪ Fortinet ADVPN was introduced in FortiOS 5.4 but did not support SD-WAN until FortiOS 6.2.
  • 116. 117 FortiOS SD-WAN ADVPN Configuration Steps
Hub:
1. Create the IPSec VPN with the auto-discovery-sender and tunnel-search parameters
2. Create a firewall policy to allow traffic from hub to spokes
3. Configure BGP (route reflector)
Spoke:
1. Create the IPSec VPN with the auto-discovery-receiver parameter
2. Create a firewall policy to allow traffic from spoke to spoke and from spoke to hub
3. Configure BGP
4. Configure the SD-WAN Rules
  • 117. 118 FortiOS SD-WAN – ADVPN: Hub Configuration
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port9"
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set tunnel-search nexthop
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"
    next
end
config firewall policy
    edit 1
        set srcintf "advpn-hub"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "11.11.11.0"
        set service "ALL"
    next
    edit 2
        set srcintf "advpn-hub"
        set dstintf "advpn-hub"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end
config system interface
    edit "advpn-hub"
        set ip 10.10.100.254 255.255.255.255
        set remote-ip 10.10.100.253 255.255.255.0
    next
end
config router bgp
    set as 65412
    config neighbor-group
        edit "advpn"
            set link-down-failover enable
            set remote-as 65412
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.100.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
    config network
        edit 1
            set prefix 172.16.101.0 255.255.255.0
        next
    end
end
  • 118. 119 FortiOS SD-WAN – ADVPN: Spoke Configuration
config vpn ipsec phase1-interface
    edit "spoke1"
        set interface "wan1"
        set net-device enable
        set add-route disable
        set auto-discovery-receiver enable
        set remote-gw 11.1.1.11
    next
    edit "spoke1-2"
        set interface "wan2"
        set net-device enable
        set add-route disable
        set auto-discovery-receiver enable
        set remote-gw 11.1.2.11
        set monitor "spoke1"
    next
end
config vpn ipsec phase2-interface
    edit "spoke1"
        set phase1name "spoke1"
        set auto-negotiate enable
    next
    edit "spoke1-2"
        set phase1name "spoke1-2"
        set auto-negotiate enable
    next
end
config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke1" "spoke1-2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke1" "spoke1-2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end
  • 119. 120 FortiOS SD-WAN – ADVPN: Spoke Configuration (continued)
config system interface
    edit "spoke1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke1-2"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end
config router bgp
    set as 65412
    config neighbor
        edit "10.10.100.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
        edit "10.10.200.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 10.1.100.0 255.255.255.0
        next
    end
end
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "vd2-1"
        next
        edit 2
            set interface "vd2-2"
        next
    end
    config health-check
        edit "ping"
            set server "11.11.11.11"
            set members 1 2
        next
    end
    config service
        edit 1
            set member 1
            set dst "001-100"
        next
        edit 2
            set member 2
            set dst "100-200"
        next
    end
end
  • 120. 121 Routing Changes and SNAT
  • 121. 122 FortiOS SD-WAN Routing Changes and SNAT
If, after a routing change, a session for a particular communication keeps going via the wrong interface and/or firewall policy, it is probably due to keepalive traffic: the session never expires, and by default the FortiGate does not flush routing information for such sessions.
▪ After a routing change, routing information is flushed from the affected sessions where source NAT (SNAT) is not applied:
✓ Routing lookups are done again for the next packets.
✓ Route cache entries are removed.
✓ The RPF check is done again for the first packet in the original direction.
✓ The session is flagged as dirty.
  • 122. 123 FortiOS SD-WAN Routing Changes and SNAT
Example of a session just after a routing change:
FG # diagnose sys session list
session info: proto 1 proto_state 00 duration 411 expire 56 timeout 0 flags 00000 sockflag=00000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=dirty may_dirty
statistic(bytes/packets/allow_err): org=17160/286/1 reply=16080/268/1 tuples=2
speed(Bps/kbps): 98/0
orgin->sink: org pre->post, reply pre->post dev=9->0/0 gw=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.4.0.1:1->10.1.0.1:8(0.0.0.0:0)
In sessions where SNAT is applied, the action depends on the following setting (which is disabled by default):
config system global
    set snat-route-change enable
end
  • 123. 124 ECMP max paths
  • 124. 125 FortiOS SD-WAN ECMP max paths
▪ SD-WAN uses ECMP to distribute traffic to the same destination, such as the Internet or another network. Using ECMP you can add multiple routes to the destination and give each of those routes the same distance and priority.
▪ The default number of ECMP paths allowed by a FortiGate depends on the FortiOS version:
FortiOS version                 | < 6.0    | 6.2.0     | >= 6.2.1
ECMP max path (default / max)   | 10 / 100 | 100 / 100 | 255 / 255
The value is set in your configuration with:
config system settings
    set ecmp-max-paths 255
end
  • 126. 127 FortiOS SD-WAN Zero Touch Provisioning – How it works?
(Flow between Customer, Fortinet, FortiCloud, FortiManager and the FortiGate:)
▪ Order the FortiGates along with a FortiDeploy SKU
▪ Fortinet registers your devices in FortiCloud
▪ Assign the FortiManager IP to the registered devices
▪ Provision your devices in FortiManager
▪ The deployed device will fetch its management details from FortiCloud
▪ The deployed device will get its full configuration from FortiManager
  • 127. 128 FortiOS SD-WAN Zero Touch Provisioning – Step-by-Step Order the FortiGates along with a FortiDeploy SKU
  • 128. 129 FortiOS SD-WAN Zero Touch Provisioning – Step-by-Step Fortinet registers your devices in FortiCloud
  • 129. 130 FortiOS SD-WAN Zero Touch Provisioning – Step-by-Step
Deployed device will fetch its management details from FortiCloud:
FG # diagnose debug cli 8
FG # diagnose debug enable
[...]
0: config system central-management
0: set type fortimanager
0: set fmg 192.168.194.62
0: set mode normal
0: config system fortiguard
0: set service-account-id "tiger_sophia@fortinet.com"
0: end
[...]
  • 132. 133 FortiManager SD-WAN Feature Support
▪ SD-WAN Central Template
  • You can centrally provision SD-WAN templates by specifying SD-WAN interface members, WAN link performance criteria, and application routing priority
▪ SD-WAN Monitoring
  • Map View displays SD-WAN enabled devices on a Google Map with color coded icons. Mouse over to view health performance statistics for each SD-WAN link member
  • Table View provides more granular information on each SD-WAN link member, such as link status, application performance and bandwidth usage
  • Monitor summary with Bandwidth Overview, Latency, Jitter and Packet Loss
  • 133. 134 FMG - Central Template
  • 134. 135 As of version 6.2, you can import the FortiGate SD-WAN config or create a new template: 1. Create the Health-Check servers 2. Create the Interface Members 3. Create the SD-WAN Template 4. Assign the Template to the Device(s) FortiManager SD-WAN Central Template
  • 139. 140 FMG - Monitor
  • 146. 147 FortiAnalyzer SD-WAN SLA Logging
▪ Performance SLA results related to interface selection, session failover and other information can be logged. These logs can then be used for long-term monitoring of traffic issues at remote sites, and for reports and views in FortiAnalyzer.
▪ The intervals at which Performance SLA fail and pass logs are generated can be configured.
FortiOS side configuration, inside each health-check profile:
config system virtual-wan-link
    config health-check
        edit DNS.SERVER.ICMP
            set sla-fail-log-period 60
            set sla-pass-log-period 500
        next
    end
end
This information is also available on the FortiOS CLI (without FAZ) using:
diagnose sys virtual-wan-link sla-log <performance-sla-name> 1
  • 148. 149 SLA Monitoring via REST API
  • 149. 150 SLA Monitoring via REST API
▪ This feature adds the ability to monitor the SLA log information and interface SLA information using the FortiOS REST API. It is also used by FortiManager as part of its detailed SLA monitoring and drill-down features.
Interface log command example:
https://172.172.172.9/api/v2/monitor/virtual-wan/interface-log
{
  "http_method": "GET",
  "results": [
    {
      "interface": "port13",
      "logs": [
        {
          "timestamp": 1547087168,
          "tx_bandwidth": 3447,
          "rx_bandwidth": 3457,
          "bi_bandwidth": 6904,
          "tx_bytes": 748875,
          "rx_bytes": 708799,
          "egress_queue": []
        },
        ...
  • 150. 151 FortiOS CLI diagnose commands
FG # diagnose sys virtual-wan-link sla-log ping 1
Timestamp: Wed Jan 9 18:35:11 2019, vdom root, health-check ping, interface: port13, status: up, latency: 0.698, jitter: 0.073, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:12 2019, vdom root, health-check ping, interface: port13, status: up, latency: 0.704, jitter: 0.073, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:13 2019, vdom root, health-check ping, interface: port13, status: up, latency: 0.709, jitter: 0.073, packet loss: 0.000%.
FG # diagnose sys virtual-wan-link intf-sla-log port13
Timestamp: Wed Jan 9 18:33:49 2019, used inbandwidth: 3208bps, used outbandwidth: 3453bps, used bibandwidth: 6661bps, tx bytes: 947234bytes, rx bytes: 898622bytes.
Timestamp: Wed Jan 9 18:33:59 2019, used inbandwidth: 3317bps, used outbandwidth: 3450bps, used bibandwidth: 6767bps, tx bytes: 951284bytes, rx bytes: 902937bytes.
Timestamp: Wed Jan 9 18:34:09 2019, used inbandwidth: 3302bps, used outbandwidth: 3389bps, used bibandwidth: 6691bps, tx bytes: 956268bytes, rx bytes: 907114bytes.
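The sla-log lines above are the raw data behind the SLA targets and the "best quality" rule selection used in the labs. As an added example (not from the deck or FortiOS), the Python code below parses those lines, evaluates every sample against a target SLA and picks the lowest-latency member that stayed within the target; the port14 and port15 lines and the target values are constructed for illustration, not Fortinet's recommended values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "diagnose sys virtual-wan-link sla-log" line, as printed by FortiOS 6.2.
SLA_LINE_RE = re.compile(
    r"Timestamp: (.+?), vdom (\S+), health-check (\S+), interface: (\S+), "
    r"status: (\w+), latency: ([\d.]+), jitter: ([\d.]+), packet loss: ([\d.]+)%"
)


@dataclass(frozen=True)
class SlaSample:
    timestamp: str
    health_check: str
    interface: str
    up: bool
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class SlaTarget:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def parse_sla_log(text: str) -> List[SlaSample]:
    samples: List[SlaSample] = []
    for line in text.splitlines():
        m = SLA_LINE_RE.search(line)
        if m:
            samples.append(SlaSample(m.group(1), m.group(3), m.group(4), m.group(5) == "up",
                                     float(m.group(6)), float(m.group(7)), float(m.group(8))))
    return samples


def meets_target(s: SlaSample, t: SlaTarget) -> bool:
    """A sample is within SLA only if the link is up and every metric is at or below its target."""
    return (s.up and s.latency_ms <= t.latency_ms
            and s.jitter_ms <= t.jitter_ms and s.loss_pct <= t.loss_pct)


def sla_summary(samples: List[SlaSample], target: SlaTarget) -> Dict[str, dict]:
    """Per interface: sample count, fraction of samples within SLA, average latency."""
    acc: Dict[str, dict] = {}
    for s in samples:
        e = acc.setdefault(s.interface, {"samples": 0, "in_sla": 0, "latency_sum": 0.0})
        e["samples"] += 1
        e["in_sla"] += int(meets_target(s, target))
        e["latency_sum"] += s.latency_ms
    return {i: {"samples": e["samples"],
                "in_sla_ratio": e["in_sla"] / e["samples"],
                "avg_latency_ms": e["latency_sum"] / e["samples"]} for i, e in acc.items()}


def best_interface(samples: List[SlaSample], target: SlaTarget) -> Optional[str]:
    """Lowest average latency among interfaces whose samples were all within SLA, else None."""
    summary = sla_summary(samples, target)
    candidates = [i for i, e in summary.items() if e["in_sla_ratio"] == 1.0]
    if not candidates:
        return None
    return min(candidates, key=lambda i: summary[i]["avg_latency_ms"])


# Constructed target for this example (latency/jitter in ms, loss in percent).
TARGET = SlaTarget(latency_ms=200.0, jitter_ms=50.0, loss_pct=1.0)

# Sample log: the three port13 lines from the slide, plus constructed port14 (slower but within
# SLA) and port15 (low latency but 1.5% packet loss) lines.
SAMPLE_LOG = """\
Timestamp: Wed Jan 9 18:35:11 2019, vdom root, health-check ping, interface: port13, status: up, latency: 0.698, jitter: 0.073, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:12 2019, vdom root, health-check ping, interface: port13, status: up, latency: 0.704, jitter: 0.073, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:13 2019, vdom root, health-check ping, interface: port13, status: up, latency: 0.709, jitter: 0.073, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:11 2019, vdom root, health-check ping, interface: port14, status: up, latency: 150.200, jitter: 12.500, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:12 2019, vdom root, health-check ping, interface: port14, status: up, latency: 160.100, jitter: 11.900, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:13 2019, vdom root, health-check ping, interface: port14, status: up, latency: 170.300, jitter: 13.100, packet loss: 0.000%.
Timestamp: Wed Jan 9 18:35:11 2019, vdom root, health-check ping, interface: port15, status: up, latency: 50.000, jitter: 5.000, packet loss: 1.500%.
Timestamp: Wed Jan 9 18:35:12 2019, vdom root, health-check ping, interface: port15, status: up, latency: 51.000, jitter: 5.100, packet loss: 1.500%.
Timestamp: Wed Jan 9 18:35:13 2019, vdom root, health-check ping, interface: port15, status: up, latency: 52.000, jitter: 4.900, packet loss: 1.500%.
"""

if __name__ == "__main__":
    samples = parse_sla_log(SAMPLE_LOG)
    for iface, stats in sla_summary(samples, TARGET).items():
        print(f"{iface}: {stats['in_sla_ratio']:.0%} within SLA, "
              f"avg latency {stats['avg_latency_ms']:.3f} ms")
    print("best member:", best_interface(samples, TARGET))
```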
  • 151. 152 • Go to Lab 2.6, 3.1, 3.2 and 3.3 GOTO
  • 153. 155 Lab Introduction Details
• The step-by-step tasks documented here will usually not explicitly define the default parameters when you create a new configuration item; these are, however, clearly depicted in the images that follow each task.
• All VERIFY slides are optional and do not change the configuration or solution provided for a given scenario.
  • 154. 156 • Single site • Hub and Spoke • One Hub, Two Spokes • Dual Hub, Two Spokes Lab Introduction Overview - Scenarios
  • 157. 159 Network Diagram Details
• The Internet Cloud is a Linux host that only routes the external networks (203.0.113.0/24) and has real Internet connectivity
• All DC Internet links are static
• All Spoke Internet links are dynamic (DHCP)
• At each site there is at least one Linux host that can be used for testing (ping, iperf, etc.)
  • 158. 160 • All FG passwords are blank, for other devices the password is always fortinet unless specified otherwise • DO NOT CHANGE any passwords Network Diagram Details
  • 159. 161 • You can access any device directly using the FortiPOC automatically created port redirections. Network Diagram Details
  • 160. 162 Network Diagram Details
• For SSH you may prefer not to use the built-in client and instead use your own machine's SSH client; in this case you just need to identify which SSH port was mapped and use it instead, e.g. to access device DC01 you would connect this way:
$ ssh admin@FortiPOC_IP -p 10101
  • 161. 163 • Access your FortiPoC using HTTPS according to your student number: Lab Access Details - Sunrise Sunrise Lab Mexico Lab #01 – 10.20.65.1 … #20 – 10.20.65.60
  • 163. 165 Lab Access Documentation
• The Lab Guide contains the scenario for each lab, the overview of the required tasks to complete, how to validate them, and the step-by-step solution for each lab.
• You may try to complete the lab based on the overview and the validation; if you have any issues you can consult the solution for the exact steps required.
• Pay special attention to slides marked with a warning symbol, as those are the steps where most people overlook some detail and complete them incorrectly.
  • 164. 166 Lab Access Access Validation • Access your FortiPoC using HTTPS according to your student number • Credential is admin / <blank> • Connect to Bastion_MGMT using HTTP
  • 165. 167 Lab Access Access Validation • You should be at the Bastion MGMT Website now • Go to WAN Emulator section • APPLY Lab 1.1 network conditions
  • 167. 169 Lab 01 – Single Site Scenario Description
You were hired as a new Cyber Security and Network Specialist at the small ACME company, based in Sunnyvale. You arrive on your first day at work and they give you the firewall's credentials and report that some users are already complaining about accessing the main corporate website (which is hosted on a public cloud provider), and they ask you to fix the situation. The corporate website is acme.inet; users commonly download spreadsheets with updated financial data from the website all day. Users also reported that sometimes the site simply does not load, so they have to keep retrying during the workday, and that they have problems downloading large files that are generated at the end of the day.
  • 168. 170 Lab 01 – Single Site Scenario Description
Currently the bandwidth of your main internet link is 15 Mbps; the company just recently acquired a new backup internet link of 15 Mbps, and the upload bandwidth is also 15 Mbps on both links. The website goes down for planned maintenance every day at 22h and returns at 04h. You also use your provider's DNS server, which is known for its incredible stability and reliability. The previous engineer gave you the current topology and access to the company FortiManager, which he never used; since you only have one firewall, your boss told you that you should only use the FortiManager as a log repository for now.
  • 169. 171 Lab 01 – Single Site Network Diagram (figure)
  • 170. 172 • Pre-configured parameters on DC01 • Hostname, Admin Timeout, GUI Theme, Lat/Long, Dashboard • IP Addressing, alias and zones for all interfaces • DHCP Server on port5 • Static Route to Internet over INTERNET_A only • Common Firewall Objects • Firewall policy from LAN to INTERNET • Logging to FMG01 Lab 01 – Single Site Initial Config
  • 171. 173 Lab 01.1 Time to Complete: 30m
  • 172. 174 Identify what is the root cause of the issue reported by your users when accessing the acme.inet website. You're not authorized to enable the secondary interface at this point. You may want to check if the site is available using ping from T1-DC01, to assess what's happening when there's an outage. • Objectives 1. Create Performance SLA’s to help you identify the issue 2. Create interface bandwidth widgets to help you identify the issue 3. Send logs to FortiManager 4. Enable additional SD-WAN logs 5. Enable Security Fabric Lab 01.1 Identifying the problem
  • 173. 175 • Role and Interface In/Out Bandwidth should be configured • Interface Widget for port2 should be created • Create 2 probes, one to company website and another to a reliable DNS server • Logs should be sent to FMG • The network conditions should be logged (every 30s on a fail condition, every 60s when it’s a success condition) Lab 01.1 Requirements
  • 174. 176 Lab 01.1 Configuration • Configure the lab according to the requirements • After finishing the configuration, check if you accomplished the section goals using the validation as a guideline • If you prefer you can skip directly to the solution, and follow the step-by- step guide
  • 176. 178 • Check the Performance SLA dashboard Lab 01.1 Validation
  • 177. 179 • Interpret the Bandwidth Widget Lab 01.1 Validation
  • 178. 180 • Check logs on FMG01 Lab 01.1 Validation ▪ You should be able to identify the current network conditions from the logs
  • 179. 181 Lab 01.1 Validation
• From the information obtained in the Performance SLA probes, Interface Widget and SD-WAN logs, can you identify what's happening?
• How long does every failure last?
• For how long does it work before failing again?
• How long does it take to download the big financial file?
• At this point you should have identified the root cause
• We will fix it in the next lab
  • 180. 182 Lab 01.1 Conclusion
• From the information obtained in the Performance SLA probes, Interface Widget and SD-WAN logs you can identify that the link is constantly failing
• Every failure takes about 1m before it recovers again
• It works for about 3m before failing again
• The download time exceeds 3m, so it's currently not possible to download the large financial data files
• You also ruled out congestion issues on the current interface, as users are using less bandwidth than what's currently available
• Congratulations, you correctly identified the issue and will fix it in the next lab
  • 181. 183 Lab 01.1 Summary
• In this lab you learned how to use performance probes to help in the process of identifying link failures
• Enabled Security Fabric to improve network visibility and sent logs to a central location for quick review
• Configured the bandwidth values of the interfaces to enable a quick visual assessment of congestion issues
  • 183. 185 • Go to SD-WAN Rules GOTO
  • 184. 186 Lab 01.2 Time to Complete: 30m
  • 185. 187 You have identified that the root cause of the reported issues were related to link failures occurring during the day, in order to fix that you plan to enable the recently acquired backup link. • Objectives 1. Enable the new interface 2. Adjust SD-WAN Probes and Rules Lab 01.2 Fixing link failures
  • 186. 188 Lab 01.2 Requirements
• Add port3 to the SD-WAN Members
• Role and Interface In/Out Bandwidth should be configured
• An Interface Widget for port3 should be created
• Adjust the existing probes
• The probe to acme.inet should have the fastest failure detection possible and a long recovery time (300s)
• Traffic to the acme.inet website should only go through interfaces that are considered alive by the custom probe, ideally considering packet loss as a quality criterion
• Validate using ping that access to the website is not interrupted anymore
• Validate that the issue was fixed by reproducing the large file download procedure
  • 187. 189 Lab 01.2 Configuration • Configure the lab according to the requirements • After finishing the configuration, check if you accomplished the section goals using the validation as a guideline • If you prefer you can skip directly to the solution, and follow the step-by- step guide
  • 189. 191 • Check the Performance SLA dashboard Lab 01.2 Validation
  • 190. 192 • Test website access from T1-DC01 • Connect on T1-DC01 Display Lab 01.2 Validation ▪ Open a Terminal » ping acme.inet ▪ Wait for at least 5m to see if any failures occur ▪ Pay attention to when the probes show port2 as dead and check if the ping fails
  • 191. 193 Lab 01.2 Validation
• Check the Bandwidth Widget
• Traffic should only pass through stable interfaces
  • 192. 194 Lab 01.2 Summary
• In this lab you learned how to include additional interfaces as SD-WAN Members and how to properly adjust an existing configuration
• You understood how to tune a Performance SLA for faster convergence and increased stability
• You configured an SD-WAN Rule that fixed the issue with the constantly failing link and validated that users are now able to work without any issues
  • 194. 196 Lab 01.3 Time to Complete: 30m
  • 195. 197 Lab 01.3 Fixing latency issues
Users reported that access to the application feels very slow, especially when loading last night's corporate party pictures; the CEO is especially interested in seeing them after lunch, so the CIO requested that you look at the issue right away. The website development team created a page on the acme.inet website that will quickly show you the loading time.
• Objectives
1. Define target SLAs for probes
2. Adjust rules to fix the issue
  • 196. 198 The network conditions have changed since the last laboratory, you need to apply the new conditions now. • Go to the Bastion-MGMT website, Wan Emulator section • Apply Lab 1.3 Lab 01.3 Scenario
  • 197. 199 • Define a target SLA for acme.inet probe • You should use recommended values associated to General Web traffic • You should set the ‘Restore link after’ back to 5 checks on the acme.inet probe • Identify if the recommended value is appropriate for this traffic • Are the current links able to reach the desired values ? • You should be able to assess the latency without any packet loss, there’s no packet loss on this scenario and if you’re seeing it you need to discover the root cause Lab 01.3 Requirements
  • 198. 200 Lab 01.3 Configuration • Configure the lab according to the requirements • After finishing the configuration, check if you accomplished the section goals using the validation as a guideline • If you prefer you can skip directly to the solution, and follow the step-by- step guide
  • 200. 202 • Check the Performance SLA dashboard Lab 01.3 Validation
  • 201. 203 • Test website access from T1-DC01 • Connect on T1-DC01 Display Lab 01.3 Validation ▪ Open a Terminal » ping acme.inet ▪ Wait for at least 4m ▪ If even after the changes you still see latency over 200ms you can stop and restart the ping immediately to validate
  • 202. 204 • Test website access from T1-DC01 • Connect on T1-DC01 Display Lab 01.3 Validation ▪ Open a Web Browser » Go to http://acme.inet » Go to the Loading Time page » Refresh the page several times, check if you’re always getting the best available link (based on latency) » You should always get the best link!
  • 203. 205 Lab 01.3 Summary
• In this lab you learned how to tune Performance SLA timers and how to use SLA Targets
• You also learned how the SD-WAN rule quality criteria can be used to obtain the desired behavior, and how to fix a common issue of network slowness related to latency
  • 205. 207 • Go to Additional Features GOTO
  • 206. 208 Lab 01.4 Time to Complete: 30m
  • 207. 209 Lab 01.4 Scenario
The HR department needs to file some terminations (they discovered that some employees were accessing pornographic content and downloading movies using BitTorrent during the night shifts, all recorded on the security cameras), but they are being affected by an unexpected slowness on the network today. You know that the Storage team was working on some transfers between a new service provider and the internal systems, and that this new application uses TCP/5201. They implemented it yesterday, and it could be related to the current high network usage. To make the situation even worse, one of your ISPs notified you of network maintenance and is not working today, so you only have one link available.
  • 208. 210 CEO requested that all traffic to the HR applications should be prioritized, their applications are on acme.inet website. • Objectives 1. HR traffic should not be affected by Storage traffic 2. Configure traffic shaping to limit Storage traffic impact on all other services Lab 01.4 Fixing network congestion issues
  • 209. 211 The network conditions have changed since the last laboratory, you need to apply the new conditions now. • Go to the Bastion-MGMT website, Wan Emulator section • Apply Lab 1.4 Lab 01.4 Scenario
  • 210. 212 • Traffic to Storage Provider should not exceed 5000 kbps Lab 01.4 Requirements
  • 211. 213 Lab 01.4 Configuration • Configure the lab according to the requirements • After finishing the configuration, check if you accomplished the section goals using the validation as a guideline • If you prefer you can skip directly to the solution, and follow the step-by- step guide
  • 213. 215 • Check port2 usage • Go to Dashboard, Status Lab 01.4 Validation ▪ Traffic to Storage Provider should not exceed 5000 Kbps
  • 214. 216 • Test website access from T1-DC01 • Connect on T1-DC01 Display Lab 01.4 Validation ▪ Open a Terminal » ping acme.inet ▪ Latency should be minimal
  • 215. 217 Lab 01.4 Validation
• Test website access from T1-DC01
• Connect on the T1-DC01 Display
▪ Open a Web Browser
» Go to http://acme.inet
» It's important to type the http prefix
» Go to the Loading Time page
» Loading time must be lower than 200ms
  • 216. 218 • In this lab you learned how to identify excessive bandwidth usage through Interface widgets and the offending hosts through FortiView • You also learned how to apply bandwidth limits to inbound traffic using traffic shapers and traffic shaping policy Lab 01.4 Summary
  • 219. 221 Lab 02 – Hub and Spoke Scenario Description
Due to the excellent work of your team the company was super efficient last quarter and is now expanding to new locations: they're opening a new branch office in Sunrise and you are in charge of deploying the new site's connectivity. You know that the Junior Technicians have already done the initial device config and now you need to prepare the VPNs; before travelling to the remote office you will prepare everything on the main DC device.
  • 220. 222 Lab 02 – Hub and Spoke Network Diagram
  • 221. 223 • Pre-configured parameters on S01 • Hostname, Admin Timeout, GUI Theme, Lat/Long, Dashboard • IP Addressing, alias, roles and zones for all interfaces • Static Route to Internet over INTERNET_A only • Common Firewall Objects • Firewall policy from LAN to INTERNET Lab 02 – Hub and Spoke Initial Config
  • 222. 224 Lab 02.1 Time to Complete: 30m
  • 223. 225 Before travelling to the new Branch Office you need to prepare the DC device so once you configure the tunnels at the new site they will come up right away. • Objectives 1. Configure two VPNs, one for each WAN interface 2. Test the VPN config using FortiClient Lab 02.1 Prepare VPNs on DC
  • 224. 226 The network conditions have changed since the last laboratory, you need to apply the new conditions now. • Go to the Bastion-MGMT website, Wan Emulator section • Apply CLEANUP Lab 02.1 Scenario
  • 225. 227 • Configure two VPNs that will support a Hub-and-Spoke topology • One VPN should be configured for each WAN interface • You should not use more than two rules to allow traffic to/from Spokes to DC LAN • You should not use multiple interfaces per rule • You should follow the IP addressing already defined in the Network Diagram • The VPNs should be prepared to support dynamic routing • You should not use mode-cfg • Should a tunnel fail, the failure needs to be detected in 2s • Failure can only be determined after at least 2 probes failed • Tunnels will not be part of SD-WAN at DC Lab 02.1 Requirements
  • 226. 228 Lab 02.1 Configuration • Configure the lab according to the requirements • After finishing the configuration, check if you accomplished the section goals using the validation as a guideline • If you prefer you can skip directly to the solution, and follow the step-by- step guide
  • 228. 230 • Test your new VPN using FortiClient • Install FortiClient on YOUR LOCAL MACHINE Lab 02.1 Validation ▪ Create a new VPN ▪ Name: FORTIPOC ▪ Remote Gateway: YOUR_FPOC_IP ▪ Pre-shared key: fortinet ▪ Mode: Main ▪ Options: Manually Set ▪ Assign IPv4 Address: 10.200.250.200/24
  • 229. 231 • Check online tunnels • Go to Monitor, IPsec Monitor Lab 02.1 Validation
  • 230. 232 • Test ping to remote tunnel IP • Go to CLI • You validated that the tunnel on HUB side is correctly configured. Lab 02.1 Validation STUDENT_LOCAL_MACHINE # ping 10.200.250.254 PING 10.200.250.254 (10.200.250.254): 56 data bytes 64 bytes from 10.200.250.254: icmp_seq=0 ttl=255 time=0.9 ms 64 bytes from 10.200.250.254: icmp_seq=0 ttl=255 time=0.9 ms 64 bytes from 10.200.250.254: icmp_seq=0 ttl=255 time=0.9 ms …
  • 231. 233 • In this lab you learned how to configure the HUB side of a Hub and Spoke topology • You also learned how to tune the tunnel settings for fast failure detection and to enable the usage of dynamic routing protocols, which is going to be configured in a subsequent lab. Lab 02.1 Summary
Lab 02.2 Time to Complete: 30m

Lab 02.2 Enabling your first SD-Branch
You're in beautiful Florida and have not seen any alligators so far (apart from a guy in an alligator costume on the beach). Now you have to complete the setup of the branch office quickly, because the sales team is ready to start their operation but was held back by the lack of wireless and wired connectivity at the branch. The first task of the day is to enable branch access to the Internet so they can start doing business.
Objectives
1. Configure SD-WAN at the Branch to enable best usage of both Internet links
2. Configure the Branch Switch

Lab 02.2 Scenario
The network conditions have changed since the last laboratory; you need to apply the new conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply Lab 2.2

Lab 02.2 Requirements
• Enable SD-WAN, use both WAN interfaces
• Adjust the load balancing for best session distribution, using the link bandwidth as a guide
• INTERNET_A is an 80Mbps ADSL link
• INTERNET_B is a 20Mbps ADSL link
• Create a probe to the acme.inet website using HTTP

Lab 02.2 Configuration
• Configure the lab according to the requirements
• After finishing the configuration, check if you accomplished the section goals using the validation as a guideline
• If you prefer you can skip directly to the solution, and follow the step-by-step guide
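The weight-based SD-WAN setup the requirements ask for, as an added FortiOS CLI example (6.x `virtual-wan-link` syntax) that is not the course's own solution. It assumes INTERNET_A is port1 and INTERNET_B is port2; the gateway addresses are placeholders to be taken from the lab's network diagram.

```fortios
# Added example, not the lab solution. Assumes INTERNET_A = port1 (80 Mbps) and
# INTERNET_B = port2 (20 Mbps); gateway addresses are placeholders from the lab diagram.
config system virtual-wan-link
    set status enable
    set load-balance-mode weight-based      # new sessions are spread in proportion to member weight
    config members
        edit 1
            set interface "port1"
            set gateway <INTERNET_A_GATEWAY>
            set weight 80                   # 80:20 mirrors the 80/20 Mbps capacity ratio (4 of 5 sessions)
        next
        edit 2
            set interface "port2"
            set gateway <INTERNET_B_GATEWAY>
            set weight 20                   # 1 of every 5 new sessions
        next
    end
    config health-check
        edit "ACME_HTTP"
            set server "acme.inet"          # HTTP probe target named in the requirements
            set protocol http
            set http-get "/"
            set members 1 2                 # probe over both links; a link whose probe fails leaves the pool
        next
    end
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set virtual-wan-link enable         # default route through the SD-WAN interface, not a single port
    next
end
```

The LAN-to-Internet firewall policy then uses the virtual-wan-link interface as its destination, so the weights, not the policy, decide which link a session takes.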
Lab 02.2 Validation
• Check interface usage
▪ Traffic should be load balanced and no interface should be near max usage

Lab 02.3 Time to Complete: 30m

Lab 02.3 Enabling secure connectivity to DC
Now that users are able to access the Internet, you need to further improve the Branch Office workflow by enabling secure communication to Internal Systems. In this section you will configure the VPN tunnels to DC.
Objectives
1. Configure secure connectivity to internal systems
2. Distribute the VPN load between all available tunnels

Lab 02.3 Scenario
The network conditions have not changed since the last laboratory; you do not need to apply any new conditions now.
• Keep 02.2 settings

Lab 02.3 Requirements
• Create two VPN tunnels to DC01, one for each interface
• Create a probe to DC01 LAN IP
• Traffic to Internet should never go through the tunnels
• Traffic to DC01 should use both tunnels
• NAT should not be enabled for internal traffic

Lab 02.3 Configuration
• Configure the lab according to the requirements
• After finishing the configuration, check if you accomplished the section goals using the validation as a guideline
• If you prefer you can skip directly to the solution, and follow the step-by-step guide

Lab 02.3 Validation
• Check tunnel status
• Go to Monitor, IPsec Monitor
▪ Both tunnels should be up

• Test ping to remote tunnel IP
• Go to CLI
• You validated that the overlay traffic is working.

  S01 # exec ping 10.200.250.254
  PING 10.200.250.254 (10.200.250.254): 56 data bytes
  64 bytes from 10.200.250.254: icmp_seq=0 ttl=255 time=0.9 ms
  …
  S01 # exec ping 10.200.251.254
  PING 10.200.251.254 (10.200.251.254): 56 data bytes
  64 bytes from 10.200.251.254: icmp_seq=0 ttl=255 time=0.7 ms
  …

• Check which interface is being used for Internet traffic
• Go to FortiView, Destinations, Double-click acme.inet, Sessions
▪ Tunnels are not used for Internet traffic

• Check probe status
• Go to Network, Performance SLA
▪ All probes should be normal

• Go to BGP

Lab 02.4 Time to Complete: 30m

Lab 02.4 Configure dynamic routing
Now that users are able to access the Internet and the Branch Office has secure communication to Internal Systems, in this section you will configure BGP inside the VPN tunnels for scalable expansion and reduced operational overhead when enabling new branches.
Objectives
1. Configure BGP on DC01 and S01
2. Establish connectivity between the LAN networks of both sites

Lab 02.4 Scenario
The network conditions have changed since the last laboratory; you need to apply the new conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply CLEANUP

Lab 02.4 Requirements
• Configure BGP on DC01 with AS 64500
• All LAN networks should be advertised
• At DC01 you should not configure any explicit peers
• All peers should have fast convergence timers tuned:
  • Keepalive: 5
  • Holdtime: 15
• You should be able to see all available paths to any LAN network in the active routing table

Lab 02.4 Configuration
• Configure the lab according to the requirements
• After finishing the configuration, check if you accomplished the section goals using the validation as a guideline
• If you prefer you can skip directly to the solution, and follow the step-by-step guide
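The hub-side BGP configuration these requirements call for, as an added FortiOS CLI example that is not the course's own solution. It assumes the tunnel subnets 10.200.250.0/24 and 10.200.251.0/24 and the DC LAN 10.100.0.0/24 from the lab diagram, and that S01 runs the same AS with `ibgp-multipath` enabled so its routing monitor shows one path per tunnel.

```fortios
# Added example, not the lab solution. Assumes tunnel subnets 10.200.250.0/24 and
# 10.200.251.0/24 and DC LAN 10.100.0.0/24; spokes advertise their own LANs.
config router bgp
    set as 64500
    set router-id 10.200.250.254
    set ibgp-multipath enable               # keep every equal-cost iBGP path (one per tunnel) active
    config neighbor-group
        edit "SPOKES"
            set remote-as 64500
            set keep-alive-timer 5
            set holdtime-timer 15           # 3x keepalive: a silent peer is declared down after 15s
            set next-hop-self enable        # needed later for branch-to-branch traffic via the hub
            set soft-reconfiguration enable
        next
    end
    config neighbor-range                   # no explicit peers: any spoke inside a tunnel subnet may peer
        edit 1
            set prefix 10.200.250.0 255.255.255.0
            set neighbor-group "SPOKES"
        next
        edit 2
            set prefix 10.200.251.0 255.255.255.0
            set neighbor-group "SPOKES"
        next
    end
    config network
        edit 1
            set prefix 10.100.0.0 255.255.255.0   # DC LAN advertised to all spokes
        next
    end
end
```

Each spoke peers once per tunnel (10.200.250.254 and 10.200.251.254), so with multipath the hub and the spoke both install two routes per remote LAN and the loss of one tunnel is detected by the 15s hold timer at the latest.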
Lab 02.4 Validation
• Check DC01 LAN reachability from S01
• Go to Monitor, Routing Monitor, Filter by Type: BGP

• Test connectivity from T1-DC01
• Connect on T1-DC01 Display
▪ Open a Terminal
» ping 10.1.0.50
» ping 10.1.0.254

• Test connectivity from T1-S01
• Go to CLI (ssh root@FPOC_IP -p 10114)
• You validated communication between S01 LAN and DC01 LAN.

  root@t1-s01:~# ping 10.100.0.254
  PING 10.100.0.254 (10.100.0.254): 56 data bytes
  64 bytes from 10.100.0.254: icmp_seq=0 ttl=255 time=0.9 ms
  …
  root@t1-s01:~# ping 10.100.0.50
  PING 10.100.0.50 (10.100.0.50): 56 data bytes
  64 bytes from 10.100.0.50: icmp_seq=0 ttl=255 time=0.7 ms
  …
Lab 02.5 Time to Complete: 30m

Lab 02.5 Save the day!
You arrived at the Branch Office ready to say goodbye to everyone and get back home, but your coffee is still warm when the Branch Manager comes to your desk complaining that nothing is working and that you can't leave before fixing it.
Objectives
1. Discover and fix the problem

Lab 02.5 Scenario
The network conditions have changed since the last laboratory; you need to apply the new conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply Lab 2.5

Lab 02.5 Requirements
• Find the root-cause
• Fix the problem

Lab 02.5 Configuration
• Configure the lab according to the requirements
• After finishing the configuration, check if you accomplished the section goals using the validation as a guideline
• If you prefer you can skip directly to the solution, and follow the step-by-step guide

Lab 02.5 Validation
• Check tunnel status
• Go to Monitor, IPsec Monitor
▪ Both tunnels should be up

• Check DC01 LAN reachability from S01
• Go to Monitor, Routing Monitor, Filter by Type: BGP

• Test external access from T1-DC01
• Connect on T1-DC01 Display
▪ Open a Terminal
» ping 8.8.8.8

Lab 02.5 Solution
• Test connectivity from T1-S01
• Go to CLI (ssh root@FPOC_IP -p 10114)
• Something is wrong!

  root@t1-s01:~# ping 10.100.0.254
  PING 10.100.0.254 (10.100.0.254) 56(84) bytes of data.
  From 10.1.0.254 icmp_seq=1 Destination Net Unreachable
  From 10.1.0.254 icmp_seq=2 Destination Net Unreachable
  root@t1-s01:~# ping 10.100.0.50
  PING 10.100.0.50 (10.100.0.50) 56(84) bytes of data.
  From 10.1.0.254 icmp_seq=1 Destination Net Unreachable
  From 10.1.0.254 icmp_seq=2 Destination Net Unreachable

• Check tunnel status
• Go to Monitor, IPsec Monitor
▪ Tunnels are down!

• Check probe status
• Go to Network, Performance SLA
▪ All probes are down!

Find the root cause
Fix the problem
Save the day!

• Go to FEC
Lab 02.6 Time to Complete: 30m

Lab 02.6 Enable Centralized Management
The expansion was a huge success and the CEO is planning to open 10 more branches. To prepare for the rapid expansion, your CIO asked you to start using the centralized management capabilities of the already acquired FortiManager; at this point you just need to add the existing devices to prepare for the expansion.
Objectives
1. Manage DC01 and S01 through FortiManager

Lab 02.6 Scenario
The network conditions have changed since the last laboratory; you need to apply the new conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply CLEANUP

Lab 02.6 Requirements
• Import DC01 and S01 into FortiManager
• Import the SD-WAN profile of S01

Lab 02.6 Configuration
• Configure the lab according to the requirements
• After finishing the configuration, check if you accomplished the section goals using the validation as a guideline
• If you prefer you can skip directly to the solution, and follow the step-by-step guide

Lab 02.6 Solution
• Check that everything is synchronized on FMG
• Go to Device Manager, Device & Groups
▪ Change to Map View
▪ All devices should be healthy and synced
Lab 03 – One Hub, Two Spokes Scenario Description
Now you will use the FortiManager to deploy a new Branch. The objective is to simplify IT with central management and visibility of the whole infrastructure, taking scalability into consideration and also preparing for unified communications in the near future.

Lab 03 – One Hub, Two Spokes Network Diagram

Lab 03 – One Hub, Two Spokes Initial Config
• Pre-configured parameters on S02
  • IP Addressing on port1 (OOB_MGMT)
  • DHCP on port2 (WAN Interface)
  • Minimal SD-WAN config (Interface with only port2 and default route)
• Pre-configured parameters on FMG01
  • Admin Profiles and Pictures

Lab 03.1 Time to Complete: 30m

Lab 03.1 Expand!
You just opened a new branch office and need to quickly provision it; leverage the standard configuration from S01 to speed up the process.
Objectives
1. Provision S02

Lab 03.1 Scenario
The network conditions have changed since the last laboratory; you need to apply the new conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply CLEANUP

Lab 03.1 Requirements
• Allow FMG connectivity through the Internet
• FMG Public IP should be 203.0.113.5
• Configure S02 Central Management
• Apply a SD-WAN Template to S02

Lab 03.1 Configuration
• Configure the lab according to the requirements
• After finishing the configuration, check if you accomplished the section goals using the validation as a guideline
• If you prefer you can skip directly to the solution, and follow the step-by-step guide

Lab 03.1 Validation
• Check VPN status on FMG01
• Go to VPN Manager, Monitor. VPN is UP for all branches.

• Check SD-WAN status on FMG01
• Go to Device Manager, SD-WAN, Monitor
▪ All devices should be healthy

• Check that everything is synchronized on FMG
• Go to Device Manager, Device & Groups
▪ Change to Map View
▪ All devices should be healthy and synced
Lab 03.2 Time to Complete: 30m

Lab 03.2 Expand?
Users of the new office are complaining that nothing is working.
Objectives
1. Discover the root-cause
2. Fix the new branch issues

Lab 03.2 Scenario
The network conditions have changed since the last laboratory; you need to apply the new conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply LAB 3.2

Lab 03.2 Requirements
• Find the root-cause
• Fix the problem

Lab 03.2 Configuration
• Configure the lab according to the requirements
• After finishing the configuration, check if you accomplished the section goals using the validation as a guideline
• If you prefer you can skip directly to the solution, and follow the step-by-step guide

Lab 03.2 Validation
• Test S02 reachability from T1-DC01
• Connect on T1-DC01 Display
▪ Open a Terminal
» ping 10.2.0.254
» It should work

• Test connectivity from T1-S02
• Go to CLI (ssh root@FPOC_IP -p 10113)
• It should work

  root@t1-s02:~# ping 10.100.0.254
  PING 10.100.0.254 (10.100.0.254) 56(84) bytes of data.
  From 10.1.0.254 icmp_seq=1 Destination Net Unreachable
  From 10.1.0.254 icmp_seq=2 Destination Net Unreachable
  root@t1-s02:~# ping acme.inet
  PING 10.100.0.50 (10.100.0.50) 56(84) bytes of data.
  From 10.1.0.254 icmp_seq=1 Destination Net Unreachable
  From 10.1.0.254 icmp_seq=2 Destination Net Unreachable

Find the root cause
Fix the problem
Save the day!

Lab 03.3 Time to Complete: 30m

Lab 03.3 Enable Branch to Branch communication
Users on S01 need to access some files on S02; enable that traffic through the HUB.
Objectives
1. Enable branch to branch communication, using the HUB

Lab 03.3 Scenario
The network conditions have changed since the last laboratory; you need to apply the new conditions now.
• Go to the Bastion-MGMT website, Wan Emulator section
• Apply CLEANUP

Lab 03.3 Requirements
• Find the root-cause
• Fix the problem

Lab 03.3 Configuration
• Configure the lab according to the requirements
• After finishing the configuration, check if you accomplished the section goals using the validation as a guideline
• If you prefer you can skip directly to the solution, and follow the step-by-step guide
SD-WAN Training LABS
You finished the training!