FortiGate
fwilliams
Staff
Article Id 291504
Description

This article briefly highlights the best ways to implement SD-WAN in an environment where MPLS, VPN and internet links (mixed) co-exist and all of them require SD-WAN.

Scope

FortiOS 6.4.x and above.
Solution

In many reported cases, customers have SD-WAN implemented over a mixture of links (MPLS, IPsec VPN tunnel and Internet) but have not adequately segmented those links from one another.

The best approach in an environment with a mixture of links is to ensure the following:

 

1. Static default routing is properly configured.

 

Do not configure a single static default route through the SDWAN interface; instead configure the static default route through individual zones or interfaces.

In a situation where there is no internet breakout on the far side of the VPN tunnel, it is NOT necessary to configure a default route 0.0.0.0/0 over the VPN SDWAN zone.

 

The configuration below, for example, points the default route at all SD-WAN member interfaces (Internet, MPLS and VPN). This should be avoided in an environment with heterogeneous links. Instead, point the default route at the individual interfaces that have internet access. The fact that the SD-WAN zone is not referenced in the static route does not mean SD-WAN will not work perfectly. In fact, individual interfaces have an additional advantage: two links of 256MBps and 1GBps capacity will not be load-balanced by ECMP by default, as they would have been if the SD-WAN zone had been used in the static route.

 

[Image: sd1.JPG]

 

The following should also be avoided:

 

[Image: sd3.JPG]

 

Note: Point the default route only to the zone(s) with internet access.

 

2. The SDWAN zones are clearly segmented.

 

Do not add two unrelated or heterogeneous interfaces into the same zone. For example, allocating 'Internet' and 'MPLS' links to the same zone does not follow best practice (a zone named 'WAN' should not house both Internet and MPLS links just because both are WAN links/interfaces).

This is not common, but it is sometimes seen.

 

3. Do NOT use an 'all' source to an 'all' destination in any of the SD-WAN rules.

Make sure the only SD-WAN rule with 'all' to 'all' in the deployment is the implicit SDWAN rule.

Fortinet's R&D team has warned that such a configuration could result in unexpected behavior.

 

[Image: sd4.JPG]
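A minimal FortiOS CLI configuration that applies the three points above: one zone per link type, a default route on the internet member interface rather than on the SD-WAN zone, no default route toward the VPN zone, and an SD-WAN rule with a specific source so that only the implicit rule is 'all' to 'all'. This is an added example and not configuration from the article; the interface names (wan1, port3, hub-vpn), gateways, the 10.0.0.0/8 MPLS prefix and the 'branch-lan' address object are assumptions.

```fortios
config system sdwan
    set status enable
    config zone
        edit "internet"
        next
        edit "mpls"
        next
        edit "vpn"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "internet"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "port3"
            set zone "mpls"
            set gateway 10.10.10.1
        next
        edit 3
            set interface "hub-vpn"
            set zone "vpn"
        next
    end
    config service
        # Rule with a specific source object; only the implicit rule is all-to-all
        edit 1
            set name "branch-lan-to-internet"
            set mode manual
            set src "branch-lan"
            set dst "all"
            set priority-members 1
        next
    end
end
config router static
    # Default route via the internet interface only; corporate prefixes via MPLS; nothing points 0.0.0.0/0 at the VPN zone
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 203.0.113.1
    next
    edit 2
        set dst 10.0.0.0 255.0.0.0
        set device "port3"
        set gateway 10.10.10.1
    next
end
```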
