Yesterday I attended a Fortinet hands-on workshop on setting up SD-WAN connections. While I had completed SD-WAN technical training and had done the workshops online during the COVID pandemic, I took this opportunity to refresh my skills and meet some other IT professionals in the Oklahoma City area.
The training was held at OKC’s Tierpoint data center. This was the first time I had been in their new facility, and I was impressed with the layout and facilities. The training was several hours long, and at one point I had to take a weekly client call. It was easy to step out, grab a private desk in a shared office space, make my call, and then pop back into the training.
Setting up SD-WAN in a lab environment
I liked the fact that Fortinet allowed each of the attendees to log into a virtual lab and set up SD-WAN in a virtual environment. We used our own laptop computers to log into the environment, read the documentation, and then program the virtual FortiGates. The lab even had ways to generate voice traffic and to induce delay and jitter into our virtual circuits so that we could monitor as the FortiGate VPNs failed over and rerouted traffic based on our defined SLAs.
We used FortiManager to program the FortiGates. This allowed us to use templates to set up the SD-WAN interfaces, routing policies, and SLAs, and then use FortiManager to push those configurations to the various FortiGates in our lab. This is the exact way SageNet does this with the hundreds or even thousands of FortiGates we manage.
Pro Tip – Place Interfaces into SD-WAN when setting up a new FortiGate
When installing a new FortiGate, go ahead and place the interfaces into an SD-WAN policy, even if it is the only interface you plan to use. This makes it much easier to deploy SD-WAN at a later point. If you assign policies directly to an interface and later want to move that interface to an SD-WAN group, you have to delete all the firewall and routing policies associated with that interface and then rebuild them pointed at the SD-WAN interface. That takes quite a bit of work, so in most cases you will want to go ahead and just assign the interface to an SD-WAN group and apply policies to that group. Later you can easily add interfaces to the group with very little effort.
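A pre-migration check for the situation described above, as an added example that is not part of the original post: it scans a FortiGate configuration backup for firewall policies and static routes that name an interface directly, which are the objects that would have to be rebuilt before that interface can join an SD-WAN group. The sample config, the interface names and the `direct_references` helper are constructed for illustration, and the parser assumes one setting per line with no multi-line quoted values.

```python
import re

# Constructed sample in FortiOS backup syntax; names and IDs are made up.
SAMPLE_CONFIG = '''
config system sdwan
    config members
        edit 1
            set interface "wan1"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "virtual-wan-link"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
    next
end
config router static
    edit 1
        set device "wan2"
    next
end
'''

# Top-level sections, and the settings in them, that bind an object to an interface.
WATCHED = {"firewall policy": {"srcintf", "dstintf"}, "router static": {"device"}}

def direct_references(config_text, interface):
    """Return (section, entry id, setting) for each object bound directly to `interface`."""
    hits, stack, entry = [], [], None
    for raw in config_text.splitlines():
        # Split on whitespace but keep quoted values together, then drop the quotes.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        head = tokens[0] if tokens else ""
        if head == "config":
            stack.append(" ".join(tokens[1:]))      # entering a (possibly nested) section
        elif head == "end" and stack:
            stack.pop()                             # leaving the innermost section
        elif head == "edit" and len(stack) == 1 and len(tokens) > 1:
            entry = tokens[1]                       # policy or route ID being defined
        elif head == "set" and len(stack) == 1 and len(tokens) > 2:
            if tokens[1] in WATCHED.get(stack[0], ()) and interface in tokens[2:]:
                hits.append((stack[0], entry, tokens[1]))
    return hits
```

An empty result for an interface means nothing in the watched sections references it directly; in the sample, `wan1` is only an SD-WAN member, while `wan2` is referenced by one policy and one static route.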