
All-in with SD-WAN and Fortinet

When you think of SD-WAN players in the market, there are naturally a few names that come to mind. Viptela, VeloCloud, and Riverbed are usually some of the top ones that come up. With two of those three companies having been purchased by bigger players, Cisco and VMware are now in play. But sometimes a company comes out of the pack that surprises with the dedication to doing something different in the SD-WAN space. And at Networking Field Day 20 I saw a new entrant into the SD-WAN market in Fortinet.

Now, it’s not really fair to say that Fortinet is new. I’ve been using FortiGate firewalls since the early 2000’s back when they were just the FortiGate 60 or FortiGate 200. But they were not what I would consider network edge devices. They were firewalls or unified threat management (UTM) devices. They were designed to intercept and analyze traffic both in and out of the network. And they worked well because Fortinet realized that trying to pump that much traffic analysis through a CPU was going to create massive problems with big traffic loads. So, Fortinet designed ASICs to offload the analysis and ensure that firewall performance stayed speedy.

The landscape of networking has changed though. Gone are the crazy serial connections of the T1 or the DS3. They’ve been replaced by ubiquitous Ethernet connections everywhere. Now, instead of routers acting as media converters for WAN-to-LAN connections, they’ve instead taken on new functions as processing power has increased and software has started to eat the networking world. With the homogenization of connectivity on the WAN side, the real differentiation has to come from somewhere else.

Splashing The Pot

For Fortinet, those very same ASICs that have been powering the security side of things for the past few years are the key to their differentiation. The majority of the other players in the SD-WAN market are relying on high-powered x86 CPUs to drive their analysis and software performance. That’s a good idea to keep costs low and reduce the amount of R&D needed to keep adding new features to the units. It’s not all that dissimilar from the merchant silicon movement and reliance on things like Intel’s DPDK in the greater networking market.

However, big CPUs have issues when they get overloaded. We’ve all seen this in the networking world when a switch gets swamped with a broadcast storm caused by a loop somewhere. Everything grinds to a halt, including traffic processing. When a big CPU gets hammered with lots of traffic, it still exhibits the same characteristics. Maybe not quite as fast as a smaller processor, but it’s still going to grind to a halt sooner or later under load. And when you consider the size of the CPUs that are typically placed in branch offices to reduce costs or size appropriately to smaller traffic flows? You can see how an increase in traffic or a new analysis feature can cause big problems fast.

Fortinet is getting around that by using the ASICs they’ve developed for security analysis to augment the capabilities of their boxes for SD-WAN performance. It’s really a brilliant strategy. Because these ASICs are already optimized for traffic analysis, they can perform it and get the results to the software on the system fast. Whether that software decides to make security decisions to allow or deny traffic, or whether the policy engine is based on application-specific rules that forward packets over a critical link or a less-congested path, makes no difference to the ASIC.

Because the traffic analysis is offloaded to a different chip there’s also little worry about impacting system performance. When you swamp the ASIC with too much traffic the ASIC might slow down, but the main system CPU won’t. That means the box will still pass packets in the event of a big spike of data headed toward it rather than melting down under the weight of a tidal wave of packets.

Having integrated hardware in the edge units is also a way for Fortinet to continue to innovate and provide services to their customers. If you know that your unit has a specific capability it’s much easier to build software to utilize this function in the future. You can’t count on introducing software to a unit that runs specifically off of a single CPU and hope that it’s not going to get overwhelmed by your new programming. And your edge firewall can gain new SD-WAN capabilities as they arise.

Bringing It All Together

I can’t say that I envisioned Fortinet as a major player in SD-WAN even just three years ago. I had them firmly entrenched in the security side of things. However, it would appear that the industry has evolved to the point where SD-WAN and security look very similar to the processing devices. It’s now up to the policy engines to make determinations. The real key is how fast you can process the packets and get the data to the higher-level decisions. That’s a place where Fortinet has excelled for years and should continue to have an advantage going forward.

About the author

Tom Hollingsworth

Tom Hollingsworth is a networking professional, blogger, and speaker on advanced technology topics. He is also an organizer for networking and wireless for Tech Field Day. His blog can be found at https://networkingnerd.net/

1 Comment

  • Thanks. Good overview. It looks like the SD-WAN functionality can simply be turned on in existing FortiGate appliances. When you think of other vendors of SD-WAN, is combining security an advantage for Fortinet?
