Fortinet FortiGate 60F SD-WAN: A Complete Implementation Guide

This is a conceptual implementation guide. Use the FortiOS GUI or CLI for exact commands and adjust to your environment and FortiOS version.

The Fortinet FortiGate 60F brings compact, high-performance security and routing to branch offices and SMBs, and its SD‑WAN capabilities make it an attractive platform for modern WAN architectures. This guide explains how to plan, deploy, and operate SD‑WAN on a FortiGate 60F, covering design choices, configuration steps, performance and monitoring considerations, and best practices for a reliable, secure, and cost-effective branch WAN.

Understanding SD‑WAN on the FortiGate 60F

SD‑WAN on FortiGate combines traffic steering, link quality monitoring, application-aware routing, and integrated security. The FortiGate 60F’s Security Processing Unit (SPU) preserves performance for encrypted and inspected traffic, making it well suited for SD‑WAN scenarios where multiple links (broadband, LTE, MPLS) are used simultaneously and some traffic must be inspected without impacting user experience.

Key SD‑WAN concepts for the 60F:

  • SD‑WAN zones and members: physical or virtual WAN interfaces (e.g., primary Internet, backup LTE) become SD‑WAN members grouped into zones for policy and monitoring.
  • Link quality measurement: proactive probes (pings/HTTP) and jitter/packet loss measurements drive dynamic path selection.
  • Performance SLAs: administrators define thresholds (latency, jitter, packet loss, MOS) and policies that steer traffic based on these SLAs.
  • Application steering and categories: FortiGate classifies traffic by application or category (SaaS, VoIP) to apply routing decisions and security policies.
  • Security integration: SD‑WAN policies work with NGFW inspection, IPS, web filtering, and SSL inspection—allowing secure, optimized routing without separate appliances.

Planning an SD‑WAN deployment

  1. Inventory WAN links and requirements:

    • Document available links (speeds, costs, latency, jitter) and redundancy requirements.
    • Identify critical applications (VoIP, VDI, SaaS) and their tolerance for latency/jitter/packet loss.
  2. Define SD‑WAN objectives:

    • Cost optimization (prefer low-cost broadband over MPLS for non-critical traffic).
    • Performance assurance (steer sensitive traffic to high-quality links).
    • Resilience (automatic failover to LTE or secondary broadband).
    • Security (maintain inspection and segmentation).
  3. Capacity and sizing:

    • Size the FortiGate 60F against the inspected throughput and concurrent session count expected at your branch. The 60F’s SPU helps, but enabling full NGFW, SSL inspection, and IPS together reduces inspected throughput well below the headline firewall throughput figures.
  4. Topology and integration:

    • Decide on hub-and-spoke (site-to-hub) vs. full-mesh or hybrid. FortiGate supports IPsec-based SD‑WAN overlays for encrypted site-to-site connectivity.
    • Plan integration with central management (FortiManager/FortiCloud) and analytics (FortiAnalyzer) for policy distribution and monitoring.

Core configuration steps (high level)

  1. Prepare interfaces

    • Configure physical WAN interfaces (WAN1, WAN2, LTE modem) with IP addressing and link parameters.
    • Create or verify internal LAN and VLAN interfaces for segmentation.
  2. Create SD‑WAN zone and add members

    • In FortiOS, create an SD‑WAN interface and add WAN interfaces as SD‑WAN members.
    • Set health-check methods (ping, HTTP, DNS) and define probe targets (e.g., well-known DNS or internal targets).
  3. Define performance SLAs and link costs

    • Configure performance SLAs for latency, jitter, packet loss, and MOS thresholds.
    • Assign cost/preference values to links for tie-breaking (e.g., prefer MPLS for critical apps).
  4. Build SD‑WAN rules (policy-based steering)

    • Create SD‑WAN rules that match on application, user, source/destination, or DSCP.
    • Set action to “best‑quality” (choose link meeting SLA), “priority” (use preferred link), or explicitly select a member.
    • Use application control signatures and categories to match SaaS or VoIP traffic.
  5. Configure IPsec SD‑WAN overlays (if using encrypted site-to-site)

    • Create IPsec tunnels between hubs and spokes (phase 1 and phase 2 parameters).
    • Bind IPsec tunnels as SD‑WAN members or use them as routes; use dynamic path selection if multiple tunnels exist.
  6. Security policies and inspection

    • Create NGFW policies that allow SD‑WAN routed traffic while applying IPS, AV, URL filtering, and SSL inspection where needed.
    • Order rules so that specific SD‑WAN rules are matched before generic, catch-all permit rules.
  7. NAT and routing

    • Configure source NAT or specific SNAT when sending traffic out of SD‑WAN members if required by ISPs.
    • Adjust static/dynamic routes to prefer SD‑WAN interface for internet-bound and overlay traffic.
  8. High availability and redundancy

    • For critical sites, consider HA pairs or use FortiManager for rapid policy push and monitoring.
    • Configure link failover thresholds and link down actions to ensure quick switchover.
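The steps above, worked through as FortiOS 7.x CLI. This is an added example and not the article's own configuration or Fortinet documentation: the interface names, the "LAN-subnet" address object, the RFC 5737 documentation addresses used for WAN IPs, gateways and the probe target, the thresholds, and the profile names are assumptions to be replaced with your own values. Lines beginning with # are explanatory and should be removed before pasting into the CLI.

```text
# Step 1: address the two broadband WAN interfaces (LTE modem omitted)
config system interface
    edit "wan1"
        set mode static
        set ip 203.0.113.10 255.255.255.0
        set alias "ISP-A"
    next
    edit "wan2"
        set mode static
        set ip 198.51.100.10 255.255.255.0
        set alias "ISP-B"
    next
end
# Assumed LAN address object referenced by the rule and policy below
config firewall address
    edit "LAN-subnet"
        set subnet 192.168.10.0 255.255.255.0
    next
end
# Steps 2-4: zone, members, health check with SLA, and a steering rule
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
            set cost 10
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
            set cost 20
        next
    end
    # interval is in ms; failtime/recoverytime count probes, so a link is
    # declared down after 5 s of loss and up again after 10 s of success
    config health-check
        edit "Internet-ping"
            set server "198.51.100.250"
            set protocol ping
            set interval 1000
            set failtime 5
            set recoverytime 10
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
    # Best-quality rule: SIP signalling (UDP 5060-5061) from the LAN uses
    # whichever member currently meets SLA 1, preferring member 1
    config service
        edit 1
            set name "VoIP-best-quality"
            set mode sla
            set src "LAN-subnet"
            set dst "all"
            set protocol 17
            set start-port 5060
            set end-port 5061
            config sla
                edit "Internet-ping"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
# Step 6: one inspected policy from the LAN into the SD-WAN zone
config firewall policy
    edit 1
        set name "LAN-to-SDWAN-inspected"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "LAN-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set av-profile "default"
        set webfilter-profile "default"
    next
end
# Step 7: default route via the SD-WAN zone (FortiOS 7.0+ syntax)
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end
```

Two points worth checking after applying something like this: the health check should target a host that is reachable over every member and is not the member's own gateway (a gateway can answer pings while the ISP beyond it is down), and the firewall policy should name the SD‑WAN zone, not an individual WAN interface, or the policy will stop matching when the rule steers traffic to the other member.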

Performance tuning and monitoring

  • Tune health checks: Use realistic probe frequencies and targets; avoid overly aggressive probes that might create false positives.
  • Use application and QoS: Tag latency-sensitive applications with DSCP and build SD‑WAN rules that respect QoS markings so carriers and intermediate devices treat them appropriately.
  • Monitor SPU/CPU usage: High SSL inspection or AV loads can increase CPU usage; monitor and offload to cloud sandboxing when needed.
  • Centralize analytics: Use FortiAnalyzer or FortiCloud to collect link metrics, application flows, and SD‑WAN event logs to identify patterns and tune policies.
  • Test failover and path selection: Regularly run controlled failover tests and measure reconvergence times for critical applications.

Security considerations

  • Maintain inspection: Don’t bypass inspection for convenience—where possible, use selective inspection exemptions for trusted SaaS to maintain performance while inspecting unknown destinations.
  • Secure overlays: Use IPsec overlays with strong ciphers and key lifetimes for site-to-site SD‑WAN tunnels, and rotate keys as part of your operational procedures.
  • Segment traffic: Enforce segmentation with VLANs and security policies so guest or IoT networks cannot traverse sensitive segments.
  • Patch and firmware management: Keep FortiOS and FortiGate firmware updated; use FortiManager/FortiCloud to automate patches where practical.
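An IPsec overlay built the way step 5 of the configuration section and the "Secure overlays" point above describe, as an added example in FortiOS 7.x CLI that is not part of the original article. The hub address (192.0.2.1), the tunnel addressing, the tunnel and zone names, and the thresholds are constructed assumptions, and the pre-shared key is a placeholder to be replaced. Lines beginning with # are explanatory and should be removed before pasting.

```text
# Phase 1: IKEv2, AES-256-GCM with SHA-384 PRF, ECP-384 (group 20),
# daily IKE SA rekey. net-device disable keeps a single tunnel interface.
config vpn ipsec phase1-interface
    edit "hub-overlay1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha384
        set dhgrp 20
        set keylife 86400
        set remote-gw 192.0.2.1
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
# Phase 2: AES-256-GCM with PFS, hourly child SA rekey, kept up so
# SD-WAN probes can run before user traffic arrives
config vpn ipsec phase2-interface
    edit "hub-overlay1"
        set phase1name "hub-overlay1"
        set proposal aes256gcm
        set pfs enable
        set dhgrp 20
        set keylifeseconds 3600
        set auto-negotiate enable
    next
end
# Tunnel interface addressing so the overlay can be probed end to end
config system interface
    edit "hub-overlay1"
        set ip 10.255.1.2 255.255.255.255
        set remote-ip 10.255.1.1 255.255.255.0
    next
end
# Bind the tunnel as an SD-WAN member in its own zone with a tighter SLA
config system sdwan
    config zone
        edit "overlay"
        next
    end
    config members
        edit 3
            set interface "hub-overlay1"
            set zone "overlay"
            set cost 5
        next
    end
    config health-check
        edit "hub-probe"
            set server "10.255.1.1"
            set protocol ping
            set interval 1000
            set failtime 5
            set recoverytime 10
            set members 3
            config sla
                edit 1
                    set latency-threshold 100
                    set jitter-threshold 20
                    set packetloss-threshold 1
                next
            end
        next
    end
end
```

The hub needs a matching phase 1 and phase 2 with the same proposals and groups, and the key lifetimes here are the values to tie your rotation procedure to: the IKE SA is renegotiated daily and each child SA hourly, while the pre-shared key itself is only replaced when you change it on both ends.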

Operational best practices

  • Staged rollout: Start with a pilot branch to validate SD‑WAN rules, probe targets, and inspection profiles before broad deployment.
  • Policy standardization: Use FortiManager to maintain consistent SD‑WAN and security policies across many sites.
  • Document fallbacks: Keep a documented process for emergency reversion to single-link routing if SD‑WAN policies cause unexpected behavior.
  • Training and runbooks: Ensure network operators know how to interpret SD‑WAN health metrics and perform common remediation steps.

Conclusion

The Fortinet FortiGate 60F provides a compact, performant platform for SD‑WAN at branch sites when deployed with careful planning and tuning. Its SPU-accelerated inspection and integrated security simplify architecture by combining routing, optimization, and protection in a single appliance. By inventorying links, defining performance objectives, tuning SLAs and IPS/AV rules, and centralizing analytics, organizations can achieve resilient, cost-effective, and secure SD‑WAN deployments that improve application performance and reduce WAN costs.


Shazwan Ali
