Fortinet Secure SD-WAN Demo | Retail Security

Captions
Hello everyone, welcome, and today is demo day, virtual demo day: Fortinet Secure SD-WAN. I'm your host Courtney Wright, retail CISO and principal architect for Fortinet. I've been in retail for a while; I've deployed and supported distributed networks for multiple retail brands, and now I use that experience to guide retail strategy for Fortinet. Today we'll be talking about Fortinet Secure SD-WAN with a solution focused on retail: what goes into SD-WAN, why security is important to call out, and we'll give an overview of our implementation of SD-WAN. If you've used a FortiGate before, you're familiar with the web interface, and that's what we're using to showcase the ease of setup on a per-device basis. Once that is complete we'll move on to our first demo. The first demo will be a cloud-hosted VoIP service that is called RingCentral, highlighting the lowest cost SLA strategy. Tying in centralized visibility and management, we will show why FortiManager is your go-to solution to easily deploy, manage and support our SD-WAN solution at scale, and this is extremely important because whether you're a small business or a large business you're gonna have some complexities that are particular to your business, so you need a solution that's tailored for really all scenarios. Then we'll go into demo number two, which is best quality, and we'll utilize ADVPN, or auto-discovery VPN, to maintain a SIP call between branches; tunnels will be established dynamically to ensure continuity of the call over the optimal connection. After this we'll be accepting some Q&A, and that can be entered through the session chat window, where it will be collected, and we'll answer them at the end of the session, time permitting.

So let's go ahead and dive in. So what is SD-WAN? Let's have a little discussion and overview on that. Well, SD-WAN is software-defined wide area network, and it's a little bit like SDN for the data center with respect to how it implements virtualization technology to improve data center operations and efficiency. Essentially SD-WAN decouples the network from its hardware control mechanism, so what that does is it provides higher performance, it provides cost savings, it provides flexibility over traditional WAN connectivity. It also allows for dynamic application steering to ensure business-critical applications and services are always available. Now most SD-WAN solutions provide an overlay or an abstraction layer from the underlying circuit that is transport-agnostic, whether they're MPLS, broadband, or wireless or LTE. Businesses are adopting SD-WAN so that they can keep their existing WAN links while having traffic steered over the correct connection based on parameters that best fit their business needs. Centralized control, management and enhanced visibility in reporting are big enhancements that SD-WAN promises. There's also ones that it doesn't deliver on: it provides application steering, quality of experience, segmentation; secure connectivity, maybe it doesn't really allow for that in a generic SD-WAN environment, but the Fortinet Secure SD-WAN solution does. We were the first SD-WAN solution to be purpose-built with security in mind. So it's also worth noting that our SD-WAN offering is free, and it's included on every FortiGate, from the smallest office appliances to the biggest data center firewalls out there.

So now we're kind of going to jump into our second use case, and that's ease of use. We're gonna do a little bit of an overview on the ease of use of the FortiGate SD-WAN solution, and I'm gonna do that in a couple ways. First we're gonna show you just the demo topology here and how it can be complex or it can be pretty easy. Essentially what we have right here is just a standard topology; it's a pretty standard hub-and-spoke design with two branches, each with dual WAN connectivity, a cloud environment fronted by a firewall, and a data center, also with redundant WAN connectivity, that houses the centralized management and reporting provided by FortiManager and FortiAnalyzer respectively. There's gonna be Ubuntu clients in the final demo that we'll be showcasing. We'll also be using a WAN emulator to simulate loss and latency over the WAN links, to simulate a failover over SD-WAN. We're gonna reference this architecture a couple times, so don't worry about that; just know that this is the architecture that we're going to be using, and it should look pretty similar to what many of you may have out there in your own implementations. So while it goes without saying that we're talking about SD-WAN, the big thing here again that we're also wanting to talk about is Secure SD-WAN, and what builds Secure SD-WAN is the Security Fabric. It starts in the middle with the next-generation firewall of course, but as you see the wheel around here, it's a broad set of security technologies that build out our portfolio. They're coupled by Fabric-Ready Partners, an open API ecosystem where we write to the competition or to partners out there, and the same can be said that they can write to us, and an open API architecture that allows customers to custom-build their own solutions. And so that's another compelling thing that we have here: this interoperability between different systems, different devices, different technologies.

So we're just going to go ahead and jump in here. We're gonna log in to branch 1, and what we'll see with branch 1 is it's currently managed by FortiManager, and while we can log in and make changes locally, they may be overwritten when we send down additional changes from FortiManager. So as we'll see here, we're already logged in and we're in the SD-WAN section, and as you'll see over here on the left side, that's just a standard FortiGate configuration and layout, but what you'll see here is we've got some favorites set up: SD-WAN, SD-WAN rules, performance SLAs. This is gonna be whatever you want; you just click the star and add whatever you want over to the favorites list. We're gonna try to keep this simple here and we're gonna use some of the just standard sections, so you'll find SD-WAN underneath Network: SD-WAN, SD-WAN Rules and Performance SLAs. This is where we're going to be spending the majority of our time here. So right here we're in the basic SD-WAN section, and this is where you define your interfaces. These interfaces can be physical interfaces, or underlays, or tunnel interfaces like VPNs, which can be referred to as overlay. What you might notice here is that there are not gateways on many of these, as we're using the routing table for those; some however do have gateways, such as the cloud VPNs, and this is mainly used for internet addresses that we don't necessarily want to use the routing table for. You also see here that the cost on many of these is set to zero. Now you can leave it at zero or you can set it to what you need as part of your lowest cost strategy. So it's also a cool little thing here that we can do: you can create a VPN on the fly right from this menu, which is not something we're really gonna talk about today, I just thought it was pretty cool.

So what we're gonna get into now is performance-based SLAs. The purpose of a performance SLA is to monitor and gather the information from your links to make steering decisions based on the SD-WAN rules. These can be general SLAs, like the internet SLA, or they can be specific, such as the RingCentral SLA. If you click on the SLA you'll see performance metrics that have been captured and are displayed for the last 10 minutes or so, shown at the top of the window. These can be refreshed by clicking into them, and you can refresh them on the left side, but again that's not going to be the real-time statistics but rather a snapshot. But we'll see that when we demo the RingCentral SLA in just a bit. So I'm going to go ahead and edit one of these SLAs and show you the available options. So Protocol shows you the available options to determine the health of the link: ping and HTTP; however, if you need more options you can enable TCP echo, UDP echo, or TWAMP, two-way active measurement protocol, via the CLI. The Server section is the IP or FQDN that you are trying to monitor; listing two would mean that both servers need to be unavailable to return a failed verdict, so just remember that. Participants is the WAN links that will be used in your SLA. Probe packets is pretty self-explanatory; it can be disabled if no health checks or probes are needed, particularly during troubleshooting. The SLA targets here, these are your settings for latency, jitter, packet loss, and these are used to determine your quality of link, think MOS score for VoIP. Your Link Status is where you can define your check intervals, your failures before inactive, and your restore link settings, to determine when it is safe to fall back to a certain link. Really these are meant to help you avoid flapping. Update static route is only relevant if the FortiGate config has a static route pointed towards the SD-WAN interface. Another thing I'd like to show you in this section is we're showing you the current values on the right-hand side to allow you to make informed decisions on your changes. Note that we're capturing sub-millisecond values that can be used in case you have applications that are highly sensitive to latency or jitter, for instance business-critical applications.

Now we're going to show you the last section, which is the SD-WAN rules, which steer or direct traffic based on the rules that you define. These are processed top-down like a firewall rule, but it's important to note that in order for traffic to pass there must be security controls in place to allow it. The ability to create SD-WAN rules and create the corresponding security policy rules in the same place to protect the traffic, this is the advantage that Fortinet brings to the table. Now let's take a look at an SD-WAN rule itself to see what makes it tick. So we'll go ahead and just look at the RingCentral rule, and as expected there's a lot of different variables here. We can set up things like source address, your user groups, applications, and the Internet Service address is something that's pretty cool here, because you don't have to make the configurations or decisions by yourself: through an agreement that Fortinet has, we're able to keep the list of dynamic IP pools and ranges for things like Microsoft Azure, Office 365, Google, AWS, what have you, and we can make those decisions for you. It just makes it a little bit easier for you to set up your SD-WAN rules, and this is especially critical if you deal in these cloud spaces a lot, if you have a lot of infrastructure in the cloud. The next section is Outgoing Interfaces, and this allows you to determine the strategy that you're going to use. So the first one we're going to look at here is Manual, and what Manual does is it forces traffic over a specific link, and this can be your most preferable link; this is for business-critical applications and traffic that you want to make sure are always steered over a specific link. Best Quality determines the link based on the criteria of the measured SLA chosen; this is your health checks. What is the Lowest Cost SLA? If you remember earlier where I said that the cost can be 0 or 10, this is what determines that, so if they're all set the same they're actually processed top-down, whichever one was added to the rule first, and the order of these can actually be edited or changed at any time. The Maximize Bandwidth SLA actually uses all members, all interfaces, as long as they meet the SLA check set, and the traffic is balanced in a round-robin set.

So what we're going to do now is take a look at some of the SD-WAN rules that we already have in place. The first one that we're gonna look at here is the guest rule, and what the guest rule is doing is sending all guest traffic over the WAN 1 link, and this is an important rule to look at because maybe your WAN 1 is an expensive MPLS or cost-based circuit and you don't want to force things over that link in the event of a failure. So what this is going to allow you to do is, in the event of a failure, you can fail over to commodity broadband, and your guest traffic may be impacted but your business-critical traffic is staying up and going. The second rule that we're going to look at here is RingCentral, and this is using lowest cost, and that's based on the thresholds that you'd set up for 80 millisecond latency, 5 millisecond jitter threshold and 1% packet loss. What's important to note on this one is if both circuits fail, or both connections fail the SLA check, the most preferable by cost circuit will be used; in this case it's Cloud VPN 1. The next one we're gonna look at is internal voice, and what this is doing is using the best quality strategy, and it's spraying the load over the four different VPN connections spread across the different hubs, so VPN 1 and 2 on hub 1 and VPN 1 and 2 on hub 2. Not going to go a lot into this, but this is for voice-to-voice calls. So the next one we're going to look at is the implicit rule. What the implicit rule is, is if no SD-WAN rules are in place for your traffic, it will fall down to the implicit rule. If you think of a firewall rule, the implicit rule blocks all traffic that is not explicitly allowed; in SD-WAN, where the intent is to steer traffic, you likely don't want to block your traffic flat out, so if there's no corresponding policy for the traffic it will instead be load-balanced by the implicit rule if a valid route exists to the SD-WAN interface. There's a number of options here that the implicit rule has, and these include your source IP, which is the default; you can do it by source and destination; you can do it by spillover, which is essentially a threshold set for each interface that determines when traffic should move or spill to the next link; you can also do session-based, and session-based is based on the weight; you can also do volume, which is measured based on the bandwidth ratio among the other SD-WAN members. Remember all of this can be configured individually if you need to for granularity.

So what we'll go ahead and look at here is your actual security policies, your firewall policy that is protecting your SD-WAN traffic, and while we have it in interface view here, we're gonna look at this in sequence view, because that more resembles a traditional firewall policy. The way Fortinet does it is each line is essentially a policy, which you may call a rule; they're essentially the exact same thing, but we just wanted to call out the distinction here. So your interfaces can be the underlays, which is the actual interfaces, they could be an overlay like VPN, or they can be the virtual interface such as SD-WAN, which includes all of your different interfaces. So the first rule that we're looking at here is the guest rule, and what this rule is doing is forcing guest traffic out just one interface, and that's WAN 1, port 3 here. This is a pretty specific security policy enforcing the guest traffic to only go over that specific link, because if we substituted SD-WAN for the interface, what that would allow it to do is the traffic could utilize all of those different links inside of that SD-WAN overlay interface, and possibly use a circuit that is more expensive or has some costs associated with it, and that's not what we want to do. The intention here is, from a hierarchical order, that the guest network policy is above SD-WAN, because this is forcing traffic, if it meets that policy, if it meets that criteria, to only go over WAN 1. This second policy here is our actual SD-WAN policy, and so if you hover over the actual SD-WAN interface here you can see all the members, their status, the load balancing algorithm used, and there's some other variations on these policies to lock it down more than just strictly out to the Internet. So while it's important to note that you can configure all of this through the FortiGate, our next-gen firewall, the basis of what we built our company on, it's important to note that for larger networks, for more distributed networks that need to scale, the use of our FortiManager product to orchestrate all of this, which we'll showcase later, can be utilized for, again, those larger-scale, more distributed networks. So that concludes our overview of SD-WAN in the FortiGate GUI.

So now we'll be doing an overview of a typical scenario in a retail location where we're sending traffic out from branch 1 to the internet, and we're using a specific application; in this instance it is RingCentral, and RingCentral is a cloud-hosted voice over IP service. We'll be using the lowest cost SLA strategy and sending traffic over two VPN links, VPN 1 and VPN 2, and here's a closer look at that topology. Remember in the previous section we had already had rules set up for RingCentral, and they're using the lowest-cost strategy. Now as we'll see here, both links had the same cost associated with them, which was zero, so they'll be using the most preferred link, which in this case is VPN 1 and 2, and they use most preferred if they both meet the SLA, which they currently do. So looking at the logs, we have a custom view set up for RingCentral, and if we switch it over to real-time view we can see that RingCentral has been using Cloud VPN 1. So what we're gonna do here is introduce a problem; we're going to introduce some latency using a free and open source program called WAN emulator. So logging into the WAN emulator web console, what we can do here is introduce a 200 millisecond delay; we can introduce latency and we can see what that does to our connection. So logging back into the FortiGate interface, into performance SLA, we can see that some things have changed. We'll see those real-time statistics up at the top graph of the last ten minutes. It's important to note here that the variables shown at the bottom, that show that they're not meeting SLA, that's a snapshot in time; those can be refreshed by going to performance SLA, and then they will also update, while you can continue to see the last ten minutes of our WAN performance in real time. So what we're going to do here is we're going to go to the logs and we're gonna see what has changed from that view, and what we can see here is Cloud VPN 2 is now the destination interface. It was a seamless switchover because of that latency that was introduced. But what happens if we take away that issue? So if we remove the 200 millisecond latency and go back down to 15 and apply those settings, what we'll see here as we log into the FortiGate interface is that that value starts to change for WAN 1. We'll start to see that now WAN 1 becomes again the preferred destination, because this is now within that SLA variable, and both of them are meeting that SLA variable now. So while we use RingCentral for this, keep in mind that this can be used for any business-critical application in retail. You may not be using RingCentral inside of a restaurant, but this is really to show how you can use the lowest cost strategy to help protect your business applications, your business-critical applications, inside of a branch, inside of a retail location. So that concludes our demo of lowest cost.

Now we're going to go into FortiManager SD-WAN. So to take a look at this, let's review the topology as we start to dive into how you can leverage FortiManager to orchestrate your SD-WAN. If you remember in the previous demo, in branch 1 when we logged into it we got a warning message that said this was managed by FortiManager, and so what we're going to do here is highlight the ability to deploy a new SD-WAN template to branch 2 that previously didn't have any SD-WAN in place. As we log into FortiManager here we'll see that it's set up in an ADOM configuration; by default everything would be in root, but here we're set up in an ADOM configuration, which is particularly helpful in large distributed enterprises or really important in multi-tenant type scenarios, and it's just a good way to allow you to logically separate your devices for management and administration. So as I said, we'll be managing two different devices here, FortiGate branch 1 and FortiGate branch 2, and the abbreviation that you see here is a short nomenclature for FortiGate. You may see a couple other ones here, and we may even have referenced some: FMG being FortiManager and FAZ, FAZ being FortiAnalyzer; if you're a fan of Jeremy Clarkson you know you got the humor in that one. So then we're going to go into SD-WAN, the template manager. Under assigned devices we see here that FortiGate branch 1 is the only one assigned; that's the only one we have out there. But if we go into SD-WAN templates you can see that we have two SD-WAN templates, one for branch and one for hub. It's also important to know, and actually this is something that I use often, is importing of SD-WAN templates, and why this is important is, remember in the beginning when we were in the FortiGate GUI and we were building SD-WAN there; well, if you do build SD-WAN and it suits your needs and it can be used for a template, you can directly import that from a FortiGate and then use that inside of FortiManager as a template. But FortiManager here has everything that we need, so we're gonna go ahead and cancel out of this. So what we'll see here is that in SD-WAN templates it's essentially a carbon copy of what we saw on the FortiGate, with a little different variance on how you view things, so SD-WAN rules, performance SLAs, the interface members, really everything you need to build an SD-WAN policy, and that's by design; it's supposed to be by design to mirror kind of what we see on the FortiGate. So next we just have to assign it to a device, and so what we do here is create a new one, pick branch 2, and then we assign the specific branch SD-WAN template that we've already built, and you can see all the interface mapping is there. So our next step is to actually assign a security policy, because remember SD-WAN is just the intelligent traffic steering; it's not inherent security, and so that's where Fortinet comes in and builds in our security policies on to this. So we go into Policies and Objects, so we can either build, or in this case we already have it built, and deploy our specific branch security policies. So we see two here that are relevant: we have branch no SD-WAN and we have branch SD-WAN, and currently branch 2 has a wide-open Internet policy. We don't want that, right? We want to mirror what we have on branch 1, and so in branch 1 again we see the policies are there. So what we're gonna do is install it: go to Device Manager and then we go to the Install Wizard. For the Install Wizard we're gonna select policy package and device settings, and what this is gonna allow us to do is remedy the entire configuration of that branch. So we'll hit next; we can go ahead and select both, but FortiGate branch 1 shouldn't have any policy changes to make. You'll get a preview; you can skip past this, and what you see here is that again branch 1 has nothing to do, so we'll just select branch 2. This is going to be showing you a real-world view; this is the actual time to push this policy configuration down, and as you can see I barely get out my sentences before this is all just completely done. So once we finish this out we can go to Monitor and we can see our brand-new SD-WAN connection is up in a nice map view. We can see that it's up here now: branch 2 in Toronto, branch 1 is in Kansas City, our hubs are on here, hub 1 is in San Jose and hub 2 is in Dallas, Texas.

So going into table view we can get a little more information on this, so let's take a look at table view and see what we can see for branch 1. We see our members, upload, download, we see SLA information and the specific SLAs that are being used in this case. So if we click into this we'll see even more information, and this is a detailed view that's available for up to the last 24 hours of information, and you can change timelines; there's per-SLA packet loss, jitter and latency statistics, and again this is all available here, all customizable; you can change refresh rates, change your polling intervals, it's all customizable. What you'll notice here is that you may have seen on the FortiManager landing page that we had FortiAnalyzer features, and normally these aren't here, but as of version 5.6 these FortiAnalyzer features have been available in FortiManager, just for ease of use and consolidated visibility, which is great and especially applicable here because we can jump straight into logs. We can jump into our system logs and view system logs such as latency, packet loss and jitter, and these are the ones coming in from branch 1, and what these can be used for is you can build charts, reports, event handlers off of these. Speaking of reports, we're constantly making evolutions of our reporting structure. The SD-WAN reports weren't available in 5.6; I believe the SD-WAN reports came in 6.2, but they can be used to build from your chart library, they can be used to build your specific SD-WAN reports in FortiAnalyzer. So let's take a look at the FortiAnalyzer report. These reports, what they give you is a lot of pre-built knowledge that is going to be very important for you to make informed decisions on critical traffic, where to steer your traffic, how your links are currently being utilized, and this is all available through FortiAnalyzer, which in this case is built into FortiManager. Again, FortiManager is our single pane of glass for management and administration in large distributed enterprise networks and multi-tenant environments, and it allows us to scale to hundreds or even thousands of devices in an easy template approach using zero-touch provisioning, which we won't touch on here, but we have a lot of content on that and can surely do another demo walkthrough of that at a later date.

So before we get into the next demo, let's just do a quick overview of IPsec VPN topology. The pretty standard topology that you'll normally see is a hub-and-spoke, where the hub is serving as the main aggregation point for VPN tunnels from the sites. Now each site creates an independent tunnel to the hub, not to each other, but this can cause some undesirable effects such as latency, and keep in mind that at the hub site it may use additional bandwidth. Another topology is partial mesh, and what this is is similar to hub-and-spoke, but it's a middle ground where some of the sites create a VPN tunnel between each other. And then the third one, and obviously the most complex one, is a full mesh, and while this provides great resiliency and redundancy with connections between all of the different spokes, it also is not really that scalable, and so we don't really see this that often. But what we do see is ADVPN, or auto-discovery VPN, that we mentioned earlier, and what this is is dynamic tunnels or shortcuts, and this brings in the simplicity of hub-and-spoke with the full efficiency of the full mesh VPN architecture. This ADVPN architecture is what is going to be used in our next demo. So let's take a moment to review the topology once more. Again we have branch 1 and we have branch 2, and in this demo we're going to be making a SIP call between branch 1 and branch 2 via ADVPN, so we're going to be dynamically generating these tunnels from our branches to our head ends at the data center.

So let's go ahead and jump in at monitoring here. If we look here at the IPsec monitor we can see that all six VPN tunnels are up, they're all available: VPN 1, VPN 2, hub VPN 1, VPN 2, and hub 2 VPN 1 and VPN 2. So if you remember in the SD-WAN rules, what we have set up here is using best performance as determined by our internal SLA for VoIP, and so if we go into performance SLA, what we can see here is all of the connections; they're color-coded for easy reference, or if you just hover over there you can see the representation as well. We can also see the top-level SLA for latency, the SLA target, and where the hubs are in comparison to their SLA target. So what we're going to do now is hop into our Ubuntu boxes; we're going to RDP into those and do a little more in-depth analysis. So once we've established the connection on our Ubuntu box, we're going to use our softphones and establish a connection between the two devices, and so this is a SIP connection being established via IP address, so 10.1.2.10 to 10.1.1.10, and the receiving softphone is set to auto-answer. Once these have established, we'll go back to our GUI, and in IPsec monitor here what you'll notice is an additional VPN tunnel with a 0 appended, and this is the new tunnel, dynamic tunnel or shortcut, created by ADVPN for this session. So now let's log into FortiManager. In FortiManager, in VPN Manager, if we go to monitor and we filter for branch 1, we're gonna see that same thing; we're gonna see that new appended VPN tunnel that was created via ADVPN. So now let's introduce some latency to the equation. Once we've changed this from 15 to 150 milliseconds and hit apply on the WAN emulator, we can go back into the FortiGate and we can look at our performance SLA, and now what we see for performance SLA is that VPN 2 now has the preferred SLA, so it's meeting the latency requirements. What that means is if we go back into our monitor session we should be able to see a change here, and we do: we see hub 1 VPN 2-0, which is a new VPN created through ADVPN, now established on hub 1 VPN 2. So now let's log back into our Ubuntu clients; we can see that the call is still connected, and this is despite the fact that we've seen a switch between VPN connections. So this is the end of the demo for this, and this demonstrated ADVPN and SIP call connectivity between different branches.

So before we move on to Q&A I'd just like to do an overview of what we talked about today. We did an overview of SD-WAN and how Fortinet solves the challenge of security, which is not a given with all SD-WAN offerings; by combining SD-WAN into our best-in-class next-generation FortiGate solution we solve that challenge. We also reviewed Fortinet Secure SD-WAN within the FortiGate by reviewing configurations in the FortiGate GUI, and then we moved on to a use case demo for SD-WAN using a cloud-hosted VoIP service, and then we reviewed how we would scale this, and the way you scale this is using FortiManager. This allows companies, distributed enterprises, multi-tenant solutions to scale to one, tens, hundreds or even thousands of sites in a template approach, and this is critical for retail, right, to keep things simple, keep simplicity and have zero-touch deployment. The last use case that we looked at was a demo for SD-WAN using ADVPN and generating dynamic tunnels, dynamic hub-to-spoke tunnels, using ADVPN to keep a SIP call connected even though we failed over to different VPN connections. So that was what we had for the demo day today. I hope you enjoyed it; I hope it provided you some insight into what the SD-WAN product is for Fortinet and how this can help you in retail. Remember, the examples given today are just for that, they're just for example purposes only, and there's many other use cases that are applicable to your business and in retail. This is a very full-fledged solution, and again I cannot stress enough that it's integrated into every single firewall, large or small; it's a feature that you just turn on, and it can be scaled effectively on a one-by-one basis or, as we said earlier, to many, many sites via our FortiManager orchestration. The bottom line being here for retail is that MPLS is expensive and commodity broadband is becoming more and more widely used, but it doesn't provide the security assurances and resiliency that most people expect. If there are business-critical applications that require four nines or five nines, you may still have MPLS in place, but for those that may be able to sustain a little bit of performance impact, or maybe even for those that don't, SD-WAN provides the ability to provide that business resiliency, to provide that flexibility and to provide that cost savings by combining multiple low-cost broadband links into a single SD-WAN overlay. Thank you very much; we appreciate you for joining.
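As an added illustration, not Fortinet's code and not configuration taken from the demo, the following Python models the steering behaviour the walkthrough describes (SLA targets, the failures-before-inactive / restore-link flap guard, and the Lowest Cost and Best Quality strategies) and replays the RingCentral and internal-voice failover scenarios; the member names, costs and probe numbers are constructed assumptions.

```python
# Added example (not Fortinet code): a small model of the SD-WAN steering behaviour the
# demo walks through, so the RingCentral lowest-cost failover, the link-status flap
# guard and the internal-voice best-quality switch can be replayed with constructed
# probe values.
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass
class SlaTarget:
    """Performance SLA targets (latency / jitter / loss), as set on the RingCentral SLA."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class Probe:
    """Latest health-check sample for one member (constructed numbers)."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def within(self, sla: SlaTarget) -> bool:
        return (self.latency_ms <= sla.latency_ms and self.jitter_ms <= sla.jitter_ms
                and self.loss_pct <= sla.loss_pct)


@dataclass
class Member:
    """An SD-WAN member (underlay port or overlay VPN), listed in rule order, with its cost."""
    name: str
    cost: int
    probe: Probe


class LinkStatus:
    """Failures-before-inactive / restore-link hysteresis from the Link Status section:
    a member leaves the SLA only after `fail_after` consecutive missed checks and
    re-enters only after `restore_after` consecutive passes, so one bad sample cannot
    flap the steering decision."""

    def __init__(self, fail_after: int = 5, restore_after: int = 5) -> None:
        self.fail_after, self.restore_after = fail_after, restore_after
        self.in_sla: Dict[str, bool] = {}
        self.streak: Dict[str, int] = {}  # consecutive samples contradicting current state

    def check(self, members: List[Member], sla: SlaTarget) -> Dict[str, bool]:
        """Run one check interval over all members; return the current in-SLA map."""
        for m in members:
            current = self.in_sla.setdefault(m.name, True)
            if m.probe.within(sla) == current:
                self.streak[m.name] = 0
                continue
            self.streak[m.name] = self.streak.get(m.name, 0) + 1
            if self.streak[m.name] >= (self.fail_after if current else self.restore_after):
                self.in_sla[m.name] = not current
                self.streak[m.name] = 0
        return dict(self.in_sla)


def lowest_cost(members: List[Member], in_sla: Dict[str, bool]) -> str:
    """Lowest Cost (SLA): cheapest member inside the SLA, ties broken by rule order;
    if nothing is inside the SLA the most preferable member by cost is used anyway."""
    candidates = [m for m in members if in_sla.get(m.name, True)] or members
    return min(candidates, key=lambda m: m.cost).name  # min() keeps the first on ties


def best_quality(members: List[Member], metric: str = "latency_ms") -> str:
    """Best Quality: the member with the best measured value of the chosen criterion."""
    return min(members, key=lambda m: getattr(m.probe, metric)).name


RINGCENTRAL_SLA = SlaTarget(latency_ms=80, jitter_ms=5, loss_pct=1)


def replay_ringcentral(latencies: Sequence[float], fail_after: int = 1,
                       restore_after: int = 1) -> List[str]:
    """Replay the lowest-cost demo: both cloud VPNs cost 0; `latencies` is the series of
    WAN emulator delays applied to the Cloud VPN 1 path, one per check interval."""
    vpn1 = Member("Cloud VPN 1", 0, Probe(15, 1, 0))
    vpn2 = Member("Cloud VPN 2", 0, Probe(18, 1, 0))
    status = LinkStatus(fail_after, restore_after)
    chosen = []
    for delay in latencies:
        vpn1.probe.latency_ms = delay
        chosen.append(lowest_cost([vpn1, vpn2], status.check([vpn1, vpn2], RINGCENTRAL_SLA)))
    return chosen


def replay_internal_voice() -> List[str]:
    """Replay the ADVPN demo: best quality by latency over the four hub overlays,
    before and after 150 ms is injected on the hub 1 VPN 1 path."""
    hubs = [Member("Hub 1 VPN 1", 0, Probe(15, 1, 0)), Member("Hub 1 VPN 2", 0, Probe(18, 1, 0)),
            Member("Hub 2 VPN 1", 0, Probe(25, 2, 0)), Member("Hub 2 VPN 2", 0, Probe(27, 2, 0))]
    before = best_quality(hubs)
    hubs[0].probe.latency_ms = 150
    return [before, best_quality(hubs)]


if __name__ == "__main__":
    # 15 -> 200 -> 15 ms as in the demo: VPN 1, then VPN 2, then back to VPN 1
    print(replay_ringcentral([15, 200, 15]))
    # failures-before-inactive 3: one bad sample is ignored, three in a row switch
    print(replay_ringcentral([200, 15, 200, 200, 200], fail_after=3, restore_after=3))
    print(replay_internal_voice())
```

With the flap guard set to three consecutive misses, the single 200 ms sample in the second run leaves RingCentral on Cloud VPN 1, which is the behaviour the Link Status settings are there to give you.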
Info
Channel: Fortinet
Views: 3,324
Keywords: Fortinet, SDWAN, cybersecurity, retail security, IT, information technology, Retail Security, SD-WAN Demo, Fortinet Demo, fortinet sd-wan, sd-wan fortinet, Palo Alto Networks, Check Point Software, Juniper Networks, Oracle Security, Cisco Secure, Sonic Wall, WatchGuard, McAfee
Id: GCTmbkcqWTQ
Length: 34min 14sec (2054 seconds)
Published: Mon Apr 27 2020