Fortinet has announced a new Next-Generation Firewall (NGFW), the FortiGate 100F. This new firewall also includes SD-WAN capabilities such as support for multiple link types and application- and performance-based path selection, among other SD-WAN features.
Fortinet is also upgrading its FortiOS operating system to include new SD-WAN features such as support for Forward Error Correction (FEC).
Finally, Fortinet is rebranding one of its custom chips as the SoC4 SD-WAN ASIC, indicating the increasing importance of SD-WAN to Fortinet’s market positioning.
Fortinet’s new NGFW/SD-WAN appliance targets mid-size and large enterprise branches and remote sites. The appliance includes 2 10GbE ports and 18 1GbE ports.
The spec sheet promises 1Gbps throughput in SSL inspection mode, and 0.8Gbps throughput in NGFW mode.
Fortinet uses IPsec tunnels as its SD-WAN overlay. It says the 100F can support up to 2,500 tunnels per appliance.
In addition to firewalling, the 100F also serves as an SD-WAN edge device. Fortinet says the appliance includes a so-called SD-WAN ASIC to accelerate functions such as application identification. SD-WAN devices must identify applications as quickly as possible to apply the correct policies regarding link choice.
This ASIC also performs SSL inspection (with support for TLS 1.3), as well as malware filtering.
Fortinet calls this chip the SD-WAN ASIC, but it’s not new. Many Fortinet appliances include two ASICs: one for network processing, and a second for content and security processing. This content ASIC is being re-badged as an SD-WAN chip.
For more on Fortinet’s product architecture and its SD-WAN capabilities, check out the company’s presentations at Networking Field Day 20. The delegates, myself included, made an effort to dig into how Fortinet combines security and SD-WAN capabilities in a single device, and to tease out what real-world performance would look like with multiple security and networking functions active.
In addition to the new appliance, Fortinet also announced FortiOS 6.2, the latest version of its operating system.
New capabilities in 6.2 include Forward Error Correction for voice and video on SD-WAN traffic, link aggregation with packet-based steering, and extended reporting on service-level agreements.
Vendors have taken a variety of approaches to enter the SD-WAN market. You’ve got the pure-play startups such as Viptela (now Cisco), VeloCloud (now VMware) and CloudGenix, among others. These startups helped define the category.
You’ve got WAN accelerators who quickly pivoted into SD-WAN (for example, Silver Peak and Riverbed).
And you’ve got vendors who had some kind of presence at the WAN edge, be it a router, firewall, or other appliance, and added SD-WAN features (in some cases using the most generous definition of SD-WAN).
Fortinet falls into this third category, and I think the company has built a respectable set of SD-WAN capabilities.
As mentioned above, the Networking Field Day crew poked hard at Fortinet’s claims; and as much as you can vet a product without seeing it under real traffic loads, I came away from that session with a better impression of Fortinet as an SD-WAN player than I had going in.
Because there are so many companies in this market, every vendor’s looking for a competitive differentiator. Fortinet clearly sees its ASICs as a way to stand apart—thus the rebranding of the chip.
Most of Fortinet’s SD-WAN competitors run x86 inside the tin, so it makes sense for Fortinet to crow about custom hardware.
Which means that competitors will crow about the price tag on those ASICs, and genuflect to Moore’s Law, and talk up enhancements such as DPDK and other tweaks that can wring more performance out of commodity processors.
Those are valid counterpoints, though I do see two trends that may tilt in Fortinet’s favor.
First, these WAN edge appliances are asked to do all kinds of things: split traffic across multiple links; offer firewall, IPS, malware detection, content filtering, and other security services; build network meshes among branches; and even manage branch switches and wireless APs. As you load more functions onto the box, you need more processing power.
Second, these boxes are going to have to contend with more and more encrypted traffic, especially going to and from SaaS and IaaS applications. If you want to apply SD-WAN policies and perform security inspections, you need to decrypt and re-encrypt, and you have to do it fast.
Those two trends give Fortinet a nice hook on which to hang its ASICs.