Securing and Connecting Enterprise Networks with Fortinet SD-WAN and Cloud Integration
I’ve been sitting, staring at a glowing screen with my third coffee in hand — that perfect jittery buzz where clarity kinda meets caffeine overload. After nearly 30 years in networking and security — beginning as a lowly network admin in 1993 wrestling with PSTN multiplexers and pining for the days before the Slammer worm decimated the internet — I continue to be amazed that cloud brought together with SD-WAN has radically changed the way we secure and connect enterprise networks.
Join me, and let me share some hard-fought lessons and practical experiences as I’ve worked with our customers (mostly banks — they have great reason to be paranoid) to onboard the major cloud providers such as AWS and Azure into Fortinet SD-WAN environments.
Cloud Connectivity Needs
First of all, understanding what you need in terms of cloud connectivity is not a box to check. It’s mission critical. Remember treating network links as though they were a delicate soufflé — make the wrong fold and the entire thing caves in? Cloud workloads are that same soufflé, with turbo-boosters for good measure:
- Multi-cloud environments are the rule
- Traffic patterns are unpredictable
- Security visibility becomes murky very quickly
Here’s the tricky part — when you don’t map your cloud-hosted apps and workloads in detail, you’re flying blind. I’ve seen cloud paths that have the misfortune to transit legacy MPLS links, resulting in latency and security complications. Not ideal.
As we work with our customers at PJ Networks, we produce a detailed cloud workload map. Which apps run where? What dependencies exist? This is the blueprint for SD-WAN integration: it is what makes traffic go where it should — and securely.
SD-WAN Direct Cloud
Fortinet’s SD-WAN has evolved beyond simply routing packets between branch offices. Its native cloud functionality allows your branches to connect directly to clouds (think AWS, Azure, Google Cloud), with no more unnecessary hairpinning.
But — and it’s a big but — this direct connectivity requires care. Just opening air-routes to the cloud is super exciting, but here’s what can go wrong:
- Misconfigured tunnels that let traffic leak outside them
- Disregarding native cloud security controls
- Bandwidth spikes upsetting QoS
We provision secure tunnels directly from your SD-WAN edge to cloud destinations. Built-in VPN and orchestrated tunnels in Fortinet help us keep fine-grained control of routing — and visibility.
Just recently I helped three banks make zero-trust architectures a reality using this approach. We spun up direct encrypted tunnels that ripped through the hub-and-spoke MPLS model—all traffic to the cloud went direct—slashing latency drastically. Banks cheered; the gauges on their monitoring dashboards blinked green as though the speedometer of a finely tuned car had reached the accelerator’s sweet spot.
Branch-to-Cloud Paths
Here’s a pet peeve of mine: a lot of people think of branch-to-cloud as this magic pipe that you can plug into and it goes on forever. Spoiler alert — it’s more like tuning an old V8: you gotta align the timing, fuel mixture, and yeah, everything matters.
Branch-to-cloud connectivity needs constant attention:
- Path selection: SD-WAN determines the optimal path—WAN link, LTE backup or even broadband—based on real-time measurements
- Latency and jitter measurement: Essential for VoIP and video
- Failover setups: No one likes to be down, least of all the banks
I normally set up monitoring that continuously checks link health and dynamically reroutes traffic if latency or packet loss exceeds certain thresholds. And a combination of private and public connections delivers enormous freedom without sacrificing safety.
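The threshold-based path selection and failover just described, as an added example that is not code from this post or from Fortinet: a small Python model in which each WAN member is probed for latency, jitter and loss, stays selected only while it meets a configured SLA, and otherwise hands traffic to the best in-SLA member. The member names, SLA thresholds and probe results are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Sla:  # constructed thresholds; a member is usable only while it meets all three
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

@dataclass(frozen=True)
class Probe:  # one health-check result for one WAN member ("mpls", "broadband", "lte")
    member: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float

def in_sla(p: Probe, sla: Sla) -> bool:
    return (p.latency_ms <= sla.max_latency_ms
            and p.jitter_ms <= sla.max_jitter_ms
            and p.loss_pct <= sla.max_loss_pct)

def select_path(current: Optional[str], probes: List[Probe], sla: Sla) -> Optional[str]:
    """Pick the member for the next interval. Sticky: keep the current member
    while it meets SLA so healthy links never flap; otherwise fail over to the
    lowest-latency in-SLA member, or, if none meets SLA, to the least-lossy one."""
    by_name = {p.member: p for p in probes}
    if current in by_name and in_sla(by_name[current], sla):
        return current
    ok = [p for p in probes if in_sla(p, sla)]
    if ok:
        return min(ok, key=lambda p: p.latency_ms).member
    if probes:
        return min(probes, key=lambda p: (p.loss_pct, p.latency_ms)).member
    return None

def run(intervals: List[List[Probe]], sla: Sla, start: Optional[str] = None) -> List[str]:
    """Replay probe intervals and return the member chosen for each."""
    path, chosen = start, []
    for probes in intervals:
        path = select_path(path, probes, sla)
        chosen.append(path)
    return chosen

# Constructed probes for three intervals against a voice-class SLA: broadband
# jitter spikes in interval 2, then MPLS latency and loss blow up in interval 3.
VOICE_SLA = Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
SAMPLE = [
    [Probe("mpls", 40, 5, 0.0), Probe("broadband", 25, 8, 0.2), Probe("lte", 90, 20, 0.5)],
    [Probe("mpls", 45, 6, 0.0), Probe("broadband", 30, 40, 0.1), Probe("lte", 95, 18, 0.4)],
    [Probe("mpls", 210, 9, 3.0), Probe("broadband", 28, 7, 0.3), Probe("lte", 92, 21, 0.6)],
]
```

run(SAMPLE, VOICE_SLA) returns ['broadband', 'mpls', 'broadband']: the jitter spike pushes voice off broadband, and the MPLS degradation pushes it back.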
Security Policies
OK, now for the meat of the matter: security policies. If you believe zero-trust is a buzzword, you didn’t survive malware outbreaks like I did — the Slammer worm was a reminder that perimeter defenses are great and all, but it’s a fairy tale to think that’s all we need.
Be uncompromising: securing Fortinet SD-WAN means establishing and enforcing security policies for cloud-bound traffic with nothing less than state-of-the-art controls:
- Micro-segmentation: contain workloads, and don’t let a breach in one part of your cloud blow up the whole thing
- Integration with FortiGate firewalls: for scanning and threat detection
- Unified policy across cloud and branch: no shadow-IT caves
There was this one strategic engagement — it was a rather challenging prospect who believed they could just rely on their cloud provider’s security capabilities, to the extent that they weren’t getting alerts. Nope. We front-ended all our instances with Fortinet’s UTM and sandboxing so that we could catch zero-days before they’d even come close to touching our instances. Trust me — situations where customers rely on the default settings of cloud providers are akin to leaving the door of your car unlocked because it is in a ‘safe’ neighborhood.
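The unified, default-deny policy and the micro-segmentation rules above, as an added example that is neither this post’s nor Fortinet’s code: one rule table evaluated by segment rather than by enforcement point, so the branch edge and the cloud edge apply identical logic, plus a lint pass that flags accept rules which quietly undo segmentation. The segment names, prefixes and rules are a constructed workload map.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:  # an explicit accept; anything not matched by a rule is denied
    name: str
    src_seg: str            # source segment name, or "any"
    dst_seg: str            # destination segment name, or "any"
    ports: Tuple[int, ...]  # allowed TCP ports; empty tuple means any port

# Constructed workload map: segment -> prefixes, covering branch and cloud alike,
# so one rule table can be enforced at the FortiGate edge and in front of workloads.
SEGMENTS = {
    "branch-users": [ip_network("10.10.0.0/16")],
    "aws-core-banking": [ip_network("10.200.1.0/24")],
    "aws-analytics": [ip_network("10.200.2.0/24")],
}

def segment_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    for name, prefixes in SEGMENTS.items():
        if any(ip in p for p in prefixes):
            return name
    return None  # unmapped address: only "any" rules can ever match it

def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """First-match evaluation with an implicit deny when nothing matches."""
    s, d = segment_of(src), segment_of(dst)
    for r in rules:
        if r.src_seg not in ("any", s) or r.dst_seg not in ("any", d):
            continue
        if r.ports and port not in r.ports:
            continue
        return "accept", r.name
    return "deny", "implicit-deny"

def lint(rules: List[Rule]) -> List[str]:
    """Flag accept rules that undo micro-segmentation."""
    findings = []
    for r in rules:
        if r.src_seg == "any" and r.dst_seg == "any":
            findings.append(f"{r.name}: any-to-any accept")
        elif not r.ports and r.src_seg != r.dst_seg:
            findings.append(f"{r.name}: cross-segment accept on all ports")
    return findings

# Constructed policy; the second rule is the "trusted cloud segment" shortcut lint catches.
POLICY = [
    Rule("users-to-banking-https", "branch-users", "aws-core-banking", (443,)),
    Rule("analytics-to-banking", "aws-analytics", "aws-core-banking", ()),
]
```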
Testing
Testing is where most people get it wrong. You can’t just flip a switch and be done with it. Once you have incorporated the cloud into the Fortinet SD-WAN mix, robust validation is key.
We do:
- Branch and cloud endpoint penetration testing
- Performance comparison with synthetic traffic patterns
- Failover tests for link / tunnel down
One anecdote: when we upgraded a bank, we found that some tunnels were spuriously dropping packets under load. Snagging that early prevented the client from possibly running into compliance problems. I swear, testing is just like pre-race tuning: small changes can mean the difference between a smooth run and a blown gasket.
PJ Networks Integration
This is where my team and I shine. Here at PJ Networks, we are about more than simply fitting technology. We do the hard work of integrating and validating each piece so it fits your specific ecosystem:
- Proper workload mapping so the direct cloud tunnels are both performant and secure
- Configuring Fortinet SD-WAN orchestration for dynamic routing management
- Building security layers that support a zero-trust model
- Continuous monitoring and optimization: the network is a living thing and requires patience
And we use Fortinet’s management consoles for centralized visibility into performance and threat intelligence. You want real alerts, not noise.
Quick Take
- Integrating cloud with SD-WAN can be a real challenge
- Map your cloud resources before establishing connections
- Take advantage of Fortinet’s direct cloud capabilities for improved routing and lower latency
- Enforce micro-segmentation and zero-trust security policies with zero tolerance
- Test, test, test before you go live
- PJ Networks provides end-to-end integration and oversight to catch problems sooner
Before I go, a little rant — password policies. If you are forcing users to change complex passwords every 30 days and not coupling that with multi-factor authentication, monitoring, and so on—you’re pissing your users and your helpdesk off. Security isn’t just a checklist. It’s a lifestyle. And the shiny AI-powered security buzzwords that are supposed to let me stop worrying without understanding what’s under the hood?
Anyhow, if you’re ready to have your cloud-onboarding secured under the structure of Fortinet SD-WAN — you know what to do. I’ve been around the block enough to know when a network’s about to go down the tubes, and how to get it back on the road faster than you can say oops.
Still feeling a little high from DefCon’s hardware hacking village — but that’s a story for another cup of coffee.
Sanjay Seth
Cybersecurity Consultant at PJ Networks Pvt Ltd