
Can Cisco Firewalls also function as SD-WAN? The Answer is Yes.

Sep 12, 2023, Hi-network.com



As most people know, Cisco offers two types of SD-WAN solutions. One is the Viptela SD-WAN professional solution made for telecom operators and medium to large-sized businesses. The other is the Meraki SD-WAN solution designed for general enterprise customers. However, there are still some users who need an SD-WAN solution that can provide advanced security features at the WAN boundary and SD-WAN routing policies, all manageable and deployable locally. This article aims to explore exactly that.


SD-WAN works by automating the creation of overlay channels, with a controller centrally managing the on-demand forwarding of business traffic through them. This provides monitoring, reliability, security, and quality of service across the wide area network. An SD-WAN solution therefore has three main elements: building overlay channels, routing and service backup strategies, and global unified management and control. These are the basic elements of a wide area network. As an edge device, it also needs excellent security capabilities.


Next-Generation Firewalls (NGFW) support building overlay topologies from VTIs (Virtual Tunnel Interfaces), managed centrally through FMC (Firepower Management Center). Supported topologies include P2P, Hub-Spoke, Full Mesh, and more, to meet various business requirements. These overlay tunnels can have multiple optional forwarding paths, and the underlay of a tunnel can be the Internet, dedicated lines, or a combination of both, so different paths differ in bandwidth, latency, jitter, and other attributes. The data transmitted within the tunnel is always encrypted, ensuring overall communication security regardless of the physical lines used.


NGFW also supports policy-based routing driven by path monitoring. This lets users forward specific traffic according to routing principles. These principles can be based on interface priority, link RTT (Round-Trip Time), jitter, or packet loss statistics, and preferred and backup paths can also be defined manually. Note that this path-monitoring-based policy routing can be used for both overlay path selection and physical paths. For users who rely on dedicated lines for their wide area networks, designing routing principles around physical paths may be preferable.
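
A simplified model of the path selection described above, as an added example that is not Cisco's implementation or code from the original article. The `Path` fields, the `select_path` function, the sample links, and the convention that a lower priority value wins are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Path:
    name: str                          # egress interface: physical link or VTI overlay
    priority: int                      # assumption: lower value is preferred
    up: bool = True                    # link/tunnel state reported by monitoring
    rtt_ms: Optional[float] = None     # None means no monitoring sample yet
    jitter_ms: Optional[float] = None
    loss_pct: Optional[float] = None

METRICS = ("priority", "rtt_ms", "jitter_ms", "loss_pct")

def select_path(paths, metric="priority", order=None):
    """Pick the egress path for one traffic class; None if nothing is usable."""
    usable = [p for p in paths if p.up]
    if order:                          # manually defined preferred/backup list
        by_name = {p.name: p for p in usable}
        return next((by_name[n] for n in order if n in by_name), None)
    if metric not in METRICS:
        raise ValueError(f"unknown metric: {metric}")
    measured = [p for p in usable if getattr(p, metric) is not None]
    if not measured:                   # no samples at all: fall back to priority
        measured, metric = usable, "priority"
    # Ties on the metric are broken by priority, then name, for stable results.
    return min(measured, key=lambda p: (getattr(p, metric), p.priority, p.name),
               default=None)

def sample_paths():
    """Constructed sample data: two overlays and one dedicated line."""
    return [
        Path("internet-vti", priority=10, rtt_ms=48.0, jitter_ms=6.0, loss_pct=0.5),
        Path("mpls", priority=20, rtt_ms=22.0, jitter_ms=1.0, loss_pct=0.0),
        Path("lte-vti", priority=30),  # up, but not yet measured
    ]

if __name__ == "__main__":
    links = sample_paths()
    for m in METRICS:
        print(m, "->", select_path(links, metric=m).name)
    links[1].up = False                # dedicated line fails
    print("rtt_ms after mpls down ->", select_path(links, metric="rtt_ms").name)
    print("manual order ->", select_path(links, order=["mpls", "lte-vti"]).name)
```

A path with no monitoring samples is skipped while any measured path is available, and a selection that returns `None` means every candidate is down, which the caller has to handle explicitly.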


FMC serves as a unified configuration and deployment tool for the entire NGFW network. It also offers monitoring, management, and troubleshooting capabilities. The graphical interface of FMC provides an easy-to-understand display of link and overlay status, as well as related statistics. It also includes embedded tools for debugging and troubleshooting.


In an SD-WAN deployment, NGFW retains its professional security features and HA (High Availability) deployment capabilities. Key security features such as application identification and control, IPS (Intrusion Prevention System), AMP (Advanced Malware Protection), DNS, and even SASE (Secure Access Service Edge) remain important for users who prioritize border security, cloud security, and data security.


Of course, compared to Cisco's specialized Viptela SD-WAN solution, the NGFW-based SD-WAN deployment may lack advanced link assurance and control management. However, it still has practical value for the many wide area network users who have simple environments, need border security from a professional firewall, and do not want to purchase additional routers for SD-WAN functionality.

