Optimizing Traffic Load Balancing and Network Security with NGFW SD-WAN Configuration

NGFW May 19, 2023

Optimizing the SD-WAN configuration on NGFW devices is crucial for balancing traffic across multiple upstream network service providers. This solution helps improve internet usage efficiency, maintain network stability, and protect user data and sensitive information. Our primary focus is to avoid overloading a single ISP, which could disrupt network performance, and to ensure the security of the data we handle.

After a thorough evaluation, we have chosen SD-WAN on NGFW devices as the solution for ISP load balancing. SD-WAN enables intelligent management of network traffic through multiple internet connections from different ISPs. The NGFW device functions as an advanced firewall to protect the network from security threats.

With this solution, we can optimize internet usage, maintain network stability, and protect network security.

What is NGFW?

NGFW is a more advanced firewall than conventional firewalls because it has the ability to inspect layer 7 of the OSI model. With this capability, NGFW can identify and block more complex attacks, such as application-based attacks and threats that disguise themselves as legitimate network traffic. In addition, NGFW can also integrate with other security technologies such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Sandboxing, providing an additional layer of security to protect the network from more sophisticated attacks.

In this context, an NGFW integrated with SD-WAN solutions will provide better network security and more optimal bandwidth utilization efficiency. By combining the security features of NGFW and the traffic load balancing and optimization capabilities of SD-WAN, organizations can improve their overall network security and performance.

Why is the SD-WAN solution on NGFW devices the choice for us to solve ISP load balancing problems?

  • More optimal load balancing: The SD-WAN solution on NGFW devices can optimize internet connection usage by intelligently and evenly distributing traffic load among the available internet connections. This can improve network performance and prevent overutilization that can cause network disruptions.
  • Better connection redundancy: In the event of a failure in one or more internet connections, the SD-WAN solution on NGFW devices can automatically switch to the remaining internet connections to maintain network availability and avoid downtime.
  • Higher security: The SD-WAN solution on NGFW devices has advanced security features that can protect networks from cyber attacks and other security threats. NGFW can monitor and analyze network traffic comprehensively, and with Deep Packet Inspection (DPI) capability, NGFW devices can identify and block network security attacks before they reach endpoints.
  • Easier management: The SD-WAN solution on NGFW devices has a user-friendly and easily managed interface, making it easier for network administrators to configure and monitor networks.

Introducing NGFW SD-WAN Configuration

NGFW SD-WAN configuration is a solution that can be used to facilitate load balancing on ISP internet connections. In this configuration, the NGFW device (Next-Generation Firewall) is equipped with SD-WAN technology that allows for automatic and efficient traffic management on the network. By using this configuration, we can prioritize and distribute traffic on networks connected to multiple ISPs evenly, avoiding overload on one ISP.

Some key features that make NGFW SD-WAN the superior choice for ISP load balancing are its ability to manage traffic automatically, monitor network performance in real-time, and prioritize important traffic. In addition, NGFW SD-WAN is also equipped with high security features such as firewall and data encryption to protect the network from attacks.

High Level Network Topology


NGFW SD-WAN Configuration Guide

Here are the steps to configure an NGFW SD-WAN for ISP load balancing:

1.  Create SD-WAN Interface

  • In the FortiGate Web Interface, go to Network > Interfaces.
  • Click Create New > Interface.
  • Select the SD-WAN interface type and click Next.
  • Give the interface a name, select Virtual WAN Link, and configure the IP address.
  • Add all the ISP connections that will be used on the SD-WAN interface.
SD-WAN Interfaces

2.  Create SD-WAN Members

  • In the Network > SD-WAN > Members menu, click Create New.
  • Enter the member name and configure the settings as needed (e.g. select the appropriate interface, set static routes, etc.).
SD-WAN Zones

3.  Configure SD-WAN Rule

  • In the Network > SD-WAN > Rules menu, click Create New.
  • Configure the rule name and select the SD-WAN interface that was created.
  • Select the desired load balancing algorithm (e.g. round-robin, spillover, etc.).
  • Add all the SD-WAN members that were created to the rule.
SD-WAN Rules
Load Balancing Algorithm

4.  Configure Firewall Policies

  • In the Policy & Objects > IPv4 Policy menu, create firewall policies to allow internet access.
  • Select the appropriate source and destination addresses, and select the SD-WAN interface that was created.
  • Configure the desired action (e.g. allow, deny, etc.) and save the configuration.
Firewall Policies - SD-WAN Zones

5.  Configure Security Profile

  • In the Security Profiles menu, click Create New to create a new security profile.
  • Select the desired security profile type, such as Antivirus or IPS.
  • Configure the settings on the selected security profile, such as selecting signatures for IPS or configuring scanning options for Antivirus.
  • In the Policy & Objects > IPv4 Policy menu, create firewall policies to apply the security profile to traffic passing through the SD-WAN interface.
  • Select the appropriate source and destination addresses, select the SD-WAN interface that was created, and set the action to "Inspection."
  • Select the security profile that was created in the Security Profiles option.
  • Save the configuration and ensure that the firewall policies are active.
Security Profile - SD-WAN Zones

With SD-WAN configuration on NGFW, ISP connection load balancing can be set up and automatically managed to ensure optimal bandwidth utilization and prevent network disruptions. In addition, the SD-WAN solution has advanced security features to protect the network from cyber attacks and other security threats. This configuration can be customized to the user's needs and preferences, such as adding more SD-WAN members or changing the load balancing algorithm.
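
A defender's check for steps 4 and 5, as an added example that is not part of the original post or of any vendor tooling: this Python script parses the firewall policy section of a configuration backup and reports accept policies towards the SD-WAN zone that have no inspection profiles attached. The sample configuration, the zone name sdwan-zone, the policy and profile names, and the required-profile baseline are assumptions constructed for illustration.

```python
import re
import shlex
# Constructed sample in FortiOS backup syntax; zone, policy and profile names are made up.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "lan-to-internet"
        set dstintf "sdwan-zone"
        set action accept
        set utm-status enable
        set av-profile "corp-av"
        set ips-sensor "corp-ips"
    next
    edit 2
        set name "guest-to-internet"
        set dstintf "dmz" "sdwan-zone"
        set action accept
        set utm-status enable
        set av-profile "corp-av"
    next
    edit 3
        set dstintf "dmz"
        set action accept
    next
end
"""
REQUIRED = ("utm-status", "av-profile", "ips-sensor")  # assumed baseline for this example

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} from the 'config firewall policy' section."""
    section = re.search(r"^config firewall policy\n(.*?)^end", text, re.S | re.M)
    policies = {}
    for pid, body in re.findall(r"^[ \t]*edit (\d+)\n(.*?)^[ \t]*next",
                                section.group(1) if section else "", re.S | re.M):
        sets = re.findall(r"^[ \t]*set (\S+) (.+)$", body, re.M)
        policies[int(pid)] = {key: shlex.split(val) for key, val in sets}
    return policies

def audit(text, sdwan_zone):
    """Return (id, name, missing settings) for accept policies into the zone without inspection."""
    findings = []
    for pid, p in sorted(parse_policies(text).items()):
        to_zone = sdwan_zone in p.get("dstintf", []) and p.get("action") == ["accept"]
        missing = [k for k in REQUIRED if k not in p or p[k] == ["disable"]]
        if to_zone and missing:
            findings.append((pid, p["name"][0] if "name" in p else "", missing))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "sdwan-zone"))
```

Policy 2 is reported because it allows traffic into the zone with antivirus but no IPS sensor; policy 3 is ignored because it does not egress through the SD-WAN zone.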

Best Practices for NGFW SD-WAN Configuration

There are some tips and best practices for configuring NGFW SD-WAN for ISP load balancing:

  • Prioritize the most stable and fastest connections. To ensure the best connection, prioritize connections with better speed and stability than other connections.
  • Use the right load balancing algorithm. There are various types of load balancing algorithms, such as round-robin, weighted round-robin, least connections, and weighted least connections. Choose the algorithm that best suits your business needs.
  • Set maximum bandwidth limits. Determine maximum bandwidth limits for each WAN connection, especially to avoid unbalanced usage.
  • Use Quality of Service (QoS) features. Use QoS features to prioritize traffic based on application type and business needs, such as allocating more bandwidth for critical applications.
  • Perform regular testing and monitoring. Perform regular testing and monitoring to ensure that your configuration is working properly and providing optimal connections.
  • Choose an SD-WAN solution with adequate security features. Make sure the SD-WAN solution you choose has adequate security features, such as firewall, VPN, and protection against DDoS attacks.
  • Consider using multiple NGFW SD-WANs. If your business requires highly critical internet connections and needs high-level security, consider using multiple NGFW SD-WANs so that connections can be redundant and there is a backup if the main connection fails.

By following these tips and best practices, you can ensure that your NGFW SD-WAN settings for ISP load balancing are optimized for your business needs and provide the best possible internet connection.

Challenges Faced and Solutions in Simplifying ISP Load Balancing with NGFW SD-WAN

There are several challenges in simplifying ISP load balancing with NGFW SD-WAN, including configuration complexity, availability of internet connection devices, and security. However, we have identified solutions to overcome these challenges and ensure a smooth and secure user experience:

  • Configuration Complexity: We collaborated internally with our team to ensure a comprehensive understanding of NGFW SD-WAN configuration requirements, including performing several rounds of testing and fallback. With thorough planning and intensive collaboration, we can simplify the configuration process and optimize traffic distribution across different ISPs.
  • Availability of Internet Connection Devices: We engaged closely with ISPs to ensure the availability of internet connection devices with sufficient capacity and included this as part of agreed metrics. Our goal is to reach agreements that meet our configuration needs and maintain a seamless configuration process and optimal user experience.
  • Security: When adopting SD-WAN solutions, security remains a top priority. We conduct thorough evaluations of the security features offered by NGFW SD-WAN solutions and select robust solutions to protect the network from cyber attacks and other security threats. Implementing advanced security measures such as encryption, authentication protocols, and Intrusion Prevention Systems will be our primary focus to safeguard the network and sensitive user data.

Conclusion

NGFW is a more advanced firewall compared to conventional firewalls, as it has the ability to inspect layer 7 of the OSI model. In this context, an NGFW integrated with an SD-WAN solution will provide better network security and more efficient bandwidth utilization. SD-WAN solutions on NGFW devices can optimize internet usage by intelligently and evenly distributing traffic load among multiple available internet connections, improving network performance and preventing overutilization that can cause network disruptions. Additionally, this solution can automatically switch to available internet connections to maintain network availability and avoid downtime. SD-WAN solutions on NGFW devices have advanced security features that can protect networks from cyber attacks and other security threats. NGFW SD-WAN configurations are a solution that can be used to facilitate load balancing on ISP internet connections by prioritizing traffic on networks connected to multiple ISPs to distribute it evenly and avoid overloading any one ISP.

Join us

Scalability, reliability and maintainability are the three pillars that govern what we build at Halodoc Tech. We are actively looking for engineers at all levels, and if solving hard problems with challenging requirements is your forte, please reach out to us with your resumé at careers.india@halodoc.com.

About Halodoc

Halodoc is the number 1 all-around Healthcare application in Indonesia. Our mission is to simplify and bring quality healthcare across Indonesia, from Sabang to Merauke.

We connect 20,000+ doctors with patients in need through our Tele-consultation service. We partner with 1500+ pharmacies in 50 cities to bring medicine to your doorstep. We've also partnered with Indonesia's largest lab provider to provide lab home services, and to top it off we have recently launched a premium appointment service that partners with 500+ hospitals that allows patients to book a doctor appointment inside our application.

We are extremely fortunate to be trusted by our investors, such as the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, Gojek, and many more. We recently closed our Series B round and in total have raised USD$100 million for our mission.