A deep dive into Fortinet's SASE platform
Despite its strong security foundation, Fortinet's SASE platform lacks a cloud-native strategy and requires teams to stitch the architecture together.
Editor's note: This article is part two in a series that looks at SASE vendors and their platforms. These vendors were chosen regardless of size or ranking. Instead, they were selected based on enterprise interest and competitive bids that our expert has encountered while consulting customers.
As larger and more significant cyber attacks spread worldwide, many businesses require a strong security architecture for their enterprise networks. Fortinet is at the forefront of providing security-driven networking products.
The company is known for its Fortinet Security Fabric, an architecture of integrated security products that span the broad digital attack surface and lifecycle. At the center of Security Fabric is the FortiOS operating system, which enables a range of plugin products that help customers meet their specific networking and security needs. The FortiGate next-generation firewall anchors Security Fabric.
This plugin strategy is how Fortinet delivers what it calls its Secure Access Service Edge offering, FortiSASE. While FortiSASE may make for a comprehensive software-defined WAN (SD-WAN), it's a tough fit for carrying the SASE banner.
How Gartner defines SASE
To better understand Fortinet's SASE strategy, customers should first understand SASE, which converges network and security point services into a unified, global cloud-native service. It is an architectural transformation of enterprise networking and security that enables IT to provide a holistic and adaptable service to the digital business.
Attempting to fix emerging business challenges with point services has led to technical silos that are complex and costly to own and manage. Complexity slows down IT and its response to business needs. SASE changes this paradigm through a networking and security platform that is identity-driven, cloud-native, globally distributed and securely connected for all edges, including WAN, cloud, mobile and IoT.
To meet Gartner's criteria, a SASE platform must have the following attributes:
- built on a cloud-native and cloud-based architecture;
- distributed globally across many points of presence (PoPs); and
- supports all edges, including locations, users, clouds and applications.
While we at SD-WAN Experts recognize vendors may take time to implement SASE, we also believe some concrete indication of security and networking convergence in the cloud is necessary for a platform to be considered SASE.
Fortinet's SASE approach: Extend the security fabric
Since 2019, when Gartner proclaimed SASE as the future of networking and security, many vendors have staked their position in the race. Fortinet has been one of them by introducing its FortiSASE architecture.
On its website, Fortinet indicates how it approaches SASE. Here's a key excerpt:
Rather than an isolated, cloud-only approach, FortiSASE offers SASE services as an extension of the Fortinet Security Fabric to extend and leverage the power of FortiOS -- the common operating system that ties the entire portfolio of Fortinet security solutions -- everywhere.
In other words, Fortinet is taking all the hardware and software it developed over the past 21 years and assembling those parts and pieces into a SASE model, while downplaying a cloud approach. This approach contrasts with what Gartner prescribes for cloud-delivered SASE.
Building a Fortinet architecture one piece at a time
To deploy a Fortinet architecture, businesses start with connectivity. Network teams deploy physical or virtual FortiGate appliances in the enterprise data center (FortiGate 2500E), cloud data center (FortiGate-VM) and branch offices (FortiGate 60E). The FortiGate SD-WAN features are the prime building blocks for SD-WAN. Next, teams deploy FortiClient on remote users' devices to bring them onto the network.
Fortinet doesn't have a product for global connectivity. The WAN only works in a regional use case and doesn't offer SaaS optimization.
Teams should then configure quality of service to make sure applications get the right priority across the network. They will need to buy another Fortinet product, SD-WAN Orchestrator, to view the SD-WAN as a virtual overlay across hubs, spokes and virtual networks and to build full mesh networks for different applications. Otherwise, teams must manage the different SD-WAN tunnels one by one per appliance.
SD-WAN Orchestrator looks at the network as a whole, but it has limitations. For example, it assigns complex object names -- i.e., AAAAA, AAAAB and AAAAC -- to VPN tunnels and other related configuration items. This naming convention makes it difficult for engineers to relate the object name to a physical site, which complicates manual troubleshooting.
Security and management
As for security, Fortinet does offer convergence. The FortiGate appliances provide advanced security, but they need to be configured in all locations, preferably using FortiManager. Without cloud-based security for remote FortiClient users, teams would need to backhaul traffic through the physical appliance in the data center or the virtual appliance in the cloud data center, which act as VPN concentrators so that traffic passes through the security stack.
To manage remote FortiClient users, teams will need to install the Enterprise Management Server software on premises and partially in the demilitarized zone to enable communication with the remote FortiClient agents on the internet.
Additional Fortinet products help with appliance management. FortiManager helps manage everything on the network to push policies and configurations to the appliances in an effective manner. It also establishes overlay VPN tunnels and SD-WAN policies that get pushed to the FortiGate appliances. FortiManager doesn't include analysis capabilities, so another product, FortiAnalyzer, provides network analytics.
FortiSIEM is required to aggregate all logs and normalize the information in a single place. If teams want to add multifactor authentication to their Fortinet environment, they'll need FortiAuthenticator to act as middleware for all Fortinet components. FortiDeploy helps teams with zero-touch deployment.
Running the network
Once teams have installed this patchwork of products to connect and secure the network, it's time to run it. If teams want to guarantee high availability, they'll need to double the appliances everywhere to ensure automatic failover. Not only is this approach expensive, but it's also difficult to manage. The network complexity will require companies to have IT staff everywhere they've deployed the IT stack.
Where SASE fits in
In July 2020, Fortinet acquired Opaq Networks and said the acquisition would be key to Fortinet's entry into the competitive SASE space. That vision hasn't panned out. Instead, Fortinet's current SASE approach is its traditional FortiGate-FortiManager-FortiClient story.
The main cloud part of FortiSASE is Secure Internet Access (SIA), which is used with FortiClient or a thin edge called FortiExtender. These products don't support FortiOS integration yet. For SIA, Fortinet currently has one PoP, with four planned by the end of 2021.
FortiSASE doesn't satisfy the technical definition of SASE, but it's a stake in the ground with more to come later. In my experience, Fortinet tells customers that "SASE is a journey."
The strong part of Fortinet's offering is Security Fabric. It has a strong feature set and was named one of three leaders in the "2020 Gartner Magic Quadrant for Network Firewalls." According to Gartner, "Fortinet firewalls are leaders in integrated SD-WAN capabilities with advanced networking, making them top candidates for firewall-appliance-based distributed office use cases."
In terms of a true SASE platform, Fortinet barely has one. Fortinet expected the Opaq acquisition to help, but the integration with Fortinet's strategy proved difficult to achieve.
Fortinet's current SASE offering doesn't include any cloud-native components. It doesn't have a private global backbone or an easy way to connect and optimize SaaS applications. In short, Fortinet's SASE option is a secure SD-WAN with new marketing.
Teams may be drawn initially to Fortinet for the low entry price, but every add-on capability drives up both complexity and price. Fortinet's approach is still appliance-centric and lacks a cloud strategy. If companies already have a Fortinet infrastructure, it is worth consideration as a secure SD-WAN but not SASE.
Gartner emphasizes that a service delivery model based exclusively on on-premises boxes is unable to meet the requirements of an increasingly mobile workforce and latency-sensitive applications. While Fortinet has an impressive list of individual capabilities, serving those capabilities from the cloud edge is fundamental to SASE.