
Fortinet SD-WAN: Why We Chose FortiGate for Our Managed Service

Luke Bradley

Tags: SD-WAN, Fortinet, FortiGate, managed SD-WAN, security

Why Does the SD-WAN Platform Choice Matter?

Not all SD-WAN solutions are created equal. The platform your provider deploys determines everything from security posture to management capability to long-term scalability. Some SD-WAN vendors focus purely on connectivity and overlay networking. Others bolt on third-party security as an afterthought. A smaller number integrate networking and security natively in a single platform.

When PCONNECT evaluated SD-WAN platforms for our managed service, we assessed every major vendor in the market — Fortinet, Cisco Viptela, VMware VeloCloud, Palo Alto Prisma, and several others. We chose Fortinet FortiGate. This post explains why.

What Sets Fortinet Apart in the SD-WAN Market?

Fortinet has been named a Leader in the Gartner Magic Quadrant for SD-WAN for four consecutive years (2021-2024). But industry analyst rankings only tell part of the story. What matters to us — and to our customers — is how the platform performs in real Australian deployments.

Security-first architecture

Most SD-WAN vendors started as networking companies and added security later. Fortinet took the opposite approach. FortiGate began as a next-generation firewall — one of the most widely deployed firewalls globally, with over 750,000 units shipped — and added SD-WAN functionality to the same platform.

This distinction matters because the security features are not bolted on. They run natively on the same hardware, processed by the same custom ASIC (Fortinet's Security Processing Unit, or SPU), and managed through the same policy framework. There is no performance penalty for enabling firewall inspection on SD-WAN traffic, because the hardware was designed to do both simultaneously.

In practical terms, a FortiGate 100F can deliver 20 Gbps of firewall throughput and 2 Gbps of threat protection (IPS, antivirus, application control) concurrently with SD-WAN traffic steering. This means enabling full security inspection does not create a bottleneck — a common problem with software-only SD-WAN platforms that rely on general-purpose CPUs.

Integrated security stack

Every FortiGate appliance includes, at no additional hardware cost:

  • Next-generation firewall (NGFW) — stateful inspection, application control, user identity awareness
  • Intrusion Prevention System (IPS) — signature and anomaly-based detection for known and emerging threats
  • Antivirus and anti-malware — inline scanning powered by FortiGuard threat intelligence
  • Web filtering — URL categorisation and blocking across 78 categories
  • SSL/TLS inspection — decryption and inspection of encrypted traffic (critical given that over 95% of web traffic is now encrypted)
  • DNS filtering — blocking malicious domains before connections are established
  • Zero Trust Network Access (ZTNA) — application-level access control based on user identity and device posture

With most competing SD-WAN platforms, achieving equivalent security requires deploying separate firewall appliances, subscribing to additional cloud security services, or accepting gaps in visibility. With FortiGate, the full security stack runs on the same device that provides SD-WAN connectivity.

How Does FortiGate Handle SD-WAN Traffic Steering?

SD-WAN traffic steering is the core function that determines how well the platform performs in production. FortiGate uses a sophisticated approach that goes well beyond simple link failover.

Real-time path monitoring

FortiGate continuously measures latency, jitter, and packet loss on every configured WAN link using active probing (ICMP, HTTP, or TCP probes to configurable targets). These measurements are taken every 500 milliseconds by default and feed directly into the traffic steering engine.

When a link's performance degrades below configured thresholds — say, latency exceeds 100ms or packet loss exceeds 1% — FortiGate automatically shifts affected traffic to a better-performing link. This failover happens in under one second, which is fast enough to maintain active voice calls without noticeable disruption.

Application-aware routing

FortiGate identifies over 3,000 applications natively using deep packet inspection. Traffic steering rules can be defined per application or application category. Common configurations include:

  • Voice and video (Teams, Zoom, Webex): Route via the link with the lowest latency and jitter. Fail over immediately if quality degrades.
  • Business-critical SaaS (Salesforce, SAP, cloud ERP): Route via the highest-bandwidth link with direct cloud breakout.
  • Bulk data transfer (backups, replication): Route via the lowest-cost link, tolerating higher latency.
  • General web browsing: Load-balance across all available links.

SLA-based link selection

FortiGate's Performance SLA feature allows administrators to define measurable thresholds for each link and each application class. If a link fails to meet its SLA — for example, if latency exceeds 150ms or jitter exceeds 30ms — traffic is automatically moved to a compliant link. When the original link recovers, traffic is moved back.

This is fundamentally different from simple failover, which only triggers when a link goes completely down. SLA-based steering detects degradation before it causes application problems.
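The path-monitoring, application-aware routing and SLA-based selection sections above describe one decision loop: probe each link, compare the measurements against the SLA for a traffic class, move traffic to a compliant link once a link is out of SLA, and move it back once the link recovers. The simulation below is an added example, not Fortinet's code or FortiOS configuration; it models that loop in plain Python using the figures quoted in the post (150 ms latency, 30 ms jitter, 1% loss, 500 ms probe interval). The link names, the probe values and the "three consecutive probes" hysteresis counters are constructed for the example, not FortiOS defaults; the preference order used when several links meet the SLA stands in for the per-application link priority an administrator would configure.

```python
"""Simulated SLA-based SD-WAN link selection (added example, not FortiOS code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Probe:
    """One active-probe measurement for a WAN link."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class Sla:
    """Per-traffic-class thresholds; a link is compliant only if all three hold."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def met_by(self, p: Probe) -> bool:
        return (p.latency_ms <= self.max_latency_ms
                and p.jitter_ms <= self.max_jitter_ms
                and p.loss_pct <= self.max_loss_pct)


# Voice/video SLA built from the thresholds quoted in the post.
VOICE_SLA = Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
PROBE_INTERVAL_S = 0.5  # the post's default 500 ms probe cadence


class SlaSteering:
    """Tracks SLA state per link with hysteresis and picks the link for one traffic class."""

    def __init__(self, link_order: List[str], sla: Sla,
                 fail_after: int = 3, recover_after: int = 3) -> None:
        self.link_order = link_order          # preference when several links are compliant
        self.sla = sla
        self.fail_after = fail_after          # consecutive bad probes before 'degraded' (assumed)
        self.recover_after = recover_after    # consecutive good probes before 'recovered' (assumed)
        self.in_sla: Dict[str, bool] = {link: True for link in link_order}
        self.streak: Dict[str, int] = {link: 0 for link in link_order}
        self.active = link_order[0]
        self.events: List[Tuple[str, str]] = []

    def observe(self, link: str, probe: Probe) -> None:
        """Feed one probe result; flip the link's SLA state only after a full streak."""
        compliant = self.sla.met_by(probe)
        if compliant == self.in_sla[link]:
            self.streak[link] = 0             # measurement agrees with current state
            return
        self.streak[link] += 1
        needed = self.recover_after if compliant else self.fail_after
        if self.streak[link] >= needed:
            self.in_sla[link] = compliant
            self.streak[link] = 0
            self.events.append(("recovered" if compliant else "degraded", link))

    def select(self) -> str:
        """Return the most-preferred compliant link; stay put if none is compliant (assumed)."""
        chosen = next((l for l in self.link_order if self.in_sla[l]), self.active)
        if chosen != self.active:
            self.events.append(("switch", f"{self.active}->{chosen}"))
            self.active = chosen
        return self.active


def run_simulation() -> Tuple[List[Tuple[float, str]], List[Tuple[str, str]]]:
    """Constructed scenario: fibre degrades for 2.5 s, then recovers; LTE stays healthy.

    Returns (timeline of (seconds, active link), steering events).
    """
    steer = SlaSteering(["fibre", "lte"], VOICE_SLA)
    fibre_good = Probe(latency_ms=12, jitter_ms=2, loss_pct=0.0)
    fibre_bad = Probe(latency_ms=180, jitter_ms=8, loss_pct=0.0)   # latency breaches 150 ms
    lte_steady = Probe(latency_ms=45, jitter_ms=15, loss_pct=0.2)  # compliant, lower preference
    fibre_series = [fibre_good] * 4 + [fibre_bad] * 5 + [fibre_good] * 4

    timeline = []
    for tick, fibre_probe in enumerate(fibre_series):
        steer.observe("fibre", fibre_probe)
        steer.observe("lte", lte_steady)
        timeline.append((tick * PROBE_INTERVAL_S, steer.select()))
    return timeline, steer.events


if __name__ == "__main__":
    for seconds, link in run_simulation()[0]:
        print(f"t={seconds:4.1f}s active={link}")
```

Run as a script, the timeline shows a single failing probe at t=2.0 s leaving voice on fibre, the move to LTE at t=3.0 s once three consecutive probes breach the SLA, and the return to fibre at t=5.5 s after three compliant probes. A second traffic class (bulk transfers with looser thresholds and the cheaper link first in `link_order`) is just another `SlaSteering` instance fed the same probes, which is the per-application steering the post describes.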

What Role Do FortiManager and FortiAnalyzer Play?

Deploying FortiGate appliances at every site is only part of the solution. Managing and monitoring them at scale requires centralised tooling. This is where FortiManager and FortiAnalyzer come in.

FortiManager: centralised orchestration

FortiManager provides a single console for managing every FortiGate device across the entire network. For a PCONNECT customer with 50 sites, FortiManager enables:

  • Template-based provisioning — define SD-WAN and security policies once, deploy to all sites or site groups with a single click
  • Zero-touch deployment — new FortiGate devices automatically connect to FortiManager on first boot, download their configuration, and join the SD-WAN fabric without manual intervention
  • Firmware management — schedule and deploy FortiOS updates across all devices from a central console, with staged rollouts and automatic rollback if issues are detected
  • Configuration compliance — continuously verify that all devices conform to the approved configuration baseline and alert on drift

FortiManager can manage up to 10,000 FortiGate devices from a single instance. For PCONNECT's managed service, this means we operate a single management platform across all customer deployments — ensuring consistent operational procedures and rapid response times.

FortiAnalyzer: visibility and reporting

FortiAnalyzer aggregates logs, traffic data, and security events from every FortiGate in the network. It provides:

  • Real-time dashboards — WAN link utilisation, application bandwidth, security events, and SD-WAN health metrics across all sites
  • Historical reporting — bandwidth trends, application usage patterns, and security incident timelines for capacity planning and compliance
  • Threat detection — correlation of security events across sites to identify coordinated attacks or lateral movement
  • Compliance reporting — pre-built report templates for standards including ISO 27001, PCI DSS, and the Australian Essential Eight

For our managed service customers, FortiAnalyzer feeds directly into PCONNECT's monitoring platform. Our network operations team receives proactive alerts when any metric — link health, security events, device health — falls outside normal parameters. This allows us to identify and resolve issues before they affect business operations.

How Does the Fortinet Security Fabric Extend Beyond SD-WAN?

One of the strategic advantages of choosing Fortinet is the broader Security Fabric ecosystem. FortiGate is not a standalone product — it is the anchor of an integrated security architecture that spans the entire network.

Relevant components include:

  • FortiSwitch — Fortinet-managed switches that extend FortiGate security policies to the LAN, managed through the same FortiManager console
  • FortiAP — wireless access points managed by FortiGate, applying consistent security policies to Wi-Fi traffic
  • FortiClient — endpoint security agent that provides VPN connectivity, endpoint detection and response (EDR), and ZTNA enforcement
  • FortiGuard — cloud-based threat intelligence service that provides real-time updates to all FortiGate devices (over 1 billion security updates daily across the FortiGuard network)
  • FortiSASE — cloud-delivered security for remote users and unmanaged devices

This means a business that starts with FortiGate SD-WAN can extend the same security framework to their local network, wireless, endpoints, and remote workers — all managed through FortiManager, all reporting to FortiAnalyzer.

What Does PCONNECT's Managed FortiGate SD-WAN Service Include?

Choosing the right platform is essential, but the managed service around it is what determines the customer experience. PCONNECT's managed FortiGate SD-WAN service includes:

  • Design and scoping — site surveys, carrier availability checks, and solution architecture tailored to each customer's requirements
  • Multi-carrier underlay — wholesale broadband, Ethernet, and mobile services across Aussie Broadband, AAPT/VOCUS, and Telstra, selected per-site for optimal performance and cost
  • Hardware supply and configuration — FortiGate appliances sized for each site, pre-configured in our lab and shipped for zero-touch installation
  • 24/7 monitoring — proactive monitoring of all WAN links, SD-WAN tunnels, and security events through our Australian-based network operations centre
  • Ongoing management — firmware updates, policy changes, and configuration adjustments included in the managed service
  • Security management — FortiGuard subscription management, threat response, and security posture reporting
  • Quarterly business reviews — bandwidth utilisation analysis, security event summaries, and capacity planning recommendations

Frequently Asked Questions

Is Fortinet FortiGate suitable for small businesses with only 2-3 sites?

Yes. The FortiGate 40F and 60F are designed specifically for small branch offices and deliver the same SD-WAN and security capabilities as larger models. A 3-site deployment with FortiGate 60F appliances and centralised FortiManager is a cost-effective solution that provides enterprise-grade security and SD-WAN functionality without enterprise-grade complexity.

How does FortiGate SD-WAN licensing work?

FortiGate hardware is purchased outright or included in a managed service agreement. The SD-WAN functionality is built into the base FortiOS operating system at no additional licence cost. Security services (IPS, antivirus, web filtering, FortiGuard updates) require a subscription — typically bundled as a FortiGuard bundle. In PCONNECT's managed service, all licensing is included in the monthly per-site fee.

Can FortiGate SD-WAN integrate with existing Fortinet firewalls?

Yes. If a business already has FortiGate firewalls deployed, SD-WAN can be enabled on those devices through a FortiOS upgrade (assuming the hardware model supports it). This avoids the need to replace existing infrastructure. FortiOS 7.0 and later includes full SD-WAN functionality on all supported FortiGate models.

What is the typical hardware lifespan of a FortiGate appliance?

Fortinet typically provides hardware support for 5-7 years from the date of purchase, with firmware updates and security patches throughout. Most businesses refresh FortiGate hardware on a 5-year cycle, aligning with typical managed service contract terms.

How does PCONNECT handle FortiGate firmware updates across customer sites?

Firmware updates are managed centrally through FortiManager. We follow a staged rollout process: updates are first deployed to a test environment, then to a pilot group of customer sites, then to the broader fleet. Updates are scheduled during maintenance windows (typically after business hours) and include automatic rollback capability if any issues are detected. Critical security patches are deployed on an accelerated timeline in accordance with the Australian Signals Directorate's Essential Eight patching guidelines — within 48 hours for internet-facing devices.
