April 27, 2023

FlexEdge Secure SD-WAN Series Part 1—Getting to Scalability

The challenges of deploying a large, efficient SD-WAN
Tuomo Syvanne

Enterprises and organizations are continuously expanding their operations and opening remote branch sites while modernizing their network infrastructure to achieve maximum efficiency with cloud and hybrid-cloud environments. However, they face a myriad of challenges when implementing large-scale SD-WAN infrastructure, which often results in unwanted compromises between cost and efficiency.

In this four-part blog series, we will detail how the Forcepoint SD-WAN orchestrator, an inherent feature of our Forcepoint FlexEdge Secure SD-WAN solution, solves the typical challenges organizations face when implementing large-scale SD-WAN infrastructure.

To kick things off, let's discuss the challenges organizations face when implementing a large, efficient, and scalable SD-WAN.

One of the biggest hurdles is managing multiple regions with different ISP vendors. This creates a multitude of obstacles: minimizing the cost of internet connections, hardware, and administration while ensuring low latency and adequate bandwidth between locations. It is also crucial that internet lines are available immediately and that bandwidth can be added when bottlenecks appear.

Balancing all these factors often leads organizations to make compromises, which can reduce the SD-WAN's overall efficiency and effectiveness. With the Forcepoint SD-WAN orchestrator, these compromises can be avoided. By combining the benefits of hub-and-spoke and full-mesh topologies, the orchestrator provides a cost-efficient solution that minimizes manual configuration for administrators and allows remote locations to use cost-effective hardware. It also reduces latency and makes the most efficient use of available bandwidth, which makes it well suited to large-scale SD-WAN implementations.


Efficient networking

Routing traffic through a hub gateway can add latency, because of the longer path and the additional encryption and decryption steps. It also makes the hub gateway and its ISP line a bottleneck that caps total throughput, and a single point of failure that affects the whole network.

Forcepoint SD-WAN orchestrator simplifies connectivity between gateways by removing additional requirements on the network path, which shortens delivery time and reduces cost. From the source address and port of a gateway's incoming authenticated connection, the orchestrator learns the NAT-translated endpoint at which that gateway is reachable, and can set up gateway-to-gateway connections without requiring direct connectivity to be pre-provisioned. This information is preserved and shared with the other gateways in the network, so connections can be opened to the publicly visible IP addresses and ports. NAT-T UDP encapsulation is used from the first packet, even when the ISP filters the initial connection attempt. In that case the orchestrator delivers a message to both gateways so that the connection is opened from both directions at the same time, which establishes a direct connection even between networks that allow only outbound-initiated connections, with both gateways behind NAPT.
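To make the rendezvous flow concrete, here is an added simulation (example code, not Forcepoint's implementation). Two gateways sit behind separate port-restricted NAPTs, a common case where a one-sided connection attempt is dropped by the remote NAPT. Each gateway registers with a publicly reachable orchestrator, which records the translated source endpoint it observes and hands it to the peer; when both sides then send at the same time, each NAPT has already permitted the other's endpoint and the direct path works. The NAPT model, gateway names, addresses and ports are all constructed for the simulation.

```python
"""Added example (not Forcepoint code): a simulation of the rendezvous and
simultaneous-open flow described above.  Two gateways sit behind separate
port-restricted NAPTs.  Each registers with a publicly reachable orchestrator,
which records the NAPT-translated source endpoint and hands it to the peer.
All addresses and ports are constructed for the simulation."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class Mapping:
    public_port: int
    permitted: set = field(default_factory=set)  # remote endpoints this mapping has sent to


class PortRestrictedNapt:
    """Outbound traffic creates (or reuses) a public port for the private source and
    records the destination.  Inbound traffic is delivered only if it arrives from an
    endpoint that the private host has already sent to through that mapping.  This
    is the NAPT behaviour that makes a one-sided connection attempt fail."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._by_private = {}
        self._by_port = {}

    def translate_out(self, src, dst):
        m = self._by_private.get(src)
        if m is None:
            m = Mapping(self._next_port)
            self._next_port += 1
            self._by_private[src] = m
            self._by_port[m.public_port] = src
        m.permitted.add(dst)
        return Endpoint(self.public_ip, m.public_port)

    def translate_in(self, src, dst):
        priv = self._by_port.get(dst.port)
        if dst.ip != self.public_ip or priv is None:
            return None
        if src not in self._by_private[priv].permitted:
            return None  # unsolicited inbound packet: dropped
        return priv


class Gateway:
    def __init__(self, name, addr, nat):
        self.name, self.addr, self.nat = name, addr, nat
        self.received = []  # public source endpoints of delivered packets


class Network:
    """Carries UDP datagrams between gateways and the orchestrator (which has a
    public address and no NAPT in front of it)."""

    def __init__(self, orchestrator_addr):
        self.orchestrator_addr = orchestrator_addr
        self.reflected = {}   # orchestrator's view: gateway name -> translated endpoint
        self.behind = {}      # public IP -> gateway behind that NAPT

    def attach(self, gw):
        self.behind[gw.nat.public_ip] = gw

    def send(self, gw, dst):
        """Send one datagram from gw to public endpoint dst; True if delivered."""
        pub_src = gw.nat.translate_out(gw.addr, dst)
        if dst == self.orchestrator_addr:
            # Registration: the orchestrator records the source it actually sees.
            self.reflected[gw.name] = pub_src
            return True
        peer = self.behind[dst.ip]
        if peer.nat.translate_in(pub_src, dst) is None:
            return False
        peer.received.append(pub_src)
        return True


def hole_punch(simultaneous):
    """Return (delivered on one-sided attempt, delivered after simultaneous open)."""
    net = Network(Endpoint("192.0.2.1", 4500))
    a = Gateway("A", Endpoint("10.0.1.1", 4500), PortRestrictedNapt("203.0.113.10"))
    b = Gateway("B", Endpoint("10.0.2.1", 4500), PortRestrictedNapt("198.51.100.20"))
    net.attach(a)
    net.attach(b)
    net.send(a, net.orchestrator_addr)   # both gateways register; the orchestrator
    net.send(b, net.orchestrator_addr)   # learns each one's public IP:port
    a_target, b_target = net.reflected["B"], net.reflected["A"]

    one_sided = net.send(a, a_target)    # A's NAPT now permits B, but B's NAPT drops it
    if not simultaneous:
        return one_sided, net.send(a, a_target)
    # Orchestrator tells B to open toward A at the same time: B's NAPT now permits A,
    # and A's NAPT already permits B, so this packet and A's retransmission get through.
    b_to_a = net.send(b, b_target)
    a_retry = net.send(a, a_target)
    return one_sided, b_to_a and a_retry
```

Without the simultaneous open, A can retransmit as often as it likes and B's NAPT keeps dropping the packets; with it, the first packet from each side is still lost but opens the mapping the other side needs, and the retransmission arrives. That is why encapsulating from the first packet and retransmitting matters more than the first packet succeeding.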



Most SD-WAN solutions can only scale to a few hundred gateways. The limit comes either from the number of connections the gateway can hold, even on large and expensive hardware, or from the number of tunnels that have to exist in the configuration. Forcepoint SD-WAN orchestrator can manage full-mesh connectivity between thousands of gateways, enabling organizations to scale their operation to many locations.

Forcepoint SD-WAN orchestrator eliminates the need for individual IPsec configurations for each subnet combination, reducing the memory requirements in each gateway. This is especially important for SD-WAN solutions that rely on policy-based VPNs, where the number of configured IPsec tunnels can quickly add up. By eliminating the need for individual IPsec configurations, Forcepoint SD-WAN reduces hardware requirements and improves the overall ROI of SD-WAN.

When considering an SD-WAN that connects thousands of gateways together, it is typical to find some gateways in a centralized location while other gateways are in remote locations. To optimize hardware requirements at remote locations, Forcepoint SD-WAN orchestrator dynamically adds tunnels to the gateway configuration only when traffic is required between gateways. This reduces unnecessary tunnel overhead and helps organizations to scale in a cost-effective way, even when gateways are located in remote or hard-to-reach locations. By minimizing hardware needs and tunnel overhead, Forcepoint SD-WAN orchestrator enables organizations to deploy a large-scale SD-WAN with thousands of gateways, without compromising on efficiency or performance.
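The three paragraphs above make a quantitative point: static full-mesh state grows with the square of the gateway count, policy-based VPNs multiply it again by the number of subnet pairs, and an on-demand tunnel table only holds what is actually in use. Here is an added example that works the numbers and models the on-demand table (example code, not Forcepoint's; the 300-second idle timeout and the traffic pattern are assumptions for the illustration).

```python
"""Added example (not Forcepoint code): tunnel-count arithmetic behind the
scaling limits above, and a minimal on-demand tunnel table that only holds
entries for gateway pairs that have recently exchanged traffic.  The 300 s idle
timeout and the traffic pattern are constructed for the illustration."""


def full_mesh_tunnels(n_gateways):
    """Route-based full mesh: one tunnel per unordered pair of gateways."""
    return n_gateways * (n_gateways - 1) // 2


def policy_based_sa_pairs(n_gateways, subnets_per_gateway):
    """Policy-based VPN: one IPsec SA pair per (local subnet, remote subnet)
    combination on every gateway pair, so the subnet count enters squared."""
    return full_mesh_tunnels(n_gateways) * subnets_per_gateway ** 2


def per_gateway_static_state(n_gateways, subnets_per_gateway, policy_based):
    """Entries one gateway must hold when the whole mesh is configured statically."""
    peers = n_gateways - 1
    return peers * (subnets_per_gateway ** 2 if policy_based else 1)


class OnDemandTunnels:
    """Tunnel table keyed by unordered gateway pair.  An entry is created by the
    first flow between two gateways and removed once it has been idle longer
    than idle_timeout seconds."""

    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        self.last_seen = {}  # frozenset({gw1, gw2}) -> time of last traffic

    def on_traffic(self, src, dst, now):
        key = frozenset((src, dst))
        created = key not in self.last_seen
        self.last_seen[key] = now
        return created  # True when a tunnel had to be set up for this flow

    def expire(self, now):
        stale = [k for k, t in self.last_seen.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.last_seen[k]
        return len(stale)

    def active_for(self, gw):
        return sum(1 for pair in self.last_seen if gw in pair)


def hub_and_branch_demo(n_branches=1000):
    """Constructed traffic: every branch talks to two hubs, and at one point each
    branch also talks to its neighbour.  Compare static full-mesh state with
    what the on-demand table holds."""
    hubs = ["hub-1", "hub-2"]
    branches = [f"branch-{i}" for i in range(n_branches)]
    table = OnDemandTunnels(idle_timeout=300)
    for b in branches:                       # t=0: branch-to-hub traffic
        for h in hubs:
            table.on_traffic(b, h, now=0)
    for i, b in enumerate(branches):         # t=10: short-lived branch-to-branch flows
        table.on_traffic(b, branches[(i + 1) % n_branches], now=10)
    busy = table.active_for(branches[0])
    for b in branches:                       # t=250: hub traffic keeps those tunnels alive
        for h in hubs:
            table.on_traffic(b, h, now=250)
    expired = table.expire(now=400)          # branch-to-branch tunnels idle 390 s: removed
    return {
        "static_per_branch": per_gateway_static_state(n_branches + len(hubs), 1, False),
        "ondemand_per_branch_busy": busy,
        "ondemand_per_branch_after_expire": table.active_for(branches[0]),
        "ondemand_per_hub": table.active_for("hub-1"),
        "expired": expired,
    }
```

For 1,000 gateways a route-based full mesh is 499,500 tunnels, and a policy-based mesh with four subnets per site needs 16 times that many SA pairs; a branch in the constructed scenario holds 1,001 entries statically but only two to four on demand, while the hubs, which really do talk to everyone, keep their 1,000.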



Configuring secure communication between gateways is a complex task: many parameters must match on both ends of each connection. Central management simplifies this in large-scale SD-WAN environments, but when several administrators in different regions each own part of the network, a change on one side may wait on the other. Those delays reduce the efficiency of the network, and the waiting itself increases the risk of errors and mismatched configurations. Clear communication and coordination between everyone who manages and configures the SD-WAN environment is therefore important, so that changes are made in a timely and consistent manner.

Forcepoint Secure SD-WAN simplifies this by applying configuration updates on the orchestrator, which removes the need for manual updates on each gateway. This keeps management central even in large-scale SD-WAN environments and reduces the delays and inconsistencies that arise when different administrators make changes across regions. The orchestrator also holds the gateway-specific information, such as authentication data and gateway addresses, so each gateway receives the context it needs to reach and authenticate its peers.

The Forcepoint SD-WAN orchestrator allows flexible routing configurations while keeping changes to gateway addresses controlled and managed. Organizations can handle routing in different ways, and accidental or intentional changes that would create IP address conflicts are prevented. Administrators can also specify the addresses a gateway is allowed to use, which adds a further layer of control.
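As an added illustration of the two checks that paragraph implies (example code, not Forcepoint's implementation), the function below validates the prefixes a gateway advertises against the prefixes an administrator has allowed for it, and against prefixes already accepted from other gateways, so that a branch cannot accidentally or deliberately claim another site's address space. The gateway names and prefixes are constructed.

```python
"""Added example (not Forcepoint code): validating the routes a gateway
advertises against administrator-allowed prefixes and against prefixes already
accepted from other gateways.  Gateway names and prefixes are constructed."""
import ipaddress


def validate_advertised_routes(gateway, advertised, allowed, accepted_from_others):
    """Return (accepted, rejected) for the prefixes `gateway` advertises.

    allowed: {gateway: [prefixes the administrator permits it to advertise]}
    accepted_from_others: {other_gateway: [prefixes already accepted from it]}
    rejected entries are (prefix, reason) tuples."""
    permitted = [ipaddress.ip_network(p) for p in allowed.get(gateway, [])]
    in_use = [(ipaddress.ip_network(p), other)
              for other, prefixes in accepted_from_others.items() if other != gateway
              for p in prefixes]
    accepted, rejected = [], []
    for raw in advertised:
        try:
            net = ipaddress.ip_network(raw)   # strict: host bits set is an error
        except ValueError:
            rejected.append((raw, "malformed prefix"))
            continue
        # Allowed-address check: the prefix must sit inside something the
        # administrator granted to this gateway (a default route never does).
        if not any(net.version == p.version and net.subnet_of(p) for p in permitted):
            rejected.append((raw, "outside allowed prefixes"))
            continue
        # Conflict check: no overlap with address space another gateway owns.
        clash = next(((q, other) for q, other in in_use
                      if net.version == q.version and net.overlaps(q)), None)
        if clash is not None:
            rejected.append((raw, f"overlaps {clash[0]} accepted from {clash[1]}"))
            continue
        accepted.append(str(net))
    return accepted, rejected


def route_demo():
    allowed = {
        "branch-hel": ["10.10.0.0/16"],
        "branch-par": ["10.20.0.0/16"],
    }
    accepted_from_others = {
        "branch-par": ["10.20.1.0/24"],
        # 10.10.9.0/24 was accepted from the DC earlier, so the branch must not take it
        "dc-1": ["10.0.0.0/16", "10.10.9.0/24", "192.168.0.0/16"],
    }
    advertised = ["10.10.1.0/24", "10.10.2.0/24", "10.20.1.0/24",
                  "10.10.9.0/24", "10.10.3.1/24", "0.0.0.0/0"]
    return validate_advertised_routes("branch-hel", advertised, allowed, accepted_from_others)
```

Ordering the checks this way means the allowed-address list is the primary control and the overlap check catches the remaining case where two gateways have been granted, or have previously registered, the same space.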

Critical information about gateway ISP connections is reported by the gateways themselves, which lets the Forcepoint SD-WAN orchestrator monitor and manage the ISP connections in real time. This includes each connection's state, such as active or standby, and the ISP link's performance metrics: latency, packet loss, and jitter. Organizations can also configure ISP link preferences by adding labels to the ISP connections, so the orchestrator can route traffic over the optimal link based on the application's requirements. Traditional MPLS connections can be added and labeled in the same way.

When a gateway connects to the Forcepoint SD-WAN orchestrator, it automatically downloads the necessary configurations and settings from the orchestrator. This allows for a seamless and quick deployment of gateways within the SD-WAN environment. Furthermore, as new gateways are added to the environment, they will automatically receive the necessary configurations and settings from the orchestrator, reducing the time and effort required for deployment. This also ensures consistency across the SD-WAN environment, reducing the risk of misconfigurations and other issues that can arise when settings are manually configured.

Forcepoint SD-WAN significantly increases productivity by automating the configuration and distribution of tunnels to the gateways. This removes manual per-gateway administration and allows gateways to be under different administrators and different central management systems. In addition to creating tunnels automatically, Forcepoint SD-WAN includes ISP load sharing. As an application-aware solution, it selects the best ISP combination for the requirements of each application, ensuring optimal performance and efficient use of the available bandwidth.
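To show how gateway-reported link state and metrics, administrator labels, and per-application requirements combine into a link choice, here is an added example (not Forcepoint's selection logic). A link is eligible for an application only if it is active, carries no excluded label, and currently meets the application's latency, loss and jitter thresholds; eligible links are then ranked by preferred label and a weighted quality score, and the top two are returned for load sharing. Link names, labels, thresholds and the scoring weights are constructed.

```python
"""Added example (not Forcepoint code): choosing ISP links for an application
from gateway-reported link state and metrics plus administrator labels.  Link
names, labels, thresholds and the scoring weights are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    labels: frozenset
    state: str          # "active" or "standby", as reported by the gateway
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class AppPolicy:
    app: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    preferred_labels: frozenset = frozenset()
    excluded_labels: frozenset = frozenset()


def eligible(link, policy):
    """A link is usable for the app only if it is active, carries no excluded label
    and currently meets every threshold in the policy."""
    return (link.state == "active"
            and not (link.labels & policy.excluded_labels)
            and link.latency_ms <= policy.max_latency_ms
            and link.loss_pct <= policy.max_loss_pct
            and link.jitter_ms <= policy.max_jitter_ms)


def select_links(links, policy, max_links=2):
    """Rank eligible links: preferred label first, then a weighted quality score
    (lower is better), then name for a stable order.  Up to max_links names are
    returned so traffic can be shared across them."""
    def rank(link):
        preferred = 0 if link.labels & policy.preferred_labels else 1
        quality = link.latency_ms + 10 * link.loss_pct + 2 * link.jitter_ms
        return (preferred, quality, link.name)
    ranked = sorted((l for l in links if eligible(l, policy)), key=rank)
    return [l.name for l in ranked[:max_links]]


def link_demo():
    """Constructed gateway report: four active links and one standby link."""
    links = [
        Link("fiber-1", frozenset({"fiber", "isp-a"}), "active", 12, 0.0, 2),
        Link("dsl-1", frozenset({"dsl", "isp-b"}), "active", 35, 0.5, 8),
        Link("lte-1", frozenset({"lte", "metered"}), "active", 60, 1.5, 25),
        Link("mpls-1", frozenset({"mpls"}), "active", 20, 0.0, 1),
        Link("fiber-2", frozenset({"fiber", "isp-c"}), "standby", 10, 0.0, 1),
    ]
    # Voice: tight loss and jitter limits, keep it off metered links, prefer MPLS.
    voice = AppPolicy("voice", 100, 1.0, 20, preferred_labels=frozenset({"mpls"}),
                      excluded_labels=frozenset({"metered"}))
    # Backup: tolerant of anything, prefer fiber, stay off MPLS to leave it for voice.
    backup = AppPolicy("backup", 500, 5.0, 200, preferred_labels=frozenset({"fiber"}),
                       excluded_labels=frozenset({"mpls"}))
    return {p.app: select_links(links, p) for p in (voice, backup)}
```

The standby fiber link has the best raw metrics but is never chosen because the gateway reports it as standby; the LTE link is kept away from voice both by its label and by its measured loss and jitter, and the two applications end up sharing the fiber link while MPLS is reserved for voice.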

In part 2, we tackle the security challenges of creating a large-scale SD-WAN. To learn more about Forcepoint Secure SD-WAN, read the Solution Brief or watch the Secure SD-WAN product demo.


Tuomo Syvanne

Tuomo Syvanne is a Principal Network Engineer at Forcepoint.


About Forcepoint

Forcepoint is the leading cybersecurity company for user and data protection. Our goal is to protect enterprises while driving digital transformation and growth. Our solutions adapt in real time to how people interact with data, providing secure access while enabling employees to create value.