Fortinet Authorized · NSE7 Certified · Multi-Branch Experts

MPLS to FortiGate Secure SD-WAN Migration for Indian Enterprises

Cut WAN costs by 40-60% while gaining built-in NGFW security at every branch. Ogma deploys FortiGate SD-WAN with ADVPN overlay, centralised FortiManager orchestration, and zero-touch provisioning.

Why Replace MPLS?

MPLS Is Costing You More Than You Think

MPLS was built for a world where all applications lived in the data centre. Today, 60-80% of branch traffic goes to the internet — SaaS apps, cloud workloads, video conferencing. Backhauling this traffic through your DC hub on expensive MPLS circuits makes no sense.

MPLS provisioning in India takes 45-90 days per site. Adding bandwidth requires a new circuit order. You are locked into long-term contracts with your ISP, paying premium rates for bandwidth that broadband delivers at a fraction of the cost.

And MPLS has no built-in security. You still need a separate branch firewall, VPN concentrator, and WAN optimiser. FortiGate SD-WAN consolidates all of these into a single appliance.

  • 3-5x: MPLS vs Broadband Cost/Mbps
  • 45-90: Days to Provision MPLS
  • 40-60%: WAN Cost Savings with SD-WAN
  • 1: Device Replaces FW + Router + WAN Opt

FortiGate Secure SD-WAN Architecture

ADVPN Overlay Network

Auto Discovery VPN creates dynamic spoke-to-spoke IPsec tunnels. Branch-to-branch traffic flows directly without hub hairpin. Reduces latency for inter-branch VoIP, video, and ERP by 40-60%.

Application-Aware Steering

Deep packet inspection identifies 3,000+ applications. SLA-based routing steers traffic over the best link — lowest latency for Teams/Zoom, highest bandwidth for bulk transfers, MPLS for ERP if needed.

Built-In NGFW Security

Every FortiGate running SD-WAN also runs full NGFW — IPS, application control, web filtering, anti-malware, SSL inspection, and sandboxing. No separate security device needed at the branch.

FortiGate Model Selection for SD-WAN Branches

We size based on throughput with SD-WAN + NGFW + IPS + SSL inspection enabled simultaneously.

| Branch Size | Users | Recommended Model | NGFW Throughput | WAN Links |
|---|---|---|---|---|
| Small Branch / Retail | Up to 30 | FortiGate 40F | 600 Mbps | 2x WAN |
| Medium Branch | 30 – 100 | FortiGate 60F / 80F | 1 – 1.4 Gbps | 2x WAN + DMZ |
| Large Branch | 100 – 300 | FortiGate 100F / 100G | 2 – 3.5 Gbps | 4x WAN |
| Regional Hub | 300 – 1,000 | FortiGate 200G / 400G | 8 – 18 Gbps | Multiple 1G/10G |
| DC Hub / Concentrator | Hub for all spokes | FortiGate 600G / 900G | 30+ Gbps | Multiple 10G/25G |

Centralised Management with FortiManager

Managing 50+ branch firewalls individually is unsustainable. FortiManager provides a single pane of glass for all SD-WAN policies, VPN overlays, firewall rules, and firmware updates across your entire network.

SD-WAN templates ensure every branch gets the same policy — application steering rules, SLA thresholds, link health checks, and failover behaviour. Change a template once and it deploys to all assigned branches in minutes.

FortiAnalyzer complements FortiManager with centralised logging, SD-WAN bandwidth usage reports, per-link SLA performance dashboards, and compliance audit trails. Together, they give you full visibility and control over your distributed network.

FortiManager SD-WAN Capabilities

  • Zero-touch provisioning for new branch devices
  • SD-WAN template-based policy deployment
  • VPN overlay topology management (hub-spoke, full-mesh)
  • Centralised firmware upgrade scheduling
  • Configuration versioning and rollback
  • REST API for automation and integration
  • Role-based access control for multi-team management
  • Compliance reporting and configuration audit

SD-WAN ROI — The Numbers Speak

Direct Cost Savings

  • WAN circuit costs: Replace expensive MPLS with broadband/DIA — save 40-60% per branch per month
  • Device consolidation: FortiGate replaces branch router + firewall + WAN optimiser — 1 device instead of 3
  • Provisioning speed: New site live in days (broadband) vs months (MPLS)
  • Bandwidth increase: Get 5-10x more bandwidth at the same or lower cost

Operational Benefits

  • Application performance: SLA-based steering ensures Teams/Zoom/ERP always get the best link
  • Resilience: Automatic failover between WAN links — no manual intervention
  • Security posture: Every branch gets enterprise-grade NGFW security, not just basic ACLs
  • Agility: Add bandwidth or links in hours, not weeks. ISP-agnostic — no vendor lock-in

Hybrid Coexistence — Migrate at Your Pace

Phase 1 — Overlay on MPLS

Deploy FortiGate at branches alongside existing MPLS. SD-WAN overlay runs over MPLS + internet. Traffic steering begins. MPLS remains the primary path while you validate SD-WAN performance.

Phase 2 — Shift Traffic

Gradually move application traffic to internet/DIA links via SD-WAN rules. Monitor SLA metrics per application. MPLS carries only latency-sensitive traffic (VoIP, ERP transactions). Broadband handles the rest.

Phase 3 — Decommission MPLS

Once SD-WAN performance is validated, decommission MPLS circuits branch by branch. Replace with DIA or upgraded broadband. Full savings realised. FortiGate becomes the sole WAN edge device.

Ogma's SD-WAN Deployment Process

1. WAN Assessment

Map all branch locations, current WAN circuits (type, bandwidth, cost, contract end dates), application traffic patterns, and performance baselines. Identify quick-win branches for pilot deployment.

2. Design & Sizing

Design SD-WAN overlay topology (hub-spoke, dual-hub, regional mesh). Select FortiGate model per branch tier. Define SD-WAN rules, SLA health checks, and application steering policies. Plan FortiManager and FortiAnalyzer deployment.

3. Pilot Deployment

Deploy FortiGate SD-WAN at 2-3 pilot branches. Validate ADVPN overlay, application steering, failover behaviour, and VoIP quality. Benchmark against MPLS performance. Tune SLA thresholds based on real traffic.

4. Staged Rollout

Roll out in waves — 10-20 branches per wave using FortiManager templates. Pre-stage devices in Gurugram, ship to sites, connect and auto-provision via zero-touch deployment. On-site time reduced to 2-4 hours per branch.

5. MPLS Decommission

Coordinate with ISP to terminate MPLS circuits as SD-WAN proves stable per branch. Upgrade broadband/DIA where needed. Ensure contract exit timing aligns with rollout schedule to avoid double-paying.

6. Optimise & Handover

Fine-tune SD-WAN rules based on production traffic. Configure FortiAnalyzer dashboards and alerts. Deliver runbook documentation. Train your network team on FortiManager operations. Transition to Ogma managed services or your in-house team.

Why Ogma for SD-WAN Migration

NSE7 Certified Engineers

Our team holds Fortinet NSE7 (Enterprise Firewall + SD-WAN) certifications. We design and deploy FortiGate SD-WAN networks daily — not as a side project.

Authorised Fortinet Partner

Ogma is an authorised Fortinet reseller in India. We provide competitive pricing on FortiGate hardware, FortiGuard subscriptions, FortiManager, and FortiAnalyzer. Single vendor for procurement + deployment + support.

Pan-India Deployment

We pre-stage FortiGate devices in our Gurugram facility and ship pan-India. Remote zero-touch provisioning for most branches. On-site deployment for hubs and complex sites across Delhi NCR, Mumbai, Bangalore, and other metros.

Frequently Asked Questions

Most enterprises see 40-60% reduction in WAN costs. MPLS circuits in India cost 3-5x more per Mbps than broadband or DIA (Direct Internet Access). SD-WAN lets you use multiple cheap broadband links with intelligent path selection, reserving MPLS only for latency-sensitive traffic. The FortiGate appliance also replaces your branch firewall, eliminating a separate device cost.

No. Most enterprises run a hybrid WAN during transition — keeping MPLS for critical applications (voice, ERP) while offloading internet traffic and non-critical apps to broadband/DIA via SD-WAN. You can migrate branches gradually and decommission MPLS circuits only when you are comfortable with SD-WAN performance. FortiGate SD-WAN supports hybrid overlay with MPLS and internet underlay simultaneously.

For small branches (up to 50 users): FortiGate 40F or 60F. For medium branches (50-200 users): FortiGate 80F or 100F. For large branches or regional hubs (200-500 users): FortiGate 100G or 200G (G-series with SP5 ASIC). For data centre hubs: FortiGate 600G or higher. We size based on throughput requirements with SD-WAN + NGFW + IPS enabled simultaneously.

FortiGate identifies applications using deep packet inspection (DPI) and routes them over the best available WAN link based on SLA parameters you define — latency, jitter, packet loss, and bandwidth. For example, Microsoft Teams traffic can be steered over the lowest-latency link, while bulk file transfers use the highest-bandwidth link. Over 3,000 applications are identified out of the box via FortiGuard ISDB.

ADVPN (Auto Discovery VPN) creates dynamic spoke-to-spoke IPsec tunnels on demand. Without ADVPN, all branch-to-branch traffic must route through the hub — adding latency and consuming hub bandwidth. With ADVPN, if Branch A needs to communicate with Branch B, a direct tunnel is created automatically. This dramatically reduces latency for inter-branch applications like VoIP, video conferencing, and shared ERP access.

FortiManager provides centralised SD-WAN orchestration. All branch FortiGate devices are managed from a single console — SD-WAN rules, firewall policies, VPN overlays, and firmware updates are pushed centrally. FortiManager templates ensure consistent configuration across all branches. FortiAnalyzer provides centralised logging and SD-WAN health monitoring with per-link SLA dashboards.

Yes. FortiGate SD-WAN is ISP-agnostic. It works with any combination of MPLS, broadband, DIA, LTE/5G, and even satellite links. You can mix ISPs per branch — for example, Jio Fiber + Airtel broadband + BSNL MPLS. The SD-WAN engine performs health checks on each link and steers traffic based on real-time performance, not just static routes.

Pilot (2-3 branches): 2-3 weeks including assessment, hardware staging, and testing. Phase 1 (10-20 branches): 4-6 weeks with FortiManager templates. Full rollout (50+ branches): 8-12 weeks with parallel deployment teams. We pre-stage and pre-configure FortiGate devices in our Gurugram facility before shipping to branch sites, reducing on-site deployment time to 2-4 hours per branch.

Ready to Replace MPLS with SD-WAN?

Get a free WAN assessment. We map your branches, calculate savings, and recommend the right FortiGate model for each site — no obligation.
