Administration Guide

Configuring firewall policies for SD-WAN

After you create an SD-WAN interface, FortiGate adds a virtual SD-WAN interface to the interface list. Use this virtual interface, not the individual member ports, when you create firewall policies for SD-WAN traffic.

You must configure a policy that allows traffic from your organization's internal network to the SD-WAN interface (virtual-wan-link in the CLI). You do not need to configure policies for each individual SD-WAN member interface because policies configured with the SD-WAN interface apply to all SD-WAN interface members.

To create a firewall policy for SD-WAN:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New. The New Policy page opens.
  3. Configure the following:

    Name

    Enter a name for the policy.

    Incoming Interface

    internal

    Outgoing Interface

    SD-WAN

    Source

    all

    Destination

    all

    Schedule

    always

    Service

    ALL

    Action

    ACCEPT

    Firewall / Network Options

    Enable NAT and set IP Pool Configuration to Use Outgoing Interface Address. Because the outgoing interface is the SD-WAN virtual interface, each session is source-NATed to the address of whichever SD-WAN member the SD-WAN rules select for it.

    Security Profiles

    Apply profiles as required.

    Logging Options

    Enable Log Allowed Traffic and select All Sessions. This allows you to verify results later.

  4. Enable the policy, then click OK.
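
The same policy expressed in the FortiOS CLI, as an added example rather than text from the Fortinet guide. It assumes a FortiGate whose LAN port is named internal and whose SD-WAN virtual interface has the default CLI name virtual-wan-link; the policy name, the 10.0.1.0/24 address object and the security profile names are assumptions you should replace with your own.

```fortios
# Added example, not part of the Fortinet guide. Assumptions: LAN port "internal",
# default SD-WAN virtual interface "virtual-wan-link", policy name, the
# 10.0.1.0/24 subnet and the profile names.

# Optional: an address object for the internal LAN (assumed subnet), so the policy
# can be scoped tighter than the "all" object used in the GUI walkthrough.
config firewall address
    edit "LAN-10.0.1.0"
        set subnet 10.0.1.0 255.255.255.0
    next
end

config firewall policy
    # "edit 0" lets FortiOS assign the next free policy ID.
    edit 0
        set name "Internal-to-SD-WAN"
        # One policy to the SD-WAN virtual interface covers every member.
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "LAN-10.0.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # NAT with no IP pool is the CLI form of "Use Outgoing Interface Address":
        # each session is source-NATed to the address of the member that carries it.
        set nat enable
        # Security profiles (assumed names; apply the profiles your policy needs).
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        # Log all sessions so you can verify later which member each flow used.
        set logtraffic all
        set status enable
    next
end
```

The GUI steps above use the all source object and the ALL service; that is the minimum needed to get traffic flowing, but for a production policy narrow the source to the internal subnets that should reach the WAN and restrict the service set, since this single policy is the gate for every SD-WAN member at once. After committing, `show firewall policy` confirms the policy, and with all sessions logged the traffic log shows which SD-WAN member each session actually left on, which is what you need when checking link selection and failover.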

Next: Link monitoring and failover
