SD-WAN upgrade changes
SD-WAN member interfaces are grouped into SD-WAN zones in 6.4.1. These zones can be used in firewall policies. Individual SD-WAN members can no longer be used directly in policies.
Previously, SD-WAN members could be used directly in firewall policies. Upon upgrading, an SD-WAN zone, upg-zone-<interface-name>, will be created for each member that is defined in a firewall policy.
FortiOS 6.4.1 has the following CLI changes:
- Replaced config system virtual-wan-link with config system sdwan.
- Renamed virtual-wan-link in static route to sdwan.

    config router static
        edit 1
            set sdwan {enable | disable}
            ...
        next
    end

- Added new table, system.sdwan.zone. Every SD-WAN member must be assigned to a zone. The default zone is virtual-wan-link.

    config system sdwan
        config zone
            edit "vpn-zone"
            next
            edit "virtual-wan-link"
            next
        end
    end

    config system sdwan
        config members
            edit 1
                set interface "port1"
                set zone "vpn-zone"
            next
        end
    end

- Replaced diagnose sys virtual-wan-link with diagnose sys sdwan.
- Upgrading will create individual SD-WAN zones for each SD-WAN member used in policies.
- When using SD-WAN zones in firewall policies, for firewall.policy, firewall.policy6, firewall.proxy-policy, and firewall.security-policy, the SD-WAN interfaces are changed to the zone name. Only SD-WAN zones can be used as srcintf and dstintf. Member interfaces of SD-WAN cannot be used directly.

    config firewall policy
        edit 1
            set dstintf virtual-wan-link vpn-zone
            ...
        next
    end
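As a pre-upgrade check, the following added example (not Fortinet's code or tooling) scans a pre-6.4.1 configuration backup for firewall policies that reference SD-WAN members directly and lists the upg-zone-<interface-name> zones the upgrade will create for them, so the policy review can be planned before upgrading. The config text is a constructed excerpt, and the parser assumes the usual FortiOS backup layout (top-level "config ... end" blocks with nested blocks indented).

```python
import re

# Constructed pre-6.4.1 FortiOS config excerpt (not a real device export).
SAMPLE_CONFIG = """
config system virtual-wan-link
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "port1" "port2"
    next
    edit 2
        set srcintf "internal"
        set dstintf "virtual-wan-link"
    next
end
"""

def _section(cfg, name):
    # Body of a top-level "config <name> ... end" block; nested "end" lines are indented.
    m = re.search(r"config " + re.escape(name) + r"(.*?)\nend", cfg, re.S)
    return m.group(1) if m else ""

def sdwan_members(cfg):
    """Interfaces listed under 'config members' of system virtual-wan-link."""
    return set(re.findall(r'set interface "([^"]+)"', _section(cfg, "system virtual-wan-link")))

def policy_interfaces(cfg):
    """Map policy id -> set of srcintf/dstintf names from 'config firewall policy'."""
    policies = {}
    for pid, body in re.findall(r"edit (\d+)(.*?)next", _section(cfg, "firewall policy"), re.S):
        lines = re.findall(r"set (?:srcintf|dstintf) (.+)", body)
        policies[int(pid)] = {n.strip('"') for line in lines for n in line.split()}
    return policies

def predict_upgrade_zones(cfg):
    """Policies using an SD-WAN member directly -> upg-zone-<interface> zones 6.4.1 will create."""
    members = sdwan_members(cfg)
    return {pid: ["upg-zone-" + i for i in sorted(intfs & members)]
            for pid, intfs in policy_interfaces(cfg).items() if intfs & members}
```

Policy 2 already references the virtual-wan-link zone and is not reported; policy 1 is flagged with upg-zone-port1 and upg-zone-port2.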