SD-WAN upgrade changes
SD-WAN member interfaces are grouped into SD-WAN zones in 6.4.1. These zones can be used in firewall policies. Individual SD-WAN members can no longer be used directly in policies.
Previously, SD-WAN members could be used directly in firewall policies. Upon upgrading, an SD-WAN zone, upg-zone-<interface-name>, will be created for each member that is defined in a firewall policy.
FortiOS 6.4.1 has the following CLI changes:
- Replaced config system virtual-wan-link with config system sdwan.
- Renamed virtual-wan-link in static route to sdwan.

    config router static
        edit 1
            set sdwan {enable | disable}
            ...
        next
    end

- Added new table, system.sdwan.zone. Every SD-WAN member must be assigned to a zone. The default zone is virtual-wan-link.

    config system sdwan
        config zone
            edit "vpn-zone"
            next
            edit "virtual-wan-link"
            next
        end
    end

    config system sdwan
        config members
            edit 1
                set interface "port1"
                set zone "vpn-zone"
            next
        end
    end

- Replaced diagnose sys virtual-wan-link with diagnose sys sdwan.
- Upgrading will create individual SD-WAN zones for each SD-WAN member used in policies.
- When using SD-WAN zones in firewall policies, for firewall.policy, firewall.policy6, firewall.proxy-policy, and firewall.security-policy, the SD-WAN interfaces are changed to the zone name. Only SD-WAN zones can be used as srcintf and dstintf. Member interfaces of SD-WAN cannot be used directly.

    config firewall policy
        edit 1
            set dstintf virtual-wan-link vpn-zone
            ...
        next
    end
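
A pre-upgrade check for the policy change described above, as an added example that is not Fortinet's code: it parses a configuration backup taken before 6.4.1 and reports which policies name SD-WAN members directly, together with the upg-zone-<interface-name> zone the upgrade is expected to substitute. The function name audit, the sample backup, and the assumption that members appear as set interface lines under config system virtual-wan-link / config members are assumptions of this example.

```python
import re

# Constructed pre-upgrade backup excerpt; interface names and policy ids are sample values.
SAMPLE = '''
config system virtual-wan-link
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
end
config firewall policy
    edit 10
        set srcintf "lan"
        set dstintf "port1"
    next
    edit 11
        set srcintf "lan"
        set dstintf "virtual-wan-link"
    next
end
'''

# Policy tables the page lists as switching from member interfaces to zone names.
POLICY_TABLES = {"firewall policy", "firewall policy6",
                 "firewall proxy-policy", "firewall security-policy"}

def audit(config):
    """Return {(table, policy id, field): [zones the upgrade is expected to create]}."""
    stack, edit_id, members, refs = [], None, set(), []
    for line in config.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit":
            edit_id = tok[1]
        elif tok[0] == "set" and len(tok) > 2:
            if stack[-2:] == ["system virtual-wan-link", "members"] and tok[1] == "interface":
                members.add(tok[2])
            elif stack and stack[-1] in POLICY_TABLES and tok[1] in ("srcintf", "dstintf"):
                refs.append(((stack[-1], edit_id, tok[1]), tok[2:]))
    # Resolve after the full pass so block order in the backup does not matter.
    return {k: z for k, v in refs if (z := ["upg-zone-" + i for i in v if i in members])}
```

Each reported policy will have its srcintf or dstintf rewritten at upgrade, so any review tooling or change records that match on the member interface name need to be updated to the zone name.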