SD-WAN upgrade changes

SD-WAN member interfaces are grouped into SD-WAN zones in 6.4.1. These zones can be used in firewall policies. Individual SD-WAN members can no longer be used directly in policies.

Previously, SD-WAN members could be used directly in firewall policies. Upon upgrading, an SD-WAN zone, upg-zone-<interface-name>, will be created for each member that is defined in a firewall policy.

FortiOS 6.4.1 has the following CLI changes:

  • Replaced config system virtual-wan-link with config system sdwan.

  • Renamed virtual-wan-link in static route to sdwan.
    config router static
        edit 1
            set sdwan {enable | disable}
            ...
        next
    end

  • Added new table, system.sdwan.zone. Every SD-WAN member must be assigned to a zone. The default zone is virtual-wan-link.
    config system sdwan
        config zone
            edit "vpn-zone"
            next
            edit "virtual-wan-link"
            next
        end
    end

    config system sdwan
        config members
            edit 1
                set interface "port1"
                set zone "vpn-zone"
            next
        end
    end

  • Replaced diagnose sys virtual-wan-link with diagnose sys sdwan.

  • Upgrading will create individual SD-WAN zones for each SD-WAN member used in policies.

  • In firewall policies (firewall.policy, firewall.policy6, firewall.proxy-policy, and firewall.security-policy), SD-WAN member interface references are changed to the zone name. Only SD-WAN zones can be used as srcintf and dstintf; SD-WAN member interfaces cannot be used directly.
    config firewall policy
        edit 1
            set dstintf virtual-wan-link vpn-zone
            ...
        next
    end
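The upgrade behaviour described above (every SD-WAN member referenced directly in a policy gets its own upg-zone-<interface-name> zone, and the policy's srcintf/dstintf is rewritten to that zone) can be previewed from a configuration backup before upgrading. The following is an added example, not Fortinet code or a FortiOS tool: a simplified Python parser for the pre-6.4.1 CLI format (it handles config/edit/set/next/end only, not unset, append or multi-line values) run over a constructed config excerpt, reporting the zones the upgrade would create and the policy entries whose interfaces change.

```python
import shlex
from collections import defaultdict

# Constructed pre-6.4.1 FortiOS config excerpt (not a real device export).
OLD_CFG = """\
config system virtual-wan-link
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port1" "port2"
    next
end
"""

def parse(cfg):
    """Flatten config/edit nesting into {path tuple: {key: [values]}} from set lines."""
    tree, path = defaultdict(dict), []
    for tok in filter(None, map(shlex.split, cfg.splitlines())):
        if tok[0] in ("config", "edit"):
            path.append(" ".join(tok))
        elif tok[0] in ("next", "end"):
            path.pop()
        elif tok[0] == "set":
            tree[tuple(path)][tok[1]] = tok[2:]
    return tree

def preview_upgrade(cfg):
    """Predict the upg-zone-<interface> zones 6.4.1 creates and the policy rewrites."""
    tree = parse(cfg)
    members = {v["interface"][0] for p, v in tree.items()
               if p[:2] == ("config system virtual-wan-link", "config members")}
    zones, policies = set(), {}
    for p, v in tree.items():
        if p[:1] == ("config firewall policy",):
            for key in ("srcintf", "dstintf"):
                # a member used directly becomes its own zone; other interfaces stay as-is
                new = [f"upg-zone-{i}" if i in members else i for i in v.get(key, [])]
                if new != v.get(key, []):
                    policies[(p[1], key)] = new
                    zones.update(z for z in new if z.startswith("upg-zone-"))
    return {"zones": sorted(zones), "policies": policies}
```

Running preview_upgrade on a real backup before the upgrade lists exactly which zones will appear and which policies to re-check afterwards, so that policy matching is verified against the new zone names rather than the old member interfaces.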