Administration Guide

SD-WAN zones

SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies as source and destination interfaces.

You can define multiple zones to group SD-WAN interfaces together, allowing logical groupings for overlay and underlay interfaces. The zones are used in firewall policies to allow for more granular control. SD-WAN members cannot be used directly in policies.

Static routes use the entire SD-WAN, not just individual zones or members.

Caution

In the CLI:

  • config system sdwan has replaced config system virtual-wan-link.
  • diagnose sys sdwan has replaced diagnose sys virtual-wan-link.
  • When configuring a static route, the sdwan variable has replaced the virtual-wan-link variable.

When the Security Fabric is configured, SD-WAN zones are included in the Security Fabric topology views.

To create an SD-WAN zone in the GUI:
  1. Go to Network > SD-WAN Zones.

    The default SD-WAN zone is virtual-wan-link.

  2. Click Create New > SD-WAN Zone.
  3. Enter a name for the new zone.
  4. If SD-WAN members have already been created, add the required members to the zone.

    Members can also be added to the zone after it has been created by editing the zone, or when creating or editing the member.

  5. Click OK.

To create an SD-WAN interface member in the GUI:
  1. Go to Network > SD-WAN Zones.
  2. Click Create New > SD-WAN Member.
  3. Select an interface.

    The interface can also be left as none and selected later, or click +VPN to create an IPsec VPN for the SD-WAN member.

  4. Select the SD-WAN zone that the member will join. A member can also be moved to a different zone at any time.

  5. Set the Gateway, Cost, and Status as required.
  6. Click OK.

    The interface list at Network > Interfaces shows the SD-WAN zones and their members.

To create a policy using the SD-WAN zone in the GUI:
  1. Go to Policy & Objects > Firewall Policy, Policy & Objects > Proxy Policy, or Policy & Objects > Security Policy.
  2. Click Create New.
  3. Configure the policy settings as needed, selecting an SD-WAN zone or zones for the incoming and/or outgoing interface.

  4. Click OK.

To view SD-WAN zones in a Security Fabric topology:
  1. Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology. The SD-WAN zones and their members are shown.

To configure SD-WAN in the CLI:
  1. Enable SD-WAN and create a zone:
    config system sdwan
        set status enable
        config zone
            edit "vpn-zone"
            next
        end
    end
  2. Configure SD-WAN members and add them to a zone:
    config system sdwan
        config members
            edit 1
                set interface "to_FG_B_root"
                set zone "vpn-zone"
            next
            edit 2
                set interface "GRE_1"
                set zone "vpn-zone"
            next
        end
    end

To create a policy using the SD-WAN zone in the CLI:
config firewall policy
    edit <policy_id>
        set name <policy_name>
        set srcintf internal
        set dstintf vpn-zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set ssl-ssh-profile <profile_name>
        set av-profile <profile_name>
        set webfilter-profile <profile_name>
        set dnsfilter-profile <profile_name>
        set emailfilter-profile <profile_name>
        set ips-sensor <sensor_name>
        set application-list <app_list>
        set voip-profile <profile_name>
        set logtraffic all
        set nat enable
        set status enable
    next
end
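As an added example (not Fortinet's code or part of this guide), the following Python script parses the FortiOS CLI syntax used above and audits a configuration for the rule the guide states: firewall policies must reference SD-WAN zones, never SD-WAN member interfaces directly. It also applies the guide's note that a member with no explicit zone sits in the default zone, virtual-wan-link. The configuration text embedded in the script is constructed for the example; the interface names (internal, wan1, GRE_1, to_FG_B_root) and policy names are assumptions, with the second policy deliberately misconfigured so the check has something to report.

```python
import shlex

# Constructed sample in FortiOS CLI syntax (assumed names; policy 2 is wrong
# on purpose: it names the member "GRE_1" instead of its zone "vpn-zone").
SAMPLE_CONFIG = """\
config system sdwan
    set status enable
    config zone
        edit "vpn-zone"
        next
    end
    config members
        edit 1
            set interface "to_FG_B_root"
            set zone "vpn-zone"
        next
        edit 2
            set interface "GRE_1"
            set zone "vpn-zone"
        next
        edit 3
            set interface "wan1"
        next
    end
end
config firewall policy
    edit 1
        set name "to-vpn-zone"
        set srcintf "internal"
        set dstintf "vpn-zone"
    next
    edit 2
        set name "bad-direct-member"
        set srcintf "internal"
        set dstintf "GRE_1"
    next
end
"""

DEFAULT_ZONE = "virtual-wan-link"  # default SD-WAN zone named in the guide


def parse_fortios(text):
    """Parse 'config / edit / set / next / end' syntax into nested dicts.

    'config <path>' becomes the key 'config <path>', 'edit <name>' becomes a
    key named after the entry, and 'set <key> <values...>' maps the key to
    its list of values (quotes are handled by shlex).
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        keyword = parts[0]
        if keyword == "config":
            block = {}
            stack[-1]["config " + " ".join(parts[1:])] = block
            stack.append(block)
        elif keyword == "edit":
            entry = {}
            stack[-1][parts[1]] = entry
            stack.append(entry)
        elif keyword == "set":
            stack[-1][parts[1]] = parts[2:]
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def sdwan_zones(cfg):
    """Names of SD-WAN zones; the default zone is always present."""
    sdwan = cfg.get("config system sdwan", {})
    return {DEFAULT_ZONE} | set(sdwan.get("config zone", {}))


def sdwan_members(cfg):
    """Map each SD-WAN member interface to the zone it belongs to."""
    sdwan = cfg.get("config system sdwan", {})
    members = {}
    for entry in sdwan.get("config members", {}).values():
        if "interface" in entry:
            members[entry["interface"][0]] = entry.get("zone", [DEFAULT_ZONE])[0]
    return members


def check_policies(cfg):
    """Return (policy_id, field, interface, zone) for every srcintf/dstintf
    that names an SD-WAN member directly; the fix is to use the zone."""
    members = sdwan_members(cfg)
    findings = []
    for policy_id, policy in cfg.get("config firewall policy", {}).items():
        for field in ("srcintf", "dstintf"):
            for intf in policy.get(field, []):
                if intf in members:
                    findings.append((policy_id, field, intf, members[intf]))
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("zones:", sorted(sdwan_zones(cfg)))
    print("members:", sdwan_members(cfg))
    for policy_id, field, intf, zone in check_policies(cfg):
        print(f"policy {policy_id}: {field} names member {intf!r} directly; use zone {zone!r}")
```

Run against a backup exported with the full configuration (rather than the constructed sample) to list every policy that would have to be rewritten when migrating interface-based policies to zone-based ones.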
