SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies as source and destination interfaces.
You can define multiple zones to group SD-WAN interfaces together, allowing logical groupings for overlay and underlay interfaces. The zones are used in firewall policies to allow for more granular control. SD-WAN members cannot be used directly in policies.
Static routes use the entire SD-WAN, not just individual zones or members.
The default SD-WAN zone is virtual-wan-link.

When the Security Fabric is configured, SD-WAN zones are included in the Security Fabric topology views.

To create an SD-WAN zone in the GUI:

- Go to Network > SD-WAN and select the SD-WAN Zones tab.
- Click Create New > SD-WAN Zone.
- Enter a name for the new zone.
- If SD-WAN members have already been created, add the required members to the zone. Members can also be added to the zone after it has been created by editing the zone, or when creating or editing the member.
- Click OK.

To create an SD-WAN member and assign it to a zone in the GUI:

- Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
- Select an interface. The interface can also be left as none and selected later, or click +VPN to create an IPsec VPN for the SD-WAN member.
- Select the SD-WAN zone that the member will join. A member can also be moved to a different zone at any time.
- Set the Gateway, Cost, and Status as required.
- Click OK.

The interface list at Network > Interfaces shows the SD-WAN zones and their members.

To use SD-WAN zones in a policy in the GUI:

- Go to Policy & Objects > Firewall Policy, Policy & Objects > Proxy Policy, or Policy & Objects > Security Policy.
- Click Create New.
- Configure the policy settings as needed, selecting an SD-WAN zone or zones for the incoming and/or outgoing interface.
- Click OK.

To view SD-WAN zones in the Security Fabric topology:

- Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology. The SD-WAN zones and their members are shown.

In the CLI:

- Enable SD-WAN and create a zone:

    config system sdwan
        set status enable
        config zone
            edit "vpn-zone"
            next
        end
    end

- Configure SD-WAN members and add them to a zone:

    config system sdwan
        config members
            edit 1
                set interface "to_FG_B_root"
                set zone "vpn-zone"
            next
            edit 2
                set interface "GRE_1"
                set zone "vpn-zone"
            next
        end
    end

- Create a firewall policy that uses the zone as the destination interface:

    config firewall policy
        edit <policy_id>
            set name <policy_name>
            set srcintf internal
            set dstintf vpn-zone
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
            set utm-status enable
            set ssl-ssh-profile <profile_name>
            set av-profile <profile_name>
            set webfilter-profile <profile_name>
            set dnsfilter-profile <profile_name>
            set emailfilter-profile <profile_name>
            set ips-sensor <sensor_name>
            set application-list <app_list>
            set voip-profile <profile_name>
            set logtraffic all
            set nat enable
            set status enable
        next
    end
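The two rules stated above (every member belongs to a zone, and policies reference zones rather than members) are easy to break when configs are edited as text before being pushed. The following is an added example, not Fortinet code: a small Python lint that parses the config/edit/set/next/end nesting of a FortiOS CLI export and reports violations of those rules. The sample config is constructed from the snippets on this page plus two deliberate mistakes (a member in an undefined `dmz-zone` on a hypothetical `port3`, and a policy whose dstintf is the member interface `GRE_1`); the policy names are likewise made up. The default zone name `virtual-wan-link` is taken from the page.

```python
"""Offline lint for FortiOS SD-WAN zone usage (added example, not Fortinet code)."""
import shlex
from typing import Dict, List

# Constructed sample: the page's vpn-zone config plus two deliberate mistakes
# (member 3 names a zone that was never created; policy 2 uses a member
# interface directly instead of its zone). port3 and dmz-zone are made up.
SAMPLE_CONFIG = """
config system sdwan
    set status enable
    config zone
        edit "vpn-zone"
        next
    end
    config members
        edit 1
            set interface "to_FG_B_root"
            set zone "vpn-zone"
        next
        edit 2
            set interface "GRE_1"
            set zone "vpn-zone"
        next
        edit 3
            set interface "port3"
            set zone "dmz-zone"
        next
    end
end
config firewall policy
    edit 1
        set name "lan-to-vpn"
        set srcintf "internal"
        set dstintf "vpn-zone"
        set action accept
    next
    edit 2
        set name "lan-to-gre-direct"
        set srcintf "internal"
        set dstintf "GRE_1"
        set action accept
    next
end
"""


def parse_fortios(text: str) -> Dict:
    """Nested dicts from FortiOS CLI text: 'config' and 'edit' open a scope,
    'set' stores a list of values, 'next' and 'end' close the current scope."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles the quoted names FortiOS emits
        keyword = tokens[0]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword == "unset":
            stack[-1].pop(tokens[1], None)
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
        # other keywords (append, move, ...) are not needed for this check
    return root


def lint_sdwan_zones(cfg: Dict) -> List[str]:
    """Return findings as strings; an empty list means the zone rules hold."""
    findings: List[str] = []
    sdwan = cfg.get("system sdwan", {})
    if sdwan.get("status") != ["enable"]:
        findings.append("system sdwan: status is not enabled, zones and members are inactive")
    zones = set(sdwan.get("zone", {})) | {"virtual-wan-link"}  # built-in default zone
    member_zone: Dict[str, str] = {}  # member interface -> zone it belongs to
    for member_id, member in sdwan.get("members", {}).items():
        interface = member.get("interface", [""])[0]
        zone = member.get("zone", ["virtual-wan-link"])[0]
        member_zone[interface] = zone
        if zone not in zones:
            findings.append(f"member {member_id} ({interface}): zone '{zone}' is not defined")
    for policy_id, policy in cfg.get("firewall policy", {}).items():
        for field in ("srcintf", "dstintf"):
            for interface in policy.get(field, []):
                if interface in member_zone:  # members cannot be used directly in policies
                    findings.append(f"policy {policy_id}: {field} '{interface}' is an SD-WAN "
                                    f"member; use its zone '{member_zone[interface]}' instead")
    return findings


def check_config_text(text: str) -> List[str]:
    return lint_sdwan_zones(parse_fortios(text))


if __name__ == "__main__":
    for finding in check_config_text(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports two findings: member 3 and policy 2. Pointing it at a full `show` export works the same way, since the parser ignores tables it does not know about and only inspects `system sdwan` and `firewall policy`.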