Fortinet Document Library

New Features 7.0.0

Specify an SD-WAN zone in static routes and SD-WAN rules 7.0.1

SD-WAN zones can be used in IPv4 and IPv6 static routes, and in SD-WAN service rules. This makes route configuration more flexible, and simplifies SD-WAN rule configuration. The sdwan-zone command replaces the sdwan {enable | disable} command.

A new predefined SD-WAN zone called SASE is also available.

To configure an SD-WAN zone in a static route:
config router {static | static6}
    edit 1
        set sdwan-zone <zone> <zone> ...
    next
end
To configure an SD-WAN zone in an SD-WAN rule:
config system sdwan
    config service
        edit 1
            set priority-zone <zone>
        next
    end
end

Examples

In these two examples, three SD-WAN members are created. Two members, port13 and port15, are in the default zone (virtual-wan-link), and the third member, to_FG_B_root, is in the SASE zone.

Example 1

In this example:

  • Two service rules are created. Rule 1 uses the virtual-wan-link zone, and rule 2 uses the SASE zone.

  • Two IPv4 static routes are created. The first route uses the virtual-wan-link zone, and the second route uses the SASE zone.

To configure the SD-WAN:
  1. Assign port13 and port15 to the virtual-wan-link zone and to_FG_B_root to the SASE zone:

    config system sdwan
        set status enable
        config members
            edit 1
                set interface "port13"
                set zone "virtual-wan-link"
                set gateway 10.100.1.1
            next
            edit 2
                set interface "port15"
                set zone "virtual-wan-link"
                set gateway 10.100.1.5
            next
            edit 3
                set interface "to_FG_B_root"
                set zone "SASE"
            next
        end
    end
  2. Create two service rules, one for each SD-WAN zone:

    config system sdwan
        config service
            edit 1
                set dst "10.100.20.0"
                set priority-zone "virtual-wan-link"
            next
            edit 2
                set internet-service enable
                set internet-service-name "Fortinet-FortiGuard"
                set priority-zone "SASE"
            next
        end
    end
  3. Configure static routes for each of the SD-WAN zones:

    config router static
        edit 1
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
        edit 2
            set dst 172.16.109.0 255.255.255.0
            set distance 1
            set sdwan-zone "SASE"
        next
    end
To verify the results:
  1. Check the service rule 1 diagnostics:

    # diagnose sys sdwan service 1
    
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
      Members(2):
        1: Seq_num(1 port13), alive, selected
        2: Seq_num(2 port15), alive, selected
      Dst address(1):
            10.100.20.0-10.100.20.255

    Both members of the virtual-wan-link zone are selected. In manual mode, the interface members are selected based on the member configuration order. In SLA and priority mode, the order depends on the link status. If all of the link statuses pass, then the members are selected based on the member configuration order.

  2. Check the service rule 2 diagnostics:

    # diagnose sys sdwan service 2
    
    Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
      Members(1):
        1: Seq_num(3 to_FG_B_root), alive, selected
      Internet Service(1): Fortinet-FortiGuard(1245324,0,0,0)

    The member of the SASE zone is selected.

  3. Review the routing table:

    # get router info routing-table static
    Routing table for VRF=0
    S*      0.0.0.0/0 [1/0] via 10.100.1.1, port13
                      [1/0] via 10.100.1.5, port15
    S       172.16.109.0/24 [1/0] via 172.16.206.2, to_FG_B_root

    The default gateway has the members from the virtual-wan-link zone, and the route to 172.16.109.0/24 has the single member from the SASE zone.

Example 2

In this example, two IPv6 static routes are created. The first route uses the virtual-wan-link zone, and the second route uses the SASE zone.

To configure the SD-WAN:
  1. Configure port13 and port15 with IPv6 addresses and assign them to the virtual-wan-link zone, and assign to_FG_B_root to the SASE zone:

    config system sdwan
        set status enable
        config members
            edit 1
                set interface "port13"
                set zone "virtual-wan-link"
                set gateway6 2004:10:100:1::1
                set source6 2004:10:100:1::2
            next
            edit 2
                set interface "port15"
                set zone "virtual-wan-link"
                set gateway6 2004:10:100:1::5
                set source6 2004:10:100:1::6
            next
            edit 3
                set interface "to_FG_B_root"
                set zone "SASE"
            next
        end
    end
  2. Configure IPv6 static routes for each of the SD-WAN zones:

    config router static6
        edit 1
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
        edit 2
            set dst 2003:172:16:109::/64
            set distance 1
            set sdwan-zone "SASE"
        next
    end
To verify the results:
  1. Review the routing table:

    # get router info6 routing-table static
    Routing table for VRF=0
    S*      ::/0 [1/0] via 2004:10:100:1::1, port13, 00:20:51, [1024/0]
                 [1/0] via 2004:10:100:1::5, port15, 00:20:51, [1024/0]
    S       2003:172:16:109::/64 [1/0] via ::ac10:ce02, to_FG_B_root, 00:20:51, [1024/0]
    S       2003:172:16:209::/64 [5/0] via ::ac10:ce02, to_FG_B_root, 14:40:14, [1024/0]

    The IPv6 default route includes the members from the virtual-wan-link zone, and the route to 2003:172:16:109::/64 has the single member from the SASE zone.
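As an added example (not Fortinet's code or any device output beyond the samples quoted from this page), a small Python check that parses the SD-WAN member-to-zone assignment and the `get router info routing-table static` / `info6` output from Examples 1 and 2 above, and flags any next-hop interface that is not a member of the zone the static route was configured with via `set sdwan-zone`. The sample strings are copied from Example 1; the `EXPECTED_ZONES` mapping and the function names are assumptions.

```python
import re

# Constructed sample inputs copied from Example 1 on this page; only the 'set'
# lines of 'config members' are kept (edit/next lines omitted for brevity).
MEMBERS_CFG = """\
            set interface "port13"
            set zone "virtual-wan-link"
            set interface "port15"
            set zone "virtual-wan-link"
            set interface "to_FG_B_root"
            set zone "SASE"
"""
ROUTE_TABLE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.100.1.1, port13
                  [1/0] via 10.100.1.5, port15
S       172.16.109.0/24 [1/0] via 172.16.206.2, to_FG_B_root
"""
# Intended zone per prefix, mirroring 'set sdwan-zone' in step 3 (assumed mapping).
EXPECTED_ZONES = {"0.0.0.0/0": "virtual-wan-link", "172.16.109.0/24": "SASE"}

def parse_member_zones(cfg):
    """Map each SD-WAN member interface to its zone from 'config members' text."""
    zones, iface = {}, None
    for line in cfg.splitlines():
        m = re.match(r'\s*set (interface|zone) "([^"]+)"', line)
        if m and m.group(1) == "interface":
            iface = m.group(2)
        elif m and iface:
            zones[iface] = m.group(2)
    return zones

def parse_static_routes(table):
    """Map each prefix to its next-hop interfaces; continuation lines that start
    with '[dist/metric] via ...' belong to the previous prefix (ECMP members)."""
    routes, prefix = {}, None
    for line in table.splitlines():
        m = re.match(r"^S\*?\s+(\S+)\s+\[", line)
        if m:
            prefix = m.group(1)
            routes[prefix] = []
        via = re.search(r"via \S+, (\S+?)(?:,|$)", line)
        if via and prefix:
            routes[prefix].append(via.group(1))
    return routes

def check_route_zones(cfg, table, expected):
    """Return {prefix: [next-hop interfaces outside the intended zone]}.
    An empty list for every prefix means each route only uses its own zone."""
    zones, routes = parse_member_zones(cfg), parse_static_routes(table)
    return {p: [i for i in routes.get(p, []) if zones.get(i) != z]
            for p, z in expected.items()}
```

The same `parse_static_routes` also handles the IPv6 table from Example 2, whose lines carry the extra uptime and `[1024/0]` fields after the interface name.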
