Use MAC addresses in SD-WAN rules and policy routes

You can use MAC addresses as the source in SD-WAN rules and policy routes. A MAC address is only visible on the directly connected layer 2 segment (it is rewritten at every routed hop) and is trivially set by the host, so treat MAC-based matching as a traffic-steering convenience, not as an access control.

The FABRIC_DEVICE address object (a built-in dynamic object that resolves to the IP addresses of Security Fabric devices) can be used as a source or destination in SD-WAN rules and policy routes.

The diagnose ip proute match command accepts either an IP address or a MAC address for the source argument:

diagnose ip proute match <destination> <source> <interface> <protocol> <port>

To configure a MAC address as a source for SD-WAN and a policy route:
  1. Configure the MAC address object (an address of type mac):
    config firewall address
        edit "mac-add"
            set type mac
            set macaddr 70:4c:a5:86:de:56
        next
    end
  2. Configure the policy route that uses the object as its source:
    config router policy
        edit 3
            set srcaddr "mac-add"
            set gateway
            set output-device ha
        next
    end
  3. Configure the SD-WAN rules. Rule 1 matches the MAC address object as the source; rule 2 matches FABRIC_DEVICE as the destination:
    config system sdwan
        config service
            edit 1
                set dst "all"
                set src "mac-add"
                set priority-members 1
            next
            edit 2
                set dst "FABRIC_DEVICE"
                set priority-members 2
            next
        end
    end
To verify that traffic from the MAC address matches the policy route:
# diagnose ip proute match 70:4c:a5:86:de:56 port3 22 6
dst= src= smac=70:4c:a5:86:de:56 iif=11 protocol=22 dport=6
id=00000003 type=Policy Route
The id=00000003 in the output is the policy route entry configured in step 2. The arguments are positional (see the syntax above), so in this invocation 22 was taken as the protocol number and 6 as the destination port; to test SSH over TCP, pass 6 followed by 22.
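The following is an added example, not code from Fortinet or this page: a small Python helper that normalizes MAC addresses into the form set macaddr expects, renders the three CLI blocks from the steps above, and parses the diagnose ip proute match output so an automation job can assert that the expected policy route was hit. The helper names, the sample MAC list, and the assumption that the id field is a zero-padded decimal are mine; the sample output string is copied from the verification step on this page.

```python
"""Render FortiOS CLI for MAC-based sources and check 'diagnose ip proute match' output.

Added example; not Fortinet's code. Function names and the sample inputs are assumptions.
"""
import re
from typing import Optional

_NON_HEX = re.compile(r"[^0-9a-fA-F]")


def normalize_mac(mac: str) -> str:
    """Return a MAC as lowercase colon-separated octets (the form 'set macaddr' uses).
    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabb.ccdd.eeff; rejects anything else."""
    digits = _NON_HEX.sub("", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_address_objects(objects: dict) -> str:
    """Render 'config firewall address' entries of type mac from {name: mac}."""
    lines = ["config firewall address"]
    for name, mac in objects.items():
        lines += [f'    edit "{name}"', "        set type mac",
                  f"        set macaddr {normalize_mac(mac)}", "    next"]
    lines.append("end")
    return "\n".join(lines)


def policy_route(seq: int, srcaddr: str, output_device: str, gateway: Optional[str] = None) -> str:
    """Render a 'config router policy' entry whose source is an address object."""
    lines = ["config router policy", f"    edit {seq}", f'        set srcaddr "{srcaddr}"']
    if gateway:
        lines.append(f"        set gateway {gateway}")
    lines += [f"        set output-device {output_device}", "    next", "end"]
    return "\n".join(lines)


def sdwan_rules(rules: list) -> str:
    """Render 'config system sdwan / config service' entries.
    Each rule is (seq, src_or_None, dst, priority_member); src is omitted when None."""
    lines = ["config system sdwan", "    config service"]
    for seq, src, dst, member in rules:
        lines += [f"        edit {seq}", f'            set dst "{dst}"']
        if src:
            lines.append(f'            set src "{src}"')
        lines += [f"            set priority-members {member}", "        next"]
    lines += ["    end", "end"]
    return "\n".join(lines)


def parse_proute_match(output: str) -> dict:
    """Parse key=value tokens from 'diagnose ip proute match' output.
    Values may be empty (dst= src=) or contain spaces (type=Policy Route)."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", output, re.S)}


def verify_policy_route_match(output: str, expected_id: int, expected_mac: str) -> bool:
    """True when the output reports a policy-route hit with the expected id and source MAC.
    Assumes the id field is decimal with leading zeros (e.g. 00000003)."""
    fields = parse_proute_match(output)
    smac = fields.get("smac", "")
    if fields.get("type") != "Policy Route" or not smac or not fields.get("id", "").isdigit():
        return False
    try:
        return int(fields["id"]) == expected_id and normalize_mac(smac) == normalize_mac(expected_mac)
    except ValueError:  # malformed smac in the output
        return False


# Constructed sample: the verification output shown on this page.
SAMPLE_OUTPUT = ("dst= src= smac=70:4c:a5:86:de:56 iif=11 protocol=22 dport=6\n"
                 "id=00000003 type=Policy Route")

if __name__ == "__main__":
    print(mac_address_objects({"mac-add": "70-4C-A5-86-DE-56"}))
    print(policy_route(3, "mac-add", "ha"))
    print(sdwan_rules([(1, "mac-add", "all", 1), (2, None, "FABRIC_DEVICE", 2)]))
    print(verify_policy_route_match(SAMPLE_OUTPUT, 3, "70:4c:a5:86:de:56"))
```

The renderer emits next and end closers so the text can be pasted into the CLI as one transaction; the parser is deliberately tolerant of empty dst= and src= fields, which is exactly what the output looks like when the match was made on the source MAC rather than on an IP address.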