SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies, static routes, and SD-WAN rules.
You can define multiple zones to group SD-WAN interfaces together, allowing logical groupings for overlay and underlay interfaces. Zones are used in firewall policies, as source and destination interfaces, to allow for more granular control. SD-WAN members cannot be used directly in policies.
SD-WAN zones and members can both be used in IPv4 and IPv6 static routes to make route configuration more flexible, and in SD-WAN rules to simplify the rule configuration. See Specify an SD-WAN zone in static routes and SD-WAN rules for more information.
The default SD-WAN zones are virtual-wan-link and SASE.
When the Security Fabric is configured, SD-WAN zones are included in the Security Fabric topology views.
To create an SD-WAN zone in the GUI:
- Go to Network > SD-WAN and select the SD-WAN Zones tab.
- Click Create New > SD-WAN Zone.
- Enter a name for the new zone, such as vpn-zone.
- If SD-WAN members have already been created, add the required members to the zone. Members can also be added to the zone after it has been created by editing the zone, or when creating or editing the member.
- Click OK.
To create an SD-WAN member and add it to a zone in the GUI:
- Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
- Select an interface. The interface can also be left as none and selected later, or click +VPN to create an IPsec VPN for the SD-WAN member.
- Select the SD-WAN zone that the member will join. A member can also be moved to a different zone at any time.
- Set the Gateway, Cost, and Status as required.
- Click OK.
The interface list at Network > Interfaces shows the SD-WAN zones and their members.
To use an SD-WAN zone in a policy in the GUI:
- Go to Policy & Objects > Firewall Policy, Policy & Objects > Proxy Policy, or Policy & Objects > Security Policy.
- Click Create New.
- Configure the policy settings as needed, selecting an SD-WAN zone or zones for the incoming and/or outgoing interface.
- Click OK.
To view SD-WAN zones in the Security Fabric topology:
- Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology. The SD-WAN zones and their members are shown.
In the CLI:
- Enable SD-WAN and create a zone:
    config system sdwan
        set status enable
        config zone
            edit "vpn-zone"
            next
        end
    end
- Configure SD-WAN members and add them to a zone:
    config system sdwan
        config members
            edit 1
                set interface "to_ISP2"
                set zone "vpn-zone"
            next
            edit 2
                set interface "vpn-to-dc"
                set zone "vpn-zone"
            next
        end
    end
- Use the zone as the destination interface in a firewall policy:
    config firewall policy
        edit 1
            set name sd-wan-1
            set srcintf internal
            set dstintf vpn-zone
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
            set utm-status enable
            set logtraffic all
            set nat enable
            set status enable
        next
    end
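Because policies must reference SD-WAN zones rather than member interfaces, a configuration review can check for that. The following Python script is an added example, not from the Fortinet documentation: it parses a FortiOS configuration text (the excerpt is constructed, with the same member and zone names as above) and flags any firewall policy whose srcintf or dstintf names an SD-WAN member interface directly instead of the zone the member belongs to.

```python
import shlex

# Constructed FortiOS config excerpt: one zone member and two policies, the second naming the member directly.
SAMPLE_CONFIG = """config system sdwan
    config members
        edit 1
            set interface "to_ISP2"
            set zone "vpn-zone"
        next
    end
end
config firewall policy
    edit 1
        set dstintf "vpn-zone"
    next
    edit 2
        set dstintf "to_ISP2"
    next
end
"""

def parse(text):
    """Minimal FortiOS CLI parser for flat tables: {config path: {edit id: {key: [values]}}}."""
    tables, path, edit = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw)          # honours the double quotes FortiOS puts around names
        if not tok: continue
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            path.pop()
        elif tok[0] == "edit":
            edit = tok[1]
            tables.setdefault(tuple(path), {})[edit] = {}
        elif tok[0] == "set" and edit is not None:   # 'set' outside an edit block is ignored
            tables[tuple(path)][edit][tok[1]] = tok[2:]
        elif tok[0] == "next":
            edit = None
    return tables

def member_interfaces_in_policies(text):
    """Return (policy id, side, interface, zone) for each policy that names an SD-WAN member directly."""
    tables = parse(text)
    members = tables.get(("system sdwan", "members"), {}).values()
    member_zone = {m["interface"][0]: m.get("zone", [""])[0] for m in members if "interface" in m}
    return [(pid, side, intf, member_zone[intf])
            for pid, policy in tables.get(("firewall policy",), {}).items()
            for side in ("srcintf", "dstintf")
            for intf in policy.get(side, [])
            if intf in member_zone]
```

Each finding names the policy, the side of the policy, the member interface and the zone that should be used in its place.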