Administration Guide

SD-WAN zones

SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies, static routes, and SD-WAN rules.

You can define multiple zones to group SD-WAN interfaces together, allowing logical groupings for overlay and underlay interfaces. Zones are used in firewall policies, as source and destination interfaces, to allow for more granular control. SD-WAN members cannot be used directly in policies.

SD-WAN zones and members can both be used in IPv4 and IPv6 static routes to make route configuration more flexible, and in SD-WAN rules to simplify the rule configuration. See Specify an SD-WAN zone in static routes and SD-WAN rules for more information.

Caution

In the CLI:

  • config system sdwan has replaced config system virtual-wan-link.
  • diagnose sys sdwan has replaced diagnose sys virtual-wan-link.
  • When configuring a static route, the sdwan-zone variable has replaced the sdwan variable.

When the Security Fabric is configured, SD-WAN zones are included in the Security Fabric topology views.

To create an SD-WAN zone in the GUI:
  1. Go to Network > SD-WAN and select the SD-WAN Zones tab.

    The default SD-WAN zones are virtual-wan-link and SASE.

  2. Click Create New > SD-WAN Zone.
  3. Enter a name for the new zone, such as vpn-zone.
  4. If SD-WAN members have already been created, add the required members to the zone.

    Members can also be added to the zone after it has been created by editing the zone, or when creating or editing the member.

  5. Click OK.

To create an SD-WAN interface member in the GUI:
  1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
  2. Select an interface.

    The interface can also be left as none and selected later. Alternatively, click +VPN to create an IPsec VPN for the SD-WAN member.

  3. Select the SD-WAN zone that the member will join. A member can also be moved to a different zone at any time.

  4. Set the Gateway, Cost, and Status as required.
  5. Click OK.

    The interface list at Network > Interfaces shows the SD-WAN zones and their members.

To create a policy using the SD-WAN zone in the GUI:
  1. Go to Policy & Objects > Firewall Policy, Policy & Objects > Proxy Policy, or Policy & Objects > Security Policy.
  2. Click Create New.
  3. Configure the policy settings as needed, selecting an SD-WAN zone or zones for the incoming and/or outgoing interface.

  4. Click OK.

To view SD-WAN zones in a Security Fabric topology:
  1. Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology. The SD-WAN zones and their members are shown.

To configure SD-WAN in the CLI:
  1. Enable SD-WAN and create a zone:
    config system sdwan
        set status enable
        config zone
            edit "vpn-zone"
            next
        end
    end
  2. Configure SD-WAN members and add them to a zone:
    config system sdwan
        config members
            edit 1
                set interface "to_ISP2"
                set zone "vpn-zone"
            next
            edit 2
                set interface "vpn-to-dc"
                set zone "vpn-zone"
            next
        end
    end

To create a policy using the SD-WAN zone in the CLI:
config firewall policy
    edit 1
        set name sd-wan-1
        set srcintf internal
        set dstintf vpn-zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set logtraffic all
        set nat enable
        set status enable
    next
end
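As an added configuration check that is not part of the Fortinet guide: the script below parses a constructed config in the FortiOS CLI format shown above and flags firewall policies whose srcintf or dstintf names an SD-WAN member interface instead of its zone, which the guide states is not permitted. The regex parser, the sample config and the function names are assumptions of this example, not a Fortinet tool.

```python
import re
# Constructed sample in the FortiOS CLI format shown on this page: two members
# in vpn-zone; policy 1 uses the zone, policy 2 names a member directly.
SAMPLE_CONFIG = """\
config system sdwan
    config members
        edit 1
            set interface "to_ISP2"
            set zone "vpn-zone"
        next
        edit 2
            set interface "vpn-to-dc"
            set zone "vpn-zone"
        next
    end
end
config firewall policy
    edit 1
        set dstintf vpn-zone
    next
    edit 2
        set dstintf to_ISP2
    next
end
"""

EDIT_RE = re.compile(r"edit (\S+)\n(.*?)\n\s*next", re.S)
def setting(body, key):
    """Value of 'set <key> ...' in an edit body, with quotes stripped."""
    m = re.search(r"set %s (.+)" % key, body)
    return m.group(1).replace('"', "").strip() if m else ""

def sdwan_members(cfg):
    """Map each SD-WAN member interface name to the zone it belongs to."""
    m = re.search(r"config members\n(.*?)\n\s*end", cfg, re.S)
    return {setting(b, "interface"): setting(b, "zone")
            for _, b in EDIT_RE.findall(m.group(1) if m else "")}

def check_policies(cfg):
    """Return (policy_id, field, member, zone) for each policy interface
    that names an SD-WAN member instead of its zone (not allowed per guide)."""
    members = sdwan_members(cfg)
    m = re.search(r"^config firewall policy\n(.*?)^end", cfg, re.S | re.M)
    findings = []
    for pid, body in EDIT_RE.findall(m.group(1) if m else ""):
        for field in ("srcintf", "dstintf"):
            for intf in setting(body, field).split():
                if intf in members:
                    findings.append((pid, field, intf, members[intf]))
    return findings
```

Running check_policies against a full `show firewall policy` export works the same way, since the parser only relies on the edit/next and set lines shown above.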
