Specify an SD-WAN zone in static routes and SD-WAN rules
SD-WAN zones can be used in IPv4 and IPv6 static routes, and in SD-WAN service rules. This makes route configuration more flexible, and simplifies SD-WAN rule configuration.
To configure an SD-WAN zone in a static route in the GUI:
- Go to Network > Static Routes.
- Edit an existing static route, or click Create New to create a new route.
- Set Interface to one or more SD-WAN zones.
- Configure the remaining settings as required.
- Click OK.
To configure an SD-WAN zone in a static route in the CLI:
    config router {static | static6}
        edit 1
            set sdwan-zone <zone> <zone> ...
        next
    end
To configure an SD-WAN zone in an SD-WAN rule in the GUI:
- Go to Network > SD-WAN and select the SD-WAN Rules tab.
- Edit an existing rule, or click Create New to create a new rule.
- In the Zone preference field, add one or more SD-WAN zones.
- Configure the remaining settings as needed.
- Click OK.
To configure an SD-WAN zone in an SD-WAN rule in the CLI:
    config system sdwan
        config service
            edit 1
                set priority-zone <zone>
            next
        end
    end
Examples
In these two examples, three SD-WAN members are created. Two members, port13 and port15, are in the default zone (virtual-wan-link), and the third member, to_FG_B_root, is in the SASE zone.
Example 1
In this example:
- Two service rules are created. Rule 1 uses the virtual-wan-link zone, and rule 2 uses the SASE zone.
- Two IPv4 static routes are created. The first route uses the virtual-wan-link zone, and the second route uses the SASE zone.
To configure the SD-WAN:
- Assign port13 and port15 to the virtual-wan-link zone and to_FG_B_root to the SASE zone:

    config system sdwan
        set status enable
        config members
            edit 1
                set interface "port13"
                set zone "virtual-wan-link"
                set gateway 10.100.1.1
            next
            edit 2
                set interface "port15"
                set zone "virtual-wan-link"
                set gateway 10.100.1.5
            next
            edit 3
                set interface "to_FG_B_root"
                set zone "SASE"
            next
        end
    end

- Create two service rules, one for each SD-WAN zone:

    config system sdwan
        config service
            edit 1
                set dst "10.100.20.0"
                set priority-zone "virtual-wan-link"
            next
            edit 2
                set internet-service enable
                set internet-service-name "Fortinet-FortiGuard"
                set priority-zone "SASE"
            next
        end
    end

- Configure static routes for each of the SD-WAN zones:

    config router static
        edit 1
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
        edit 2
            set dst 172.16.109.0 255.255.255.0
            set distance 1
            set sdwan-zone "SASE"
        next
    end
To verify the results:
- Check the service rule 1 diagnostics:

    # diagnose sys sdwan service4 1
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
      Members(2):
        1: Seq_num(1 port13), alive, selected
        2: Seq_num(2 port15), alive, selected
      Dst address(1):
            10.100.20.0-10.100.20.255

  Both members of the virtual-wan-link zone are selected. In manual mode, the members are selected in their configuration order. In SLA and priority mode, the order depends on the link status; if all of the links pass, the members are again selected in their configuration order.

- Check the service rule 2 diagnostics:

    # diagnose sys sdwan service4 2
    Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
      Members(1):
        1: Seq_num(3 to_FG_B_root), alive, selected
      Internet Service(1): Fortinet-FortiGuard(1245324,0,0,0)

  The single member of the SASE zone is selected.

- Review the routing table:

    # get router info routing-table static
    Routing table for VRF=0
    S*      0.0.0.0/0 [1/0] via 10.100.1.1, port13
                      [1/0] via 10.100.1.5, port15
    S       172.16.109.0/24 [1/0] via 172.16.206.2, to_FG_B_root
  The default route has both members from the virtual-wan-link zone as equal-cost next hops, and the route to 172.16.109.0/24 has the single member from the SASE zone.
Example 2
In this example, two IPv6 static routes are created. The first route uses the virtual-wan-link zone, and the second route uses the SASE zone.
To configure the SD-WAN:
- Configure port13 and port15 with IPv6 addresses and assign them to the virtual-wan-link zone, and assign to_FG_B_root to the SASE zone:

    config system sdwan
        set status enable
        config members
            edit 1
                set interface "port13"
                set zone "virtual-wan-link"
                set gateway6 2004:10:100:1::1
                set source6 2004:10:100:1::2
            next
            edit 2
                set interface "port15"
                set zone "virtual-wan-link"
                set gateway6 2004:10:100:1::5
                set source6 2004:10:100:1::6
            next
            edit 3
                set interface "to_FG_B_root"
                set zone "SASE"
            next
        end
    end

- Configure IPv6 static routes for each of the SD-WAN zones:

    config router static6
        edit 1
            set distance 1
            set sdwan-zone "virtual-wan-link"
        next
        edit 2
            set dst 2003:172:16:109::/64
            set distance 1
            set sdwan-zone "SASE"
        next
    end
To verify the results:
- Review the routing table:

    # get router info6 routing-table static
    Routing table for VRF=0
    S*      ::/0 [1/0] via 2004:10:100:1::1, port13, 00:20:51, [1024/0]
                 [1/0] via 2004:10:100:1::5, port15, 00:20:51, [1024/0]
    S       2003:172:16:109::/64 [1/0] via ::ac10:ce02, to_FG_B_root, 00:20:51, [1024/0]
    S       2003:172:16:209::/64 [5/0] via ::ac10:ce02, to_FG_B_root, 14:40:14, [1024/0]
  The IPv6 default route includes both members from the virtual-wan-link zone, and the route to 2003:172:16:109::/64 has the single member from the SASE zone. The 2003:172:16:209::/64 entry, with distance 5 and a much older uptime, is a pre-existing route and is not created in this example.
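The manual checks in Example 1 and Example 2 are easy to script. The following is an added example, not FortiGate code and not from this page: it parses the text of `diagnose sys sdwan service4 <id>` and `get router info[6] routing-table static` and confirms that each rule and route uses exactly the members of its configured zone. An exact match matters in both directions: a missing member means lost capacity, while an extra member means traffic for the SASE zone could leave over an underlay link instead of the overlay. The sample outputs are constructed from the page's two examples; the `SERVICE4_DEGRADED` sample and the `ZONE_MEMBERS` table are assumptions added to show a failing check.

```python
"""Check that SD-WAN zone-based rules and static routes resolved to exactly the
members of their configured zone.

Added example, not FortiGate code. Parses `diagnose sys sdwan service4 <id>`
and `get router info[6] routing-table static` text; the samples are built
from the page's examples, SERVICE4_DEGRADED is invented to show a failure.
"""
import re

# Zone membership as configured in the examples (assumption: mirrors
# `config system sdwan` > `config members`).
ZONE_MEMBERS = {
    "virtual-wan-link": {"port13", "port15"},
    "SASE": {"to_FG_B_root"},
}

# Constructed from the page's diagnostics output.
SERVICE4_1 = """\
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(1 port13), alive, selected
    2: Seq_num(2 port15), alive, selected
  Dst address(1):
        10.100.20.0-10.100.20.255
"""
SERVICE4_2 = """\
Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(1):
    1: Seq_num(3 to_FG_B_root), alive, selected
  Internet Service(1): Fortinet-FortiGuard(1245324,0,0,0)
"""
# Invented: port15 is down and not selected, so rule 1 no longer covers its zone.
SERVICE4_DEGRADED = """\
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Members(2):
    1: Seq_num(1 port13), alive, selected
    2: Seq_num(2 port15), dead
"""
ROUTES_V4 = """\
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.100.1.1, port13
                  [1/0] via 10.100.1.5, port15
S       172.16.109.0/24 [1/0] via 172.16.206.2, to_FG_B_root
"""
ROUTES_V6 = """\
Routing table for VRF=0
S*      ::/0 [1/0] via 2004:10:100:1::1, port13, 00:20:51, [1024/0]
             [1/0] via 2004:10:100:1::5, port15, 00:20:51, [1024/0]
S       2003:172:16:109::/64 [1/0] via ::ac10:ce02, to_FG_B_root, 00:20:51, [1024/0]
S       2003:172:16:209::/64 [5/0] via ::ac10:ce02, to_FG_B_root, 14:40:14, [1024/0]
"""

MEMBER_RE = re.compile(r"Seq_num\(\d+\s+(\S+)\)((?:,\s*[\w-]+)*)")  # name + flags
ROUTE_RE = re.compile(r"^\s*S\*?\s+(\S+)\s+\[")                      # static route line
VIA_RE = re.compile(r"via\s+(\S+),\s+([^\s,]+)")                     # next hop, interface


def service_members(text):
    """Map member interface -> set of flags, e.g. {'alive', 'selected'}."""
    return {name: {f.strip() for f in flags.split(",") if f.strip()}
            for name, flags in MEMBER_RE.findall(text)}


def selected_members(text):
    """Members the rule will actually steer traffic to."""
    return {m for m, flags in service_members(text).items() if "selected" in flags}


def static_routes(text):
    """Map prefix -> set of outgoing interfaces; ECMP next hops span several lines."""
    routes, current = {}, None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = m.group(1)
            routes.setdefault(current, set())
        if current is not None:
            for _nexthop, iface in VIA_RE.findall(line):
                routes[current].add(iface)
    return routes


def rule_matches_zone(text, zone):
    """True only if the selected members are exactly the zone's members."""
    return selected_members(text) == ZONE_MEMBERS[zone]


def route_matches_zone(routes, prefix, zone):
    """True only if the route's interfaces are exactly the zone's members."""
    return routes.get(prefix, set()) == ZONE_MEMBERS[zone]


def verify_examples():
    """Run the checks from the page's two examples; returns check name -> bool."""
    v4, v6 = static_routes(ROUTES_V4), static_routes(ROUTES_V6)
    return {
        "rule1 virtual-wan-link": rule_matches_zone(SERVICE4_1, "virtual-wan-link"),
        "rule2 SASE": rule_matches_zone(SERVICE4_2, "SASE"),
        "v4 default": route_matches_zone(v4, "0.0.0.0/0", "virtual-wan-link"),
        "v4 SASE": route_matches_zone(v4, "172.16.109.0/24", "SASE"),
        "v6 default": route_matches_zone(v6, "::/0", "virtual-wan-link"),
        "v6 SASE": route_matches_zone(v6, "2003:172:16:109::/64", "SASE"),
    }


if __name__ == "__main__":
    for name, ok in verify_examples().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print("degraded rule 1 passes?", rule_matches_zone(SERVICE4_DEGRADED, "virtual-wan-link"))
```

In practice, capture the command output over SSH (or from the FortiGate REST monitor API) and pass it to `selected_members()` and `static_routes()` in place of the constructed samples; the exact-set comparison is what turns the page's visual check into a pass/fail test suitable for a change-validation pipeline.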