
Specify SD-WAN zones in some policies 7.6.1

Specify SD-WAN zones in some policies 7.6.1

SD-WAN zones can be specified as interfaces in Local In policies, DoS policies, Multicast policies, TTL policies, and central SNAT maps. This simplifies policy management and improves operational efficiency.

config firewall local-in-policy
    edit <id>
        set intf <SD-WAN zone>            
    next
end
config firewall DoS-policy
    edit <id>
        set interface <SD-WAN zone>   
    next
end
config firewall interface-policy
    edit <id>
        set interface <SD-WAN zone>   
    next
end
config firewall multicast-policy
    edit <id>
        set srcintf <SD-WAN zone>        
        set dstintf <SD-WAN zone>        
    next
end
config firewall ttl-policy
    edit <id>
        set srcintf <SD-WAN zone>        
    next
end
config firewall central-snat-map
    edit <id>
        set srcintf <SD-WAN zone>        
        set dstintf <SD-WAN zone>        
    next
end

Example

To use an SD-WAN zone as an interface in some policies:
  1. Configure an SD-WAN zone:

    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
            edit "test"
            next
        end
        config members
            edit 1
                set interface "agg1"
                set zone "test"
                set gateway 172.16.203.2
            next
            edit 2
                set interface "vlan100"
                set zone "test"
                set gateway 172.16.206.2
            next
        end
    end
  2. Use that SD-WAN zone as an interface in policies:

    config firewall local-in-policy
        edit 1
            set intf "test"
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set service "ALL"
            set schedule "always"
        next
    end
    config firewall DoS-policy
        edit 1
            set interface "test"
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set service "ALL"
            config anomaly
                edit "tcp_syn_flood"
                    set threshold 2000
                next
                edit "tcp_port_scan"
                    set threshold 1000
                next
                edit "tcp_src_session"
                    set threshold 5000
                next
                ...
            end          
        next
    end
    config firewall interface-policy
        edit 1
            set interface "test"
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set service "ALL"
        next
    end
    config firewall multicast-policy
        edit 1
            set srcintf "test"
            set dstintf "any"
            set srcaddr "172.16.205.0"
            set dstaddr "all"
        next
    end
    config firewall ttl-policy
        edit 1
            set srcintf "test"
            set srcaddr "172.16.205.0"
            set service "ALL"
            set schedule "always"
            set ttl 5
        next
    end
    config firewall central-snat-map
        edit 1
            set srcintf any
            set dstintf "test"
            set orig-addr "all" 
            set dst-addr "172.16.205.0"
        next
    end

Specify SD-WAN zones in some policies 7.6.1

Specify SD-WAN zones in some policies 7.6.1

SD-WAN zones can be specified as interfaces in Local In policies, DoS policies, Multicast policies, TTL policies, and central SNAT maps. This simplifies policy management and improves operational efficiency.

config firewall local-in-policy
    edit <id>
        set intf <SD-WAN zone>            
    next
end
config firewall DoS-policy
    edit <id>
        set interface <SD-WAN zone>   
    next
end
config firewall interface-policy
    edit <id>
        set interface <SD-WAN zone>   
    next
end
config firewall multicast-policy
    edit <id>
        set srcintf <SD-WAN zone>        
        set dstintf <SD-WAN zone>        
    next
end
config firewall ttl-policy
    edit <id>
        set srcintf <SD-WAN zone>        
    next
end
config firewall central-snat-map
    edit <id>
        set srcintf <SD-WAN zone>        
        set dstintf <SD-WAN zone>        
    next
end

Example

To use an SD-WAN zone as an interface in some policies:
  1. Configure an SD-WAN zone:

    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
            edit "test"
            next
        end
        config members
            edit 1
                set interface "agg1"
                set zone "test"
                set gateway 172.16.203.2
            next
            edit 2
                set interface "vlan100"
                set zone "test"
                set gateway 172.16.206.2
            next
        end
    end
  2. Use that SD-WAN zone as an interface in policies:

    config firewall local-in-policy
        edit 1
            set intf "test"
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set service "ALL"
            set schedule "always"
        next
    end
    config firewall DoS-policy
        edit 1
            set interface "test"
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set service "ALL"
            config anomaly
                edit "tcp_syn_flood"
                    set threshold 2000
                next
                edit "tcp_port_scan"
                    set threshold 1000
                next
                edit "tcp_src_session"
                    set threshold 5000
                next
                ...
            end          
        next
    end
    config firewall interface-policy
        edit 1
            set interface "test"
            set srcaddr "172.16.205.0"
            set dstaddr "all"
            set service "ALL"
        next
    end
    config firewall multicast-policy
        edit 1
            set srcintf "test"
            set dstintf "any"
            set srcaddr "172.16.205.0"
            set dstaddr "all"
        next
    end
    config firewall ttl-policy
        edit 1
            set srcintf "test"
            set srcaddr "172.16.205.0"
            set service "ALL"
            set schedule "always"
            set ttl 5
        next
    end
    config firewall central-snat-map
        edit 1
            set srcintf any
            set dstintf "test"
            set orig-addr "all" 
            set dst-addr "172.16.205.0"
        next
    end