Administration Guide

SD-WAN members and zones

SD-WAN bundles interfaces together into zones. Interfaces are first configured as SD-WAN members. This does not change the interface; it only allows SD-WAN to reference the interface as a member. SD-WAN member interfaces can be any interface supported by FortiGates, such as physical ports, VLAN interfaces, LAGs, IPsec tunnels, GRE tunnels, IPIP tunnels, and FortiExtender interfaces. Once SD-WAN members are configured, they can be assigned to a zone. Zones are used in policies as source and destination interfaces, in static routes, and in SD-WAN rules.

Multiple zones can be used to group SD-WAN interfaces for logical scenarios, such as overlay and underlay interfaces. Using multiple zones in policies allows for more granular control over functions like resource access and UTM access. Individual SD-WAN member interfaces cannot be used directly in policies, but they can be moved between SD-WAN zones at any time. If a member interface requires a special SD-WAN consideration, it can be put into an SD-WAN zone by itself.

SD-WAN zones and members can be used in IPv4 and IPv6 static routes to make route configurations more flexible. SD-WAN zones and members can be used in SD-WAN rules to simplify the rule configuration. See Specify an SD-WAN zone in static routes and SD-WAN rules for more information.

When the Security Fabric is configured, SD-WAN zones are included in the Security Fabric topology views.

Topology

This topology is used in the following procedures:

Configuring SD-WAN member interfaces

When configuring SD-WAN zones and members, it does not matter in which order they are defined. In this example, the members are defined first and are placed temporarily in the default zone called virtual-wan-link. A zone must be specified when creating a member, and the Overlay and Underlay zones will be created in the next procedure. It is standard practice to create SD-WAN members for each underlay and overlay interface, as most SD-WAN implementations apply SD-WAN intelligence to both underlay and overlay networks.

The following options can be configured for SD-WAN members. Each entry gives the GUI option, the CLI option in parentheses, and the description:

  Interface (interface)
    Select the interface to use as an SD-WAN member. Optionally, select None in the GUI to not use an interface yet.

  SD-WAN Zone (zone)
    Select the destination zone if it exists at the time of member creation. Otherwise, the default virtual-wan-link zone is applied. A new zone can be created within the GUI dropdown field.

  Gateway/IPv6 Gateway (gateway/gateway6)
    Enter the default gateway for the interface. For interfaces that already have a default gateway, such as those configured using DHCP, this field is pre-populated in the GUI.

  Cost (cost)
    Enter the cost of the interface for services in SLA mode (0 - 4294967295, default = 0). A lower cost has a higher preference.

  Priority (priority)
    Enter the priority of the interface for IPv4 (1 - 65535, default = 1). The priority is used in the static route created for the SD-WAN member interface and in SD-WAN rules (including the implicit rule). When priority is used to determine the best route, the lower value takes precedence.

  Status (status)
    Enable or disable the interface in SD-WAN.

  n/a (source/source6)
    Set the source IP address used in the health check packet to the server.

To configure the SD-WAN members and add them to the default zone in the GUI:
  1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.

  2. Set the Interface to WAN1.

  3. Leave the SD-WAN Zone as virtual-wan-link.

  4. Click OK.

  5. Repeat these steps to create SD-WAN members for the WAN2, VPN1, and VPN2 interfaces.

To configure the SD-WAN members and add them to the default zone in the CLI:
config system sdwan
    config members
        edit 1
            set interface "WAN1"
            set zone "virtual-wan-link"
        next
        edit 2
            set interface "WAN2"
            set zone "virtual-wan-link"
        next
        edit 3
            set interface "VPN1"
            set zone "virtual-wan-link"
        next
        edit 4
            set interface "VPN2"
            set zone "virtual-wan-link"
        next
    end
end

Configuring SD-WAN zones

While SD-WAN zones are primarily used to logically group interfaces that are often used for the same purpose (such as WAN1 and WAN2), sometimes an SD-WAN zone can have a single member. This is due to the constraint that SD-WAN members may not be referenced directly in policies; however, SD-WAN members can be referenced directly in SD-WAN rules.

In this example, two zones named Overlay and Underlay are configured, and the member interfaces are added to their respective zones.

To configure the SD-WAN zones in the GUI:
  1. Go to Network > SD-WAN and select the SD-WAN Zones tab.

  2. Click Create New > SD-WAN Zone.

  3. Enter the Name, Underlay.

  4. Set the Interface members to WAN1 and WAN2.

  5. Click OK.

  6. Repeat these steps to configure the Overlay zone with members VPN1 and VPN2.

To configure the SD-WAN zones in the CLI:
  1. Configure the SD-WAN zones:

    config system sdwan
        config zone
            edit "Overlay"
            next
            edit "Underlay"
            next
        end
    end
    
  2. Add the member interfaces to their respective zones:

    config system sdwan
        config members
            edit 1
                set interface "WAN1"
                set zone "Underlay"
            next
            edit 2
                set interface "WAN2"
                set zone "Underlay"
            next
            edit 3
                set interface "VPN1"
                set zone "Overlay"
            next
            edit 4
                set interface "VPN2"
                set zone "Overlay"
            next
        end
    end
    
Note

In the config zone settings, the service-sla-tie-break parameter selects the tie-break method used when multiple interfaces in a zone are eligible for traffic. It has three options:

  • cfg-order: members that meet the SLA are selected in the order they are configured (default).

  • fib-best-match: among the members that meet the SLA, the one whose route has the longest matching prefix in the routing table is selected.

  • input-device: among the members that meet the SLA, the one matching the input device is selected.

See Overlay stickiness for more information.
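The following CLI fragment is an added example, not configuration from this guide. It combines the member options listed in the table above (gateway, source, cost, priority, status) with the zone tie-break parameter described in the note, using the same member and zone names as the procedures. The IPv4 addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the VPN members are left with their default gateway and source settings, which is an assumption about the tunnel configuration rather than a requirement of the guide.

```text
config system sdwan
    set status enable
    config zone
        edit "Underlay"
            # Two underlay members can both meet an SLA; break the tie by
            # the longest matching prefix in the routing table.
            set service-sla-tie-break fib-best-match
        next
        edit "Overlay"
            # Default behaviour: first configured member that meets the SLA wins.
            set service-sla-tie-break cfg-order
        next
    end
    config members
        edit 1
            set interface "WAN1"
            set zone "Underlay"
            # Constructed ISP gateway and WAN1 address; the source address is
            # what health-check probes to the SLA server are sent from.
            set gateway 203.0.113.1
            set source 203.0.113.10
            # Lower cost is preferred by SD-WAN rules in SLA mode.
            set cost 10
            # Lower priority is preferred by the implicit rule and the SD-WAN static route.
            set priority 1
            set status enable
        next
        edit 2
            set interface "WAN2"
            set zone "Underlay"
            set gateway 198.51.100.1
            set source 198.51.100.10
            # Backup circuit: higher cost and priority than WAN1 on both axes.
            set cost 20
            set priority 2
            set status enable
        next
        edit 3
            set interface "VPN1"
            set zone "Overlay"
            set status enable
        next
        edit 4
            set interface "VPN2"
            set zone "Overlay"
            set status enable
        next
    end
end
```

Cost and priority are separate knobs, as the table states: cost is consulted only by SD-WAN rules in SLA mode, while priority governs the member's static route and the implicit rule. Setting both consistently (WAN1 preferred on each) avoids the situation where an SLA-mode rule and the implicit rule disagree about which underlay member to use.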

Using SD-WAN zones

Once SD-WAN zones are defined, they can be used in firewall policies. This section covers three policy scenarios: datacenter resource access, direct internet access, and remote internet access.

Note

SD-WAN zones are a critical component of SD-WAN rules. See Fields for configuring WAN intelligence for more information.

Datacenter resource access

Datacenter resources are reached from the branches through the VPN overlay. In this example, there are two SD-WAN members in the overlay zone that the branch FortiGate can use to route traffic to and from the datacenter resource. The overlay zone is used as the destination interface in the firewall policy.

To configure the firewall policy:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the following settings:

    Name: DC_Access
    Incoming Interface: LAN
    Outgoing Interface: Overlay
    Source: Branch_LAN
    Destination: DC_LAN
    Action: ACCEPT

  3. Configure the other settings as needed.

  4. Click OK.

Note

This firewall policy allows traffic to any interfaces included in the zone. The SD-WAN rules contain the intelligence used to select which members in the zone to use.

Direct internet access

Direct internet access (DIA) is how a branch accesses resources on the public internet. These can be non-business resources (such as video streaming sites) or publicly available business resources (such as vendor portals).

To configure the firewall policy:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the following settings:

    Name: DIA
    Incoming Interface: LAN
    Outgoing Interface: Underlay
    Source: Branch_LAN
    Destination: all
    Action: ACCEPT

  3. Configure the other settings as needed.

  4. Click OK.

Remote internet access

Remote internet access (RIA) is the ability for a branch location to route public internet access requests across the overlay and out one of the hub's (or datacenter's) WAN interfaces. This option is effective when a branch has a WAN circuit with a local ISP and a second circuit that is private, such as MPLS. When the ISP circuit goes down, internet traffic can still be sent through the hub using the MPLS overlay.

To configure the firewall policy:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the following settings:

    Name: RIA
    Incoming Interface: LAN
    Outgoing Interface: Overlay
    Source: Branch_LAN
    Destination: all
    Action: ACCEPT

  3. Configure the other settings as needed.

  4. Click OK.
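The three policies above are given only as GUI steps. The CLI equivalent below is an added example, not configuration from this guide; it assumes the address objects Branch_LAN and DC_LAN and the interface LAN already exist, and the schedule, service and logging values are choices made here rather than settings the procedures specify.

```text
config firewall policy
    # "edit 0" lets FortiOS assign the next free policy ID.
    edit 0
        set name "DC_Access"
        set srcintf "LAN"
        # The zone, not a member such as "VPN1", is the outgoing interface;
        # members cannot be referenced directly in policies.
        set dstintf "Overlay"
        set srcaddr "Branch_LAN"
        set dstaddr "DC_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "DIA"
        set srcintf "LAN"
        set dstintf "Underlay"
        set srcaddr "Branch_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "RIA"
        set srcintf "LAN"
        set dstintf "Overlay"
        set srcaddr "Branch_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policies are matched top-down, so DC_Access (destination DC_LAN) is placed before RIA (destination all) even though both leave through the Overlay zone; if the two policies later receive different security profiles, that order keeps datacenter traffic on the more specific policy. Which member inside Overlay or Underlay actually carries a session is decided by the SD-WAN rules, not by these policies, as the note under Datacenter resource access explains.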
