Configuring security policies for SD-WAN
After you create an SD-WAN interface, the FortiGate adds a virtual interface for SD-WAN to the interface list. You can create security policies using this SD-WAN interface.
You must configure a security policy that allows traffic from your organization’s internal network to the SD-WAN interface. You don’t need to configure multiple security policies for individual SD-WAN member interfaces because security policies that you configure with the SD-WAN interface apply to all SD-WAN member interfaces.
Configure security policies for SD-WAN – GUI
- Go to Policy & Objects > IPv4 Policy.
- Select Create New.
- In the Name field, enter a name for the policy.
- Set Incoming Interface to the interface that connects to your organization’s internal network.
- In the Outgoing Interface field, select the SD-WAN interface from the drop-down menu.
- In the Source field, select +. In the Select Entries window, select all. Select Close.
- In the Destination field, select +. In the Select Entries window, select all. Select Close.
- In the Schedule field, select always from the drop-down menu.
- In the Service field, select +. In the Select Entries window, select ALL. Select Close.
- In the Action field, select ACCEPT.
- In the Firewall/Network Options section, set the following:
  - Enable NAT.
  - In the IP Pool Configuration field, select Use Outgoing Interface Address.
- In the Security Profiles section, apply AntiVirus, Web Filter, DNS Filter, Application Control, and SSL Inspection profiles, as required.
- In the Logging Options section, set the following:
  - Enable Log Allowed Traffic and select All Sessions. This allows you to verify the results later.
- Enable the Enable this policy option.
- Select OK.
If you previously removed or redirected existing references in security policies to interfaces that you wanted to add as SD-WAN interface members, you can now reconfigure those policies to reference the SD-WAN interface.
Configure security policies for SD-WAN – CLI
config firewall {policy | policy6}
    edit <policy_id>
        set name <policy_name>
        set srcintf <interface_name>
        set dstintf virtual-wan-link
        set srcaddr <address_name>
        set dstaddr <address_name>
        set action accept
        set status enable
        set schedule <schedule_name>
        set service <service_name>
        set utm-status enable
        set logtraffic all
        set av-profile <profile_name>
        set webfilter-profile <profile_name>
        set dnsfilter-profile <profile_name>
        set application-list <app_list>
        set ssl-ssh-profile <profile_name>
        set nat enable
        set ippool enable
        set poolname <pool_name>
    next
end
where:
- virtual-wan-link is the SD-WAN interface.
- dnsfilter-profile isn't available for IPv6 (policy6), since IPv6 isn't supported for DNS profiles.
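As an added check (example code, not from the Fortinet documentation), the following Python script parses the `config firewall policy` section of a FortiGate configuration export, picks out the policies whose outgoing interface is virtual-wan-link, and reports which of the settings listed above (accept, enabled, UTM on, logging of all sessions) each one is missing. The sample export and the policy names in it are constructed for this example.

```python
import re

# Constructed sample export: policy 1 follows the recommendations above, policy 2 does not.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "lan-to-sdwan"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set action accept
        set status enable
        set utm-status enable
        set logtraffic all
        set av-profile "default"
        set nat enable
    next
    edit 2
        set name "lan-to-sdwan-old"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set action accept
        set status enable
        set logtraffic utm
        set nat enable
    next
end
"""

# Settings the procedure calls for on a policy whose outgoing interface is the SD-WAN interface.
EXPECTED = {"action": "accept", "status": "enable",
            "logtraffic": "all", "utm-status": "enable"}

def parse_policies(text):
    """Return {policy_id: {setting: value}} for each `edit ... next` block."""
    policies = {}
    for pid, body in re.findall(r"^\s*edit (\d+)\n(.*?)^\s*next", text, re.S | re.M):
        policies[pid] = {k: v.strip().strip('"')
                         for k, v in re.findall(r"^\s*set (\S+) (.+)$", body, re.M)}
    return policies

def audit_sdwan_policies(text, sdwan_intf="virtual-wan-link"):
    """Return {policy_id: [problems]} for every policy whose dstintf is the SD-WAN interface."""
    findings = {}
    for pid, s in parse_policies(text).items():
        if s.get("dstintf") != sdwan_intf:
            continue  # policies to individual members or other interfaces are out of scope
        findings[pid] = [f"{k} is {s.get(k, 'unset')}, expected {v}"
                         for k, v in EXPECTED.items() if s.get(k) != v]
    return findings
```

Run `audit_sdwan_policies(open("export.conf").read())` against a real export; an empty list for a policy means all four settings match.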