sagha
Staff
May 25, 2020

Technical Tip: Conflict when adding referenced interfaces that are part of SD-WAN to a zone under ‘config system zone’
Description
This article explains why an interface that is already a member of SD-WAN (or of another zone) cannot be added to a zone under ‘config system zone’: the interface is already referenced, and FortiOS allows only one such reference per interface.

Solution
SD-WAN itself behaves like a zone: its members are interfaces, and firewall policies reference the SD-WAN interface (or the zone) rather than the member interface directly. An interface can belong to only one such container, so once it has been added to SD-WAN it cannot be added to a zone as well.
This is by design in FortiOS.
The examples below use ‘config system virtual-wan-link’, the table name in FortiOS 6.2 and earlier; FortiOS 6.4 and later renamed it to ‘config system sdwan’, and the same membership rule applies.

# config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"                          <----- wan1 is a member of SD-WAN.
        next
    end
end

Interface wan1 in the example above cannot be added to a zone created under ‘config system zone’.
Attempting to add it fails as follows:

# config system zone
(zone) # edit zone_test01
new entry 'zone_test01' added
(zone_test01) # set interface wan1
entry not found in datasource
value parse error before 'wan1'
Command fail. Return code -3

Note.
The same applies to two zones.

If one zone already contains an interface and a second zone is created with the same interface, FortiGate rejects it, because the interface is already referenced by the first zone.
A zone only accepts interfaces that are not referenced by another zone or by SD-WAN. This is also why the error above reads 'entry not found in datasource': wan1 exists, but the datasource that 'set interface' is validated against contains only unreferenced interfaces.


Already existing zone:

# show system zone
config system zone
    edit "zone_test01"
        set interface "wan2"
    next
end

Creating a new zone and trying to add the same wan2 interface to it:

(zone) # edit zone_test02
new entry 'zone_test02' added

(zone_test02) # set interface
*interface-name                                               <----- Interfaces available to add to the zone: only dmz is offered, not wan2.
dmz    interface

An interface that is to be added to a zone or to SD-WAN must not be referenced anywhere else, i.e. it must not already be a member of a zone or of SD-WAN.
Hence there is no option to add the already referenced interface wan2 to another zone.


To add the interface to the new zone, first remove its existing zone or SD-WAN membership, then add it.
Before doing so, check which firewall policies reference the old zone or the SD-WAN interface: once the interface is removed from that container, those policies no longer match its traffic, and traffic on the interface is dropped by the implicit deny until the new zone has policies of its own.
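As an added example (not part of the original article), the release-then-add sequence for the wan2 case above, in FortiOS 6.2 CLI syntax. It assumes that zone_test01 has no other members that must be kept ('unset interface' clears the whole member list; use 'set interface "<remaining members>"' instead if it does) and that no SD-WAN health-check or service rule still references SD-WAN member 1, since the member delete is refused while such references exist. The 'diagnose sys checkused' command lists where an object is referenced and is a useful check before each step.

```fortios
# diagnose sys checkused system.interface.name wan2     <----- Shows wan2 is referenced by zone_test01.

# config system zone
    edit "zone_test01"
        unset interface                                <----- Releases wan2 (clears the member list).
    next
end

# config system zone
    edit "zone_test02"
        set interface "wan2"                           <----- Succeeds now that wan2 is unreferenced.
    next
end

# config system virtual-wan-link                        <----- Equivalent release for an SD-WAN member.
    config members
        delete 1                                       <----- Refused while a health-check or service rule references member 1.
    end
end
```

Run the 'diagnose sys checkused' check again after the release step; if the interface is still listed as referenced, the 'set interface' in the new zone will fail with the same 'entry not found in datasource' error shown above.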