Skip to main content
IrbkOrrum
IrbkOrrum
Explorer III
March 13, 2025
Question

Create SDWAN after the fact

  • March 13, 2025
  • 2 replies
  • 918 views

We already have a FortiNet in place with "outbound" policies pointing to WAN1 because we were going to use an ISP aggregator in front of the FortiNet.  Now things have changed and management no longer wants to use the ISP aggregator and use the built in FortiNet SDWAN.  I don't have much experience with SDWAN on the Fortinet.  Since I already have rules in place, can I just create an SDWAN Zone with just WAN2 (no rules currently are on WAN2 so I can add him).  Once that is done I make a backup of my config, open it in notepad++ and change all my WAN1 destinations to the newly created SDWAN Zone instead.  Then when WAN1 doesn't have any policies assigned to it anymore, it could also be added to the SDWAN Zone?  Is that about it?  Or are there other 'gotchas' I need to worry about?  Like default gateways or something?  I'd be doing this remotely (I'm in the US and the FortiNet in question is in AUS).  While I can have smart hands on site to do a restore of a backup config if my new config doesn't work, they are only smart hands.  Can't really do much troubleshooting. 

What about VPNs?  Will they be effected at all by SDWAN zones? 

I see a lot of 'how to' setup the SDWAN but everyone that I've seen so far is assuming a factory reset device, not something that's already in production.

2 replies

ebrlima
Staff
ebrlima
Staff
March 13, 2025

Hello @IrbkOrrum 

 

This is doable, but requires careful planning and a maintenance window. Make sure that during the implementation, there's someone there that can provide you remote access to the Fortigate unit, so you can troubleshoot it if you lose remote access.

 

You can use this function to migrate a physical port to a SD-WAN Zone, even if it has references:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-add-the-interface-in-SD-WAN-member-without/ta-p/257907/redirect_from_archived_page/true

 

 

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    March 13, 2025

    One comment I have is, since you have to be connected remotely while two wan connections (non SD-WAN and SD-WAN) are up, I would set a specific static route for your source IP (/32) toward the current/non SD-WAN interface. So that even when something unexpected happens for the parallel default routes or in case you have to disable/remove the default route toward the current wan you still have access to it.

    Good luck.

    Toshi

      IrbkOrrum
      IrbkOrrumAuthor
      Explorer III
      March 27, 2025

      I ended up not needing to do what I thought I would, however your suggestion is very helpful because you can't have a SDWAN default gateway and a default gateway.  I would have to change the default gateway to be a specific static route to my remote IP, so that I could put in the SDWAN default gateway.  That's a great idea and perhaps someone else in the future will find this post and be able to use that information. 

      Terms & ConditionsAccessibility statement