Kenny_loves_Nascar
Explorer
December 31, 2024
Solved

FortiManager doesn't understand local-in policies on SD-WAN zone

  • December 31, 2024
  • 3 replies
  • 6362 views

Fortinet changed the way local-in policies are created when an interface is part of an SD-WAN zone. From 7.4.6 and 7.6.1, the local-in policy is assigned to the SD-WAN zone instead of the interface, as explained in the article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-in-Policy-is-Missing-after-upgrading-to-v7-4/ta-p/367001


This is great; however, I'm now dealing with issues when I change these local-in policies on the FortiManager. We run FortiManager 7.4.6. FortiManager 7.4.6 appears not to understand this new behaviour. I get a warning that I can't assign a local-in policy to an SD-WAN zone when I create a local-in policy in a policy package that's only assigned to firewalls running FortiOS 7.4.6. That's quite annoying when you manage all your local-in policies from the FortiManager. Is this intended behaviour in FortiOS 7.4.6 and, if so, is there a fix on the way to bring this in line with FortiOS 7.4.6?

Best answer by dingjerry_FTNT

3 replies

dingjerry_FTNT
Staff
December 31, 2024

Hi @Kenny_loves_Nascar ,


This is a bug and we have an existing Mantis 1110780 for it. The fix schedule is set to FMG 7.4.7.

Jeremy5385
Visitor III
December 31, 2024

I'm running into the same thing with upgrading a FGT to 7.4.6 and using FMG 7.6.2. The FGT errors on receiving pushes with the individual ports (that are in SD-WAN) in local-in policies, and FMG errors on pushing local-in policies that have SD-WAN zones. Frustrating. I have opened a Support ticket for resolution and have not heard back yet.

dingjerry_FTNT
Staff
December 31, 2024

Hi @Jeremy5385 ,


This is a bug. You may try with CLI template/Script as a workaround.

Jeremy5385
Visitor III
December 31, 2024

Thanks! I figured I was going to have to manually add my local-in policies using the CLI (and the dependencies) for the time being. With FMG pushing at a standstill, is there going to be a fast resolution, as everything going forward is going to have to be manually implemented so as not to delete the manual config?

HekateSwitch
New Member
January 1, 2025

To resolve the issue of FortiManager not recognizing local-in policies on SD-WAN zones, ensure correct SD-WAN zone configuration, properly apply local-in policies to the SD-WAN interface, and verify firmware compatibility. Also, check for any policy sync issues and review logs for error details.