Moving to SD-Wan from Traditional Link Failover

We are considering moving over from the traditional link failover method to using the SD-Wan features of FortiOS 5.6.    It can get a complicated when you start throwing in redundant WAN interfaces, redundant IPSEC VPN Tunnels,  eBGP,  IPv6, etc.

So hopefully this is a simple question.   We have a requirement that if the primary WAN link goes down that some of our VLANS do not get any internet.  (e.g.  complementary wifi, etc)   I am able to accomplish this with specific firewall policies to WAN1 and WAN2 interface.   However with SD-WAN all policies now go to the new SD-Wan virtual interface.    

So how do I accomplish "cutting" off internet access if the primary link fails when using SD-WAN?