FortiGate
sagha
Staff
Article Id 193451

Description
This article describes why an interface that is already a member of SD-WAN cannot be added to a zone: the interface is already referenced, and FortiOS allows only one such reference per interface.

Solution
SD-WAN itself acts as a zone that contains its interfaces as members.
Once an interface has been added to SD-WAN, it cannot be added to another zone.
This is by design in FortiOS.

# config system virtual-wan-link
    set status enable
        # config members
            edit 1
                set interface "wan1"                          <----- WAN1 part of SD-WAN.
            end
    end

Interface wan1 in the above example cannot be added to a zone created under 'config system zone'.
Attempting to add the same interface to another zone fails as follows:

# config system zone
(zone) edit zone_test01
new entry 'zone_test01' added
(zone_test01) set interface wan1
entry not found in datasource
value parse error before 'wan1'
Command fail. Return code -3

Note:
The same applies to two different zones.


Consider a zone that already contains a set of interfaces. If a second zone is then created with one of the same interfaces, FortiGate rejects it, because that interface is already referenced by the first zone.
A zone on FortiGate only offers interfaces that are not referenced by another zone or by SD-WAN.


Already existing zone:

# show system zone
    # config system zone
        edit "zone_test01"
            set interface "wan2"
        next
    end

Creating a new zone and trying to add the same wan2 interface to it (only dmz is offered, because wan2 is already referenced):

(zone) # edit zone_test02
new entry 'zone_test02' added
 
(zone_test02) set interface
*interface-name                                               <----- Select interfaces to add to the zone.
dmz    interface

An interface to be added to a zone or to SD-WAN must not be referenced elsewhere, i.e. it must not already be a member of another zone or of SD-WAN.
Hence, there is no option to add the already referenced interface wan2 to another zone.


To add the interface to a new zone, first remove its existing zone or SD-WAN membership so that it is no longer referenced.
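As an added example that is not part of the original article: a small Python pre-flight check that parses FortiOS CLI config text and reports every interface referenced by more than one zone or SD-WAN membership, so the conflicting reference can be removed before the config is pushed and FortiOS returns 'entry not found in datasource'. It assumes the standard config/edit/next/end nesting, treats 'config system sdwan' (the table name in newer FortiOS releases) like 'config system virtual-wan-link', and uses a constructed sample config.

```python
import shlex
from collections import defaultdict

# 'set interface' under these config paths means SD-WAN membership ('system sdwan' is the newer table name).
SDWAN_MEMBER_PATHS = {"system virtual-wan-link members", "system sdwan members"}
# Constructed sample (not from a device): wan1 is an SD-WAN member; zone_test02 wrongly reuses zone_test01's wan2.
SAMPLE_CONFIG = """\
config system virtual-wan-link
    config members
        edit 1
            set interface "wan1"
        next
    end
end
config system zone
    edit "zone_test01"
        set interface "wan2"
    next
    edit "zone_test02"
        set interface "dmz" "wan2"
    next
end
"""

def parse_interface_references(config_text):
    refs = defaultdict(list)  # interface name -> list of zones / SD-WAN members that reference it
    stack = []  # one [section_name, current_edit] entry per open 'config' block
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.strip().lstrip("# "))  # shlex handles quoted names; strip a pasted '# ' prompt
        kw = tokens[0] if tokens else ""
        if kw == "config":
            stack.append([" ".join(tokens[1:]), None])
        elif kw == "edit" and stack:
            stack[-1][1] = tokens[1]
        elif kw == "next" and stack:
            stack[-1][1] = None
        elif kw == "end" and stack:
            stack.pop()
        elif kw == "set" and len(tokens) > 2 and tokens[1] == "interface" and stack:
            path = " ".join(name for name, _ in stack)
            kind = "zone" if path == "system zone" else "sdwan member" if path in SDWAN_MEMBER_PATHS else None
            if kind:  # other tables' 'set interface' (e.g. a VLAN's parent interface) are not zone references
                for iface in tokens[2:]:
                    refs[iface].append(f"{kind} {stack[-1][1]}")
    return dict(refs)

def find_conflicts(refs):
    """Interfaces claimed by more than one zone / SD-WAN owner; FortiOS refuses to commit these."""
    return {iface: owners for iface, owners in refs.items() if len(owners) > 1}
```

Run `find_conflicts(parse_interface_references(text))` on the output of `show system zone` and `show system virtual-wan-link` (or a config file about to be restored) to see which membership must be removed first.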
