FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vbarrios
Staff
Article Id 332020
Description

This article describes how to delete the interface member from the SD-WAN zone.

Scope

FortiGate.

Solution

The delete option is available in the command line interface, under 'config system sdwan' > 'config members'.

  1. Access the SD-WAN configuration and list the current members:

FortiGate# config system sdwan
FortiGate(sdwan) # show
config system sdwan
    set status enable
        config zone
            edit "virtual-wan-link"
        end
        config members
            edit 1
                set interface "wan1"
                set zone "virtual-wan-link"
            next
            edit 2
                set interface "wan2"
                set zone "virtual-wan-link"
            next
            edit 3
                set interface "port1"
                set zone "virtual-wan-link"
            next
        end

  2. Enter the members table with the command 'config members':

    FortiGate(sdwan) # config members

  3. Delete the interface member by its sequence number (the list of members and their IDs is shown when prompted):

    FortiGate(members) # delete 
    seq-num    Sequence number(1-512).
    1  wan1   SD-WAN Zone   
    2  wan2   SD-WAN Zone   
    3  port1   virtual-wan-link   
     
    FortiGate(members) # delete 3 
    FortiGate(members) # end

  4. After deleting the SD-WAN member, verify that it has been removed from the configuration:

    show system sdwan


To confirm that SD-WAN is still functioning correctly after the change, run:

diagnose sys sdwan health-check

If the member is still referenced elsewhere, the following error is seen. Remove every object that references the SD-WAN zone or the member interface first, such as static routes, firewall policies, etc.:

(Screenshot of the error message, not reproduced here.)


To find the objects that reference an SD-WAN interface from the CLI, use either of the following commands:

diagnose sys cmdb refcnt show <path.object.mkey>

Or:

show full-configuration | grep -f wan1


Example:

diagnose sys cmdb refcnt show system.interface.name wan1
entry used by table system.interface:name 'advpn1'
entry used by table vpn.ipsec.phase1-interface:name 'advpn1'
entry used by child table dstintf:name 'wan1' of table firewall.policy:policyid '1'
entry used by child table dstintf:name 'wan1' of table firewall.policy:policyid '2'
entry used by table router.static:seq-num '1'
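As an added helper that is not part of this article, the following Python parses the refcnt output above into a per-table checklist of objects that must be cleared before 'delete <seq-num>' will succeed. It assumes only the two line shapes shown in the example (a direct table reference and a child-table reference); the sample input is constructed from that output.

```python
import re
from typing import NamedTuple

# Constructed sample: the output of
#   diagnose sys cmdb refcnt show system.interface.name wan1
# as shown in the article, not captured from a live device.
SAMPLE_REFCNT = """\
entry used by table system.interface:name 'advpn1'
entry used by table vpn.ipsec.phase1-interface:name 'advpn1'
entry used by child table dstintf:name 'wan1' of table firewall.policy:policyid '1'
entry used by child table dstintf:name 'wan1' of table firewall.policy:policyid '2'
entry used by table router.static:seq-num '1'
"""

class Reference(NamedTuple):
    table: str   # CLI table holding the referencing object, e.g. firewall.policy
    key: str     # mkey attribute of that table, e.g. policyid
    value: str   # mkey value, e.g. 1
    child: str   # child table that carries the reference, or '' for a direct one

# Line shapes assumed from the example output (hypothetical beyond those lines).
_DIRECT = re.compile(r"^entry used by table (\S+):(\S+) '([^']*)'$")
_CHILD = re.compile(
    r"^entry used by child table (\S+):\S+ '[^']*' of table (\S+):(\S+) '([^']*)'$")

def parse_refcnt(output: str) -> list[Reference]:
    """Turn refcnt output lines into structured references; reject unknown lines."""
    refs: list[Reference] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHILD.match(line)
        if m:
            refs.append(Reference(m.group(2), m.group(3), m.group(4), m.group(1)))
            continue
        m = _DIRECT.match(line)
        if m:
            refs.append(Reference(m.group(1), m.group(2), m.group(3), ""))
            continue
        raise ValueError(f"unrecognised refcnt line: {line!r}")
    return refs

def blockers_by_table(output: str) -> dict[str, list[str]]:
    """Group referencing objects by table, giving a checklist to clear before deleting."""
    grouped: dict[str, list[str]] = {}
    for ref in parse_refcnt(output):
        grouped.setdefault(ref.table, []).append(f"{ref.key} {ref.value}")
    return grouped
```

Running blockers_by_table on the sample groups the two firewall policies under firewall.policy and the static route under router.static, so each can be edited or removed before retrying the delete.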

 

Related articles:

Unable to delete SD-WAN Interface - Fortinet Community

Configuring SD-WAN - Fortinet Community

Comments
GILMENDO
Staff

@vbarrios great job thank you!