FortiGate
samandeep (Staff)
Article Id 366774
Description This article explains that an SD-WAN zone can be selected as the interface in a firewall local-in policy.
Scope FortiGate v7.4.6 and above.
Solution

Starting from v7.4.6 and in v7.6.x, an SD-WAN zone can also be selected as the interface in a firewall local-in policy. In earlier versions, only individual interfaces could be selected.


For example, the following local-in policy uses the SD-WAN zone "Underlay" as its interface:

config firewall local-in-policy
    edit 1
        set intf "Underlay"
        set srcaddr "all"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
    next
end

The options the CLI offers for set intf are listed below. SD-WAN zones appear with type sdwan and individual interfaces with type interface; note that port2 and port4, the members of the Underlay zone, are not offered:

    any                      Match any interface in the virtual domain.
    virtual-wan-link         sdwan
    Underlay                 sdwan
    ADVPN                    sdwan
    Test for localin         sdwan
    fortilink                interface
    naf.root                 interface
    port3                    interface
    port5                    interface
    port6                    interface
    port7                    interface
    port8                    interface


The SD-WAN zone referenced above is defined as follows, with port2 and port4 as its members:

config system sdwan
    config members
        edit 2
            set interface "port2"
            set zone "Underlay"
            set gateway 10.9.15.254
            set priority 5
        next
        edit 4
            set interface "port4"
            set zone "Underlay"
            set gateway 10.10.10.5
            set priority 5
        next
    end
end


In v7.6.x, local-in policies can also be configured from the GUI. Interfaces that are members of an SD-WAN zone are still visible in the interface list there, but selecting one prevents the policy from being saved and produces an error.


In contrast, the CLI does not present interfaces that are members of an SD-WAN zone as available options at all.
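The rule described above (an SD-WAN zone is accepted as the local-in interface, a non-member interface is accepted, but an interface that is already a member of an SD-WAN zone is rejected) can be checked before a configuration push, for example in an automation pipeline. The following validator is an added example, not Fortinet code; the SD-WAN config text and the interface set are constructed from the listing in this article, and the default zone name "virtual-wan-link" is assumed from that same listing.

```python
from __future__ import annotations

import re

# Constructed sample mirroring the config system sdwan block in this article:
# port2 and port4 are members of SD-WAN zone "Underlay".
SDWAN_CONFIG = """\
config system sdwan
    config members
        edit 2
            set interface "port2"
            set zone "Underlay"
            set gateway 10.9.15.254
            set priority 5
        next
        edit 4
            set interface "port4"
            set zone "Underlay"
            set gateway 10.10.10.5
            set priority 5
        next
    end
end
"""

# Constructed: physical interfaces on the unit (members plus the ports offered by the CLI).
ALL_INTERFACES = {"port2", "port3", "port4", "port5", "port6", "port7", "port8"}


def parse_sdwan_members(cfg: str) -> dict[str, str]:
    """Map each SD-WAN member interface to its zone, read from 'config members'."""
    members: dict[str, str] = {}
    for entry in re.findall(r"edit \d+\n(.*?)\n\s*next", cfg, re.S):
        iface = re.search(r'set interface "([^"]+)"', entry)
        zone = re.search(r'set zone "([^"]+)"', entry)
        if iface:
            # A member with no explicit zone falls into the default zone (assumed name).
            members[iface.group(1)] = zone.group(1) if zone else "virtual-wan-link"
    return members


def check_local_in_intf(intf: str, members: dict[str, str]) -> tuple[bool, str]:
    """Return (accepted, reason) for a 'set intf' value in a local-in policy."""
    zones = set(members.values())
    if intf == "any" or intf in zones:
        return True, f"{intf}: SD-WAN zone or any, accepted"
    if intf in members:
        return False, f"{intf}: member of SD-WAN zone {members[intf]}, select the zone instead"
    if intf in ALL_INTERFACES:
        return True, f"{intf}: interface not in any SD-WAN zone, accepted"
    return False, f"{intf}: unknown interface"
```

The FortiGate itself enforces this at save time; the check only lets an automation job fail fast with a clear reason instead of a rejected CLI push.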


As shown in the screenshot below, Internal2 is a member of an SD-WAN zone, and selecting this individual interface in the local-in policy generates an error.


[Screenshot eror.PNG: the error shown when Internal2, an SD-WAN zone member, is selected in the local-in policy]


For more information on local-in policies, refer to the Fortinet documentation:

Local-in policy | FortiGate / FortiOS 7.6.1 | Fortinet Document Library