FortiManager
axel_gonzalez_FTNT
Article Id 208614

Description

 

This article describes how the SD-WAN design on FortiManager 7.0 and above has changed from normalized interfaces and per-unit mappings in the ADOM layer to Meta Fields in the Device layer.

 

Using Meta Fields simplifies the way SD-WAN is configured, by creating dynamic values in SD-WAN Templates.

 

Scope

 

This article helps administrators understand what needs to be done to update the FortiManager configuration from Per Device Mappings to Meta Fields when FortiManager is upgraded from 6.4 to 7.0.

Keep in mind that this is not done automatically; it must be done manually.

 

Solution

 

The new SD-WAN Template design uses the Meta Field type 'Device VDOM', for which it is possible to configure 'Dynamic Values'.

 

It is possible to create one from:

System Settings -> Advanced -> Meta Fields, select 'Create new' -> Type: 'Device VDOM'.

 


Or:

 

In the SD-WAN Template, when '$' is typed in a field, the option '[Create New...]' is offered automatically.

The '[Create New...]' option is shown for fields such as:

 

- Interface Name.

 


- Gateway.

 


- Neighbor IP.

 


- Normally the customer will only use dynamic values on Interface names and Gateways.

 

- To use a dynamic value for a field other than 'Interface Name', 'IPv4 Gateway' and 'Neighbor IP', it is necessary to open a support ticket and explain which value is needed.

 

Example.

 

In this example, there is an SD-WAN Template named 'SD-WAN Template' with the system interface name 'Zone_SD_WAN'.

 


- Topology: three different FortiGates with three internet connections (different ports, different gateways). 


It is necessary to manually configure the Meta Fields for 'Interface Name' and 'Gateway', one by one.

 

- Meta fields created:

 

WAN1 (Dynamic Interface name)

WAN2 (Dynamic Interface name)

WAN3 (Dynamic Interface name)

GW_WAN1 (Dynamic gateway)

GW_WAN2 (Dynamic gateway)

GW_WAN3 (Dynamic gateway)

 

 


Interface names.

 

It is possible to see on 'FGT1' members of 'Zone_SD_WAN':

 

- WAN.

- LAN2.

- LAN3.

 


It is possible to see on 'FGT2' members of 'Zone_SD_WAN':

 

- WAN1.

- Port7.

- Port13.

 


It is possible to see on 'FGT3' members of 'Zone_SD_WAN':

 

- PortA.

- Port24.

- Port32.

 


Gateways.

 

It is possible to see gateways for member interfaces in 'FGT1' 'Zone_SD_WAN':

 

- WAN: 192.168.1.1.

- LAN2: 0.0.0.0.

- LAN3: 78.4.5.6.

 


It is possible to see gateways for member interfaces in 'FGT2' 'Zone_SD_WAN':

 

- WAN1: 45.45.45.6.

- Port7: 78.95.63.25.

- Port13: 0.0.0.0.

 


It is possible to see Gateways for member interfaces in 'FGT3' 'Zone_SD_WAN':

 

- PortA: 172.16.1.35.

- Port24: 189.15.6.6.

- Port32: 8.9.6.56.
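
The per-device values listed above can be checked before an install by resolving the template against each device's Meta Fields. This is an added example, not code from the article or from Fortinet; the `$(NAME)` reference notation and the order in which WAN1 to WAN3 map to the listed members are assumptions.

```python
import ipaddress
import re

# Template member rows; the $(NAME) notation is an assumption of this example.
TEMPLATE = [{"interface": f"$(WAN{i})", "gateway": f"$(GW_WAN{i})"} for i in (1, 2, 3)]
# Per-device Meta Field values taken from the article's example.
DEVICE_META = {
    "FGT1": {"WAN1": "WAN", "WAN2": "LAN2", "WAN3": "LAN3",
             "GW_WAN1": "192.168.1.1", "GW_WAN2": "0.0.0.0", "GW_WAN3": "78.4.5.6"},
    "FGT2": {"WAN1": "WAN1", "WAN2": "Port7", "WAN3": "Port13",
             "GW_WAN1": "45.45.45.6", "GW_WAN2": "78.95.63.25", "GW_WAN3": "0.0.0.0"},
    "FGT3": {"WAN1": "PortA", "WAN2": "Port24", "WAN3": "Port32",
             "GW_WAN1": "172.16.1.35", "GW_WAN2": "189.15.6.6", "GW_WAN3": "8.9.6.56"},
}
VAR = re.compile(r"\$\((\w+)\)")

def render(template, meta):
    """Resolve every $(NAME) for one device; return (members, problems)."""
    members, problems = [], []
    for row in template:
        out = {}
        for key, value in row.items():
            for name in VAR.findall(value):
                if not meta.get(name):
                    problems.append(f"{key}: meta field {name} has no value")
            # Leave the reference untouched when the device has no value for it.
            out[key] = VAR.sub(lambda m: meta.get(m.group(1)) or m.group(0), value)
        if not VAR.search(out["gateway"]):
            try:
                ipaddress.IPv4Address(out["gateway"])
            except ValueError:
                problems.append(f"gateway {out['gateway']!r} is not an IPv4 address")
        members.append(out)
    names = [m["interface"] for m in members]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"interface {dup} is mapped to more than one member")
    return members, problems

def check_all(template=TEMPLATE, devices=DEVICE_META):
    """Return {device: [problems]} for every device."""
    return {dev: render(template, meta)[1] for dev, meta in devices.items()}
```

An empty problem list for every device means each member resolves to a concrete interface name and an IPv4 gateway.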

 


In FortiGate 7.0, SD-WAN is configured under:

config system sdwan

In some FortiGate 6.4 OS versions, SD-WAN is configured under:

config system virtual-wan-link

It is always possible to check this in the FortiGate CLI.

 

Bonus.

 

To add a new interface to an SD-WAN Zone, make sure that the interface is not used in any other configuration, such as policies.

 

Example.

 

This user is trying to add a WAN interface to the SD-WAN and gets this error message:

 

> add reference fail: command(set system sdwan members.2:interface wan) detail(datasrc invalid. object: system sdwan members interface. detail: wan. solution: data cannot be used. reason: invalid value - prop[interface]: firewall policy dstintf(wan) can not be used in system sdwan members.
)SECURITY_CONSOLE: (1) [FGT1[copy] root] Commit failed: datasrc invalid. object: system sdwan members.2:interface. detail: wan. solution: datasrc invalid (reason:none)

 


It is possible to see on the device layer that the WAN interface is in use.

 


Once that policy is deleted, it is possible to install the SD-WAN template.

 


Later, it is possible to recreate the policy using the SD-WAN zone, which now includes the WAN interface.
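
To find the blocking policies before the install fails, a FortiGate configuration backup can be scanned for firewall policies that reference the interface. This is an added example, not code from the article or from Fortinet; the configuration excerpt is constructed, and the check covers only `srcintf` and `dstintf` in `config firewall policy`, not other objects that may reference the interface.

```python
import re

# Constructed FortiGate configuration excerpt (not from the article's devices).
SAMPLE_CONFIG = '''
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "lan"
        set dstintf "wan"
    next
    edit 2
        set name "DMZ-out"
        set srcintf "dmz"
        set dstintf "port5" "wan"
    next
end
config system sdwan
    config members
        edit 1
            set interface "port7"
        next
    end
end
'''

def policies_using(config_text, interface):
    """Return [(policy_id, field)] for firewall policies that reference interface."""
    hits, in_policy, depth, policy_id = [], False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # only top-level sections select the policy table
                in_policy = line == "config firewall policy"
        elif line == "end":
            depth -= 1
            if depth == 0:
                in_policy = False
        elif in_policy and depth == 1 and line.startswith("edit "):
            policy_id = line.split()[1]
        elif in_policy and depth == 1:
            m = re.match(r"set (srcintf|dstintf) (.+)", line)
            # A policy may list several quoted interfaces on one line.
            if m and interface in re.findall(r'"([^"]+)"', m.group(2)):
                hits.append((policy_id, m.group(1)))
    return hits
```

Every policy ID returned has to be removed or changed before the interface can become an SD-WAN member, and recreated afterwards against the SD-WAN zone.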

 

It is always possible to troubleshoot with this debug command:

 

diagnose debug application securityconsole 255

diagnose debug enable

 

Reference: special notices for upgrading to 7.0:

https://docs.fortinet.com/document/fortimanager/7.0.3/release-notes/519207/special-notices

 

Related article:

Troubleshooting Tip: Troubleshooting the FortiManager SD-WAN monitor

Technical Tip: Automating migration of SD-WAN configuration with FortiManager tool