Created on 04-06-2022 10:42 PM Edited on 10-02-2024 02:22 AM By Anthony_E
Description
This article describes how the SD-WAN design on FortiManager 7.0 and above has changed: instead of normalized interfaces and per-device mappings at the ADOM layer, it now uses Meta Fields at the Device layer.
Using Meta Fields simplifies the way SD-WAN is configured, by referencing dynamic values in SD-WAN Templates.
Scope
This article helps administrators understand what needs to be done to update the FortiManager configuration from per-device mappings to Meta Fields after FortiManager is upgraded from 6.4 to 7.0.
Keep in mind that this is not done automatically; it must be done manually.
Solution
The new SD-WAN Template design uses Meta Fields of type 'Device VDOM', for which 'Dynamic Values' can be configured.
A Meta Field can be created from:
System Settings -> Advanced -> Meta Fields, select 'Create New' -> Type: 'Device VDOM'.
Or:
In the SD-WAN Template, typing '$' automatically offers the option '[Create New...]'.
The '[Create New...]' option is shown for the following settings:
- Interface Name.
- Gateway.
- Neighbor IP.
- Normally, the user will only use dynamic values for Interface Names and Gateways.
- To use a dynamic value for a setting other than 'Interface Name', 'IPv4 Gateway' and 'Neighbor IP', open a support ticket and explain which value needs to be dynamic.
Example.
In this example, there is an SD-WAN Template named 'SD-WAN Template' with a system interface (zone) named 'Zone_SD_WAN'.
- Topology: three different FortiGates, each with three internet connections (different ports, different gateways).
It is necessary to manually configure the Meta Fields for 'Interface Name' and 'Gateway' on each device, one by one.
- Meta fields created:
WAN1 (Dynamic Interface name)
WAN2 (Dynamic Interface name)
WAN3 (Dynamic Interface name)
GW_WAN1 (Dynamic gateway)
GW_WAN2 (Dynamic gateway)
GW_WAN3 (Dynamic gateway)
Interface names.
The members of 'Zone_SD_WAN' on 'FGT1' are:
- WAN.
- LAN2.
- LAN3.
The members of 'Zone_SD_WAN' on 'FGT2' are:
- WAN1.
- Port7.
- Port13.
The members of 'Zone_SD_WAN' on 'FGT3' are:
- PortA.
- Port24.
- Port32.
Gateways.
The gateways of the member interfaces in 'Zone_SD_WAN' on 'FGT1' are:
- WAN: 192.168.1.1.
- LAN2: 0.0.0.0.
- LAN3: 78.4.5.6.
The gateways of the member interfaces in 'Zone_SD_WAN' on 'FGT2' are:
- WAN1: 45.45.45.6.
- Port7: 78.95.63.25.
- Port13: 0.0.0.0.
The gateways of the member interfaces in 'Zone_SD_WAN' on 'FGT3' are:
- PortA: 172.16.1.35.
- Port24: 189.15.6.6.
- Port32: 8.9.6.56.
In FortiGate v7.0, the SD-WAN configuration is under:
config system sdwan
In some FortiGate v6.4 OS versions, the SD-WAN configuration is under:
config system virtual-wan-link
It is always possible to verify this from the FortiGate CLI.
Bonus:
To add a new interface to the SD-WAN zone, make sure that the interface is not referenced in any other configuration, such as firewall policies.
Example.
This user is trying to add the WAN interface to the SD-WAN and gets this error message:
> add reference fail: command(set system sdwan members.2:interface wan) detail(datasrc invalid. object: system sdwan members interface. detail: wan. solution: data cannot be used. reason: invalid value - prop[interface]: firewall policy dstintf(wan) can not be used in system sdwan members.
)SECURITY_CONSOLE: (1) [FGT1[copy] root] Commit failed: datasrc invalid. object: system sdwan members.2:interface. detail: wan. solution: datasrc invalid (reason:none)
In the Device layer it is possible to see that the WAN interface is in use by a policy.
Once that policy is deleted, it is possible to install the SD-WAN template.
The policy can be recreated afterwards, referencing the SD-WAN zone that now includes the WAN interface.
It is always possible to troubleshoot with these debug commands:
diagnose debug application securityconsole 255
diagnose debug enable
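The following script is an added illustration, not part of this article or of FortiManager: it takes the template members written with Meta Field variables (the $(NAME) form is assumed here), substitutes the per-device values from the FGT1/FGT2/FGT3 example above, renders the resulting FortiOS 7.0 'config system sdwan' block, and applies the 'Bonus' check in advance by refusing any member interface that is still referenced as a firewall policy destination. The policy references passed in are constructed sample data.

```python
import re

# Constructed sample: the template's members written with Meta Field
# variables in $(NAME) form (assumed FortiManager variable syntax).
TEMPLATE_MEMBERS = [("$(WAN1)", "$(GW_WAN1)"), ("$(WAN2)", "$(GW_WAN2)"),
                    ("$(WAN3)", "$(GW_WAN3)")]

# Per-device Meta Field values, taken from the article's FGT1/FGT2/FGT3 example.
META_FIELDS = {
    "FGT1": {"WAN1": "WAN", "WAN2": "LAN2", "WAN3": "LAN3",
             "GW_WAN1": "192.168.1.1", "GW_WAN2": "0.0.0.0", "GW_WAN3": "78.4.5.6"},
    "FGT2": {"WAN1": "WAN1", "WAN2": "Port7", "WAN3": "Port13",
             "GW_WAN1": "45.45.45.6", "GW_WAN2": "78.95.63.25", "GW_WAN3": "0.0.0.0"},
    "FGT3": {"WAN1": "PortA", "WAN2": "Port24", "WAN3": "Port32",
             "GW_WAN1": "172.16.1.35", "GW_WAN2": "189.15.6.6", "GW_WAN3": "8.9.6.56"},
}

VAR = re.compile(r"\$\((\w+)\)")

def resolve(value, fields):
    """Replace every $(NAME) with the device's value; a missing field is an error."""
    def repl(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"meta field {name} has no value on this device")
        return fields[name]
    return VAR.sub(repl, value)

def render_sdwan(device, zone, policy_dstintf=frozenset()):
    """Build the FortiOS 7.0 'config system sdwan' block for one device.
    policy_dstintf: interfaces still used as dstintf by firewall policies
    (constructed input). A member in that set would fail at install with the
    article's 'datasrc invalid' error, so the check refuses to render instead."""
    fields = META_FIELDS[device]
    out = ["config system sdwan", "    set status enable", "    config zone",
           f'        edit "{zone}"', "        next", "    end", "    config members"]
    for seq, (intf_var, gw_var) in enumerate(TEMPLATE_MEMBERS, start=1):
        intf = resolve(intf_var, fields)
        if intf in policy_dstintf:
            raise ValueError(f"{device}: {intf} is dstintf of a firewall policy; "
                             "delete that reference before installing the template")
        out += [f"        edit {seq}", f'            set interface "{intf}"',
                f'            set zone "{zone}"',
                f"            set gateway {resolve(gw_var, fields)}", "        next"]
    out += ["    end", "end"]
    return "\n".join(out)
```

Running render_sdwan("FGT1", "Zone_SD_WAN", policy_dstintf={"WAN"}) reproduces, before install, the same condition that the error message above reports at commit time.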
Reference: special notice on upgrading to v7.0:
Related articles:
Troubleshooting Tip: Troubleshooting the FortiManager SD-WAN monitor
Technical Tip: Automating migration of SD-WAN configuration with FortiManager tool