lincoweb
New Contributor II

Addition of existing Interfaces with references to new SD-WAN zone

Hi Guys,

Just seeking some confirmation here. We have a FortiGate cluster with the following model/version:

#config-version=FG200E-6.4.7-FW-build1911-21082

Currently, we have 2 Internet links in use with no SD-WAN configuration. We would like to implement SD-WAN for these 2 links. Each interface in question has approximately 40 references in the following config sections:

  • Firewall Policy
  • DoS Policy
  • Static Routes
  • System HA
  • System Interface (site-to-site tunnel)
  • VPN IPsec Phase 1 Interface (seems to be same as above)
  • VPN SSL Settings
  • Virtual IP

I would like to know which, if any, of these references are not required to be removed before the interface can be available for inclusion into the SDWAN zone. Additionally, after the interfaces have been successfully added, based on your experience, should there be any expected issues adding back the individual interfaces to any of the configs we removed them from (e.g. VIPs)? Also, given the OS version and build stated at the top of this post, are there any limitations in the usage of the SDWAN zone in further configurations, e.g. static routing (the idea is to have a default static route pointing to the SDWAN zone as the next hop)?

 

Thanks in advance for your help

adambomb1219
Contributor III

All of them, and yes, you should upgrade your FortiOS to the latest 6.4 or better yet latest 7.0.

lincoweb

Thanks,

Is there any way to execute this procedure by saving the config file and making the edits via a text editor, then restoring the edited config? Rather than the arduous task of removing and restoring references via the GUI? 

adambomb1219

Sure that would work.  

kgeorge
Staff

Hello,

 

The following will not hinder adding the interface to the SD-WAN. That is, even if an interface is part of the below configuration, it could still be included in SD-WAN.

 

  • Static Routes
  • System Interface (site-to-site tunnel)
  • VPN IPsec Phase 1 Interface (seems to be same as above)
  • VPN SSL Settings
  • Virtual IP

Once the SD-WAN is configured, its individual interfaces cannot be used in Firewall Policies. However, they can be used in Policy Route or SD-WAN rules.

 

In Static Routes, we can have either Individual Static Routes or an SD-WAN Static Route, not both or mixed.

When SDWAN is configured, it is indeed recommended to remove Individual routes and add SDWAN for proper and expected routing.

 

Hope this helps.

 

Regards,

Klint George
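
An added example, not part of the thread and not Fortinet tooling: before editing a saved config backup in a text editor, as discussed above, this Python script inventories every setting that names a given interface, grouped by config section and entry. The sample config, the interface names and the `find_references` helper are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample in FortiOS backup syntax; all names are made up.
SAMPLE = '''\
config system interface
    edit "wan1"
    next
    edit "s2s-tun"
        set interface "wan1"
    next
end
config firewall policy
    edit 7
        set dstintf "wan1"
    next
end
config system ha
    set monitor "wan1" "wan2"
end
config router static
    edit 1
        set device "wan2"
    next
end
'''

def find_references(config_text, interface):
    """Map each top-level config section to the (entry, setting) pairs naming `interface`."""
    refs = defaultdict(list)
    stack = []  # open "config"/"edit" blocks, outermost first
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and the "#config-version=..." header
        try:
            words = shlex.split(line)
        except ValueError:
            continue  # part of a multi-line quoted value (e.g. a certificate)
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "edit":
            stack.append("edit " + " ".join(words[1:]))
        elif words[0] in ("next", "end") and stack:
            stack.pop()
        elif words[0] == "set" and interface in words[2:]:
            # The interface's own "edit" line is a definition, not a reference.
            entry = next((s[5:] for s in reversed(stack) if s.startswith("edit ")), "-")
            refs[stack[0] if stack else "?"].append((entry, words[1]))
    return dict(refs)
```

Run it against the backup for each link and compare the section names with the list in the original post; an entry of `-` means the setting sits directly in the section rather than under an `edit` block.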
