Just to add some information. SDWAN zones are just zones. The only difference is that in 6.2 you were able to use each member of SDWAN in a firewall policy separately. From 6.4, you will need to use zones to do it. The idea is, if you are mixing interfaces in SDWAN, for example internet access and VPN interfaces, you should create 2 zones, one for internet access and a second for VPN, and assign each interface based on its role. Then you can use SDWAN zones in firewall policies, static routes etc. If you use only a single SDWAN zone, you will be forced to create 1 firewall policy for all interfaces, which can potentially allow corporate traffic to leave via the internet link, which is not best practice.
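
The two-zone layout described in the post above, sketched as FortiOS CLI. This is an added example, not configuration from the original post. The interface names (`wan1`, `wan2`, `vpn-hq`, `lan`), the zone names, the policy names and the `corp-nets` address object are constructed placeholders, and the `config system sdwan` syntax is assumed to be that of a 6.4 build that uses it.

```fortios
# Constructed example: interface, zone, policy and address names are placeholders.
config system sdwan
    set status enable
    config zone
        edit "sdwan-inet"
        next
        edit "sdwan-vpn"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "sdwan-inet"
        next
        edit 2
            set interface "wan2"
            set zone "sdwan-inet"
        next
        edit 3
            set interface "vpn-hq"
            set zone "sdwan-vpn"
        next
    end
end
config firewall policy
    # Internet-bound traffic may only egress through the internet zone.
    edit 0
        set name "lan-to-internet"
        set srcintf "lan"
        set dstintf "sdwan-inet"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Corporate destinations are reachable only through the VPN zone.
    edit 0
        set name "lan-to-corp"
        set srcintf "lan"
        set dstintf "sdwan-vpn"
        set srcaddr "all"
        set dstaddr "corp-nets"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

With all three members in one zone, a single policy with that zone as `dstintf` would cover both the internet links and the tunnel, so nothing at the policy layer would stop traffic for `corp-nets` from being accepted on `wan1` or `wan2`.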