IrbkOrrum
Contributor

Create SDWAN after the fact

We already have a Fortinet in place with "outbound" policies pointing to WAN1 because we were going to use an ISP aggregator in front of the Fortinet. Now things have changed and management no longer wants to use the ISP aggregator and wants to use the built-in Fortinet SDWAN. I don't have much experience with SDWAN on the Fortinet. Since I already have rules in place, can I just create an SDWAN Zone with just WAN2 (no rules are currently on WAN2, so I can add it)? Once that is done I make a backup of my config, open it in Notepad++ and change all my WAN1 destinations to the newly created SDWAN Zone instead. Then when WAN1 doesn't have any policies assigned to it anymore, it could also be added to the SDWAN Zone? Is that about it? Or are there other 'gotchas' I need to worry about? Like default gateways or something? I'd be doing this remotely (I'm in the US and the Fortinet in question is in AUS). While I can have smart hands on site to do a restore of a backup config if my new config doesn't work, they are only smart hands. They can't really do much troubleshooting.

What about VPNs? Will they be affected at all by SDWAN zones?

I see a lot of 'how to' guides for setting up the SDWAN, but every one I've seen so far assumes a factory-reset device, not something that's already in production.

ebrlima
Staff

Hello @IrbkOrrum

This is doable, but it requires careful planning and a maintenance window. Make sure that during the implementation there's someone there who can provide you remote access to the FortiGate unit, so you can troubleshoot it if you lose remote access.

You can use this function to migrate a physical port to an SD-WAN Zone, even if it has references:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-add-the-interface-in-SD-WAN-member-...

Eudes Lima
Toshi_Esumi
SuperUser

One comment I have is this: since you have to be connected remotely while two WAN connections (non-SD-WAN and SD-WAN) are up, I would set a specific static route for your source IP (/32) toward the current, non-SD-WAN interface, so that even when something unexpected happens with the parallel default routes, or in case you have to disable/remove the default route toward the current WAN, you still have access to it.

Good luck.

Toshi
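As an added illustration, not part of either reply and not a Fortinet tool, the Python helper below does the offline edit the original post describes, on a constructed FortiOS-style backup embedded in the script. It rewrites only the `set srcintf`/`set dstintf` lines inside `config firewall policy` from `"wan1"` to an assumed zone name `"sdwan-zone"` (an SD-WAN member interface cannot be referenced directly by a policy, so those references have to move to the zone), lists every other reference to wan1 for manual review (in the sample: the static route and the IPsec phase1 binding, which are the kind of 'gotchas' asked about), and prints the /32 management route from the second reply. All interface names, zone name and addresses are constructed, and the section tracking assumes the plain `config`/`edit`/`next`/`end` layout of a FortiOS backup.

```python
"""Hypothetical dry-run helper for moving a FortiGate WAN port into an
SD-WAN zone by editing a configuration backup offline. Not a Fortinet tool."""
import re

# Constructed sample backup (minimal FortiOS-style layout, not from a real device).
SAMPLE_BACKUP = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set role wan
    next
    edit "wan2"
        set vdom "root"
        set ip 198.51.100.2 255.255.255.0
        set role wan
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set remote-gw 192.0.2.10
    next
end
config firewall policy
    edit 1
        set name "lan-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "vpn-in"
        set srcintf "to-branch"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

CONFIG_RE = re.compile(r'^\s*config\s+(.+?)\s*$')
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
END_RE = re.compile(r'^\s*end\s*$')


def walk(config_text):
    """Yield (top_level_section, current_edit, line) per line, tracking nested
    config/end blocks so every line is attributed to its top-level section."""
    stack, edit = [], None
    for line in config_text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            stack.append(m.group(1))
            if len(stack) == 1:
                edit = None
        elif END_RE.match(line):
            if stack:
                stack.pop()
            if not stack:
                edit = None
        else:
            m = EDIT_RE.match(line)
            if m and len(stack) == 1:   # only track entries of the top-level table
                edit = m.group(1)
        yield (stack[0] if stack else None), edit, line


def rewrite_policy_interfaces(config_text, old_iface, zone):
    """Return (new_config, changed_policy_ids). Only srcintf/dstintf lines inside
    `config firewall policy` are touched; everything else is left byte-for-byte."""
    token, new_token = f'"{old_iface}"', f'"{zone}"'   # quoted, so "wan1" != "wan10"
    out, changed = [], []
    for section, edit, line in walk(config_text):
        s = line.strip()
        if section == 'firewall policy' and token in s and \
                (s.startswith('set srcintf ') or s.startswith('set dstintf ')):
            line = line.replace(token, new_token)
            if edit not in changed:
                changed.append(edit)
        out.append(line)
    return '\n'.join(out) + '\n', changed


def find_other_references(config_text, iface):
    """List (section, edit, line) for references to iface outside firewall policies,
    skipping the interface's own definition: routes, VPN bindings and similar
    need a decision of their own rather than a blind search-and-replace."""
    token, refs = f'"{iface}"', []
    for section, edit, line in walk(config_text):
        if section in ('firewall policy', None):
            continue
        if section == 'system interface' and edit == iface:
            continue
        if token in line and line.strip().startswith('set '):
            refs.append((section, edit, line.strip()))
    return refs


def guard_route_cli(mgmt_source_ip, device, gateway):
    """CLI for a /32 route keeping the remote admin's own traffic on the existing
    WAN while default routes change; `edit 0` lets FortiOS assign the sequence number."""
    return ('config router static\n'
            '    edit 0\n'
            f'        set dst {mgmt_source_ip} 255.255.255.255\n'
            f'        set device "{device}"\n'
            f'        set gateway {gateway}\n'
            '    next\n'
            'end')


if __name__ == '__main__':
    new_cfg, changed = rewrite_policy_interfaces(SAMPLE_BACKUP, 'wan1', 'sdwan-zone')
    print('policies rewritten:', changed)
    for sec, ed, ln in find_other_references(SAMPLE_BACKUP, 'wan1'):
        print(f'manual review: [{sec}] edit {ed}: {ln}')
    print(guard_route_cli('192.0.2.200', 'wan1', '203.0.113.1'))
```

Run it against a real backup by replacing `SAMPLE_BACKUP` with the file contents; the "manual review" lines are the ones to settle before the edited backup is restored, and the guard route is the thing to add (and verify from the remote admin's address) before any policy or default-route change.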
