Create SDWAN after the fact
We already have a Fortinet in place with "outbound" policies pointing to WAN1 because we were going to use an ISP aggregator in front of the Fortinet. Now things have changed and management no longer wants to use the ISP aggregator and wants to use the built-in Fortinet SD-WAN. I don't have much experience with SD-WAN on the Fortinet. Since I already have rules in place, can I just create an SD-WAN Zone with just WAN2 (no rules currently are on WAN2, so I can add it)? Once that is done, I make a backup of my config, open it in Notepad++ and change all my WAN1 destinations to the newly created SD-WAN Zone instead. Then when WAN1 doesn't have any policies assigned to it anymore, it could also be added to the SD-WAN Zone? Is that about it? Or are there other 'gotchas' I need to worry about, like default gateways or something? I'd be doing this remotely (I'm in the US and the Fortinet in question is in AUS). While I can have smart hands on site to do a restore of a backup config if my new config doesn't work, they are only smart hands. They can't really do much troubleshooting.
What about VPNs? Will they be affected at all by SD-WAN zones?
I see a lot of 'how to' guides for setting up the SD-WAN, but every one that I've seen so far assumes a factory-reset device, not something that's already in production.
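The migration the question describes (a new SD-WAN zone containing only WAN2, policies re-pointed from the physical port to the zone, WAN1 joined later) written out as a FortiOS CLI script. This is an added example, not configuration from the thread; the zone name "SDWAN-INTERNET", the policy name, the interface "internal", the gateway addresses and the FortiOS 7.x syntax (`set sdwan-zone` on the static route) are all assumptions, so adapt them to the unit before applying anything.

```fortios
# Added example: migrate WAN2 into a new SD-WAN zone on FortiOS 7.x (assumed syntax).
# Names, addresses and the member order are constructed for illustration.

# 1. Enable SD-WAN and create the zone that policies will reference instead of "wan1".
config system sdwan
    set status enable
    config zone
        edit "SDWAN-INTERNET"
        next
    end
    # 2. Add WAN2 as the first member. The gateway is the ISP next hop on WAN2 (assumed).
    config members
        edit 1
            set interface "wan2"
            set zone "SDWAN-INTERNET"
            set gateway 198.51.100.1
        next
    end
end

# 3. A default route via the zone. This is the "default gateway" gotcha: traffic matching
#    the SD-WAN policies needs a route through the zone, not only through the physical port.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "SDWAN-INTERNET"
        set comment "Default route via SD-WAN zone (added during migration)"
    next
end

# 4. Re-point an existing outbound policy: dstintf changes from "wan1" to the zone.
#    Editing the policy ID in place keeps its position in the policy table.
#    (Policy ID 10 and the interface/address names are assumed.)
config firewall policy
    edit 10
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "SDWAN-INTERNET"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 5. Only after no policy or route references "wan1" any more can it join the zone.
config system sdwan
    config members
        edit 2
            set interface "wan1"
            set zone "SDWAN-INTERNET"
            set gateway 192.0.2.1
        next
    end
end

# Checks after each step (read-only):
#   get router info routing-table all     -> confirm the default route now points at the zone members
#   diagnose sys sdwan member             -> confirm both members are up and in the zone
```

Existing IPsec tunnel interfaces are not touched by this script: a tunnel only becomes part of the SD-WAN zone if it is explicitly added as a member, so policies that reference the tunnel interface directly keep working as before.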
Hello @IrbkOrrum
This is doable, but requires careful planning and a maintenance window. Make sure that during the implementation there's someone there who can provide you remote access to the FortiGate unit, so you can troubleshoot it if you lose remote access.
You can use this function to migrate a physical port to a SD-WAN Zone, even if it has references:
One comment I have is, since you have to be connected remotely while two WAN connections (non-SD-WAN and SD-WAN) are up, I would set a specific static route for your source IP (/32) toward the current/non-SD-WAN interface, so that even when something unexpected happens with the parallel default routes, or in case you have to disable/remove the default route toward the current WAN, you still have access to it.
Good luck.
Toshi
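The /32 safety route Toshi recommends, as an added FortiOS CLI example (not from the thread). The admin source address 203.0.113.10, the WAN1 next hop 192.0.2.1 and the FortiOS 7.x syntax are assumptions; the point is that the host route is more specific than any default route, so the unit keeps replying to the admin's address out of WAN1 no matter what happens to the default routes during the SD-WAN change.

```fortios
# Added example: pin return traffic for the remote admin's public IP to the current WAN.
# A /32 route always wins over 0.0.0.0/0, whether the default route later comes from
# the physical port or from the SD-WAN zone. Addresses below are constructed.
config router static
    edit 0
        set dst 203.0.113.10 255.255.255.255
        set gateway 192.0.2.1
        set device "wan1"
        set distance 1
        set comment "Admin source IP pinned to wan1 during SD-WAN migration"
    next
end

# Verify the host route is installed and preferred before touching the default routes:
#   get router info routing-table details 203.0.113.10
#
# Remove this route once WAN1 is a zone member and management access has been
# confirmed through the SD-WAN zone, otherwise the admin's sessions will never
# use the new path.
```

Pair this with the management-access check before the window: confirm the admin IP is also listed in the trusted hosts of the admin account, so that a mistake in the firewall policies does not lock out the only person doing the troubleshooting.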
