Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Cajuntank
Contributor II

Legacy WAN migration to SD-WAN?

My setup is that of your traditional legacy WAN hub (data center) and spoke (branch sites). Currently, my only Internet access is at my data center. Even though they are on private WAN connections, the branch locations' connection to the WAN is via FortiGate (for traffic inspection purposes away from the data center).

 

I am in the process of adding Internet connectivity to each of these branch sites (will also add secondary Internet connectivity at the data center as well in the near future). I have a fair grasp of what needs to be done and following the hub/spoke guidelines in the SD-WAN Branch Deployment Guide documentation; however, what I am missing is process/procedures or caveats in migrating an existing used interface over to a new zone. So what I mean is, if I have my existing interface in a WAN zone and policies are applied to that zone, will I be able to easily move that interface to the new SD-WAN zone? I know I cannot do anything with the interface while it references something, so I know I have to deal with these things, but I am just trying to make sure I am thinking of everything and have "all my i's dotted and t's crossed" as it were. I know once I move my interface, I will have to change all of my policies to reflect to the new SD-WAN zone.

 

Hoping someone that has done this can chime in and give some additional thoughts or guidance in case I am missing something.

1 Solution
gfleming
Staff
Staff

You can use the Interface Migration Wizard to assist you here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/885870/interface-migration-w...

 

I would definitely suggest testing this during a maintenance window to ensure everything works as expected. But this should take most of the headaches and pain away when moving from legacy to SD-WAN configuration on your existing FortiGates.

Cheers,
Graham

View solution in original post

5 REPLIES 5
AEK
Honored Contributor

Hello

First, it doesn't matter if you fail the first and second try but the most important is to have a quick, clear and valid rollback procedure.

Try prepare your interface migration (the whole procedure or some) by CLI commands in a text file. Then just run it on CLI script when you want to migrate.

Here is a overall scenario:

  1. Make a backup of your system FGT config
  2. Create a SD-WAN interface with a dummy interface (unused)
  3. In your CLI text file, for every policy ID that is using the physical WAN interface, replace this interface with SD-WAN interface name. E.g. :
    config firewall policy
      edit 4
        set dstif sd-wan
    ...
  4. Run the script on your FGT in one shot
  5. Delete the default gateway (usually it is the WAN interface)
  6. The old physical WAN interface is not used anymore, so you can encapsulate it in your SD-WAN interface, and remove the dummy interface
  7. Add a default gateway using the SD-WAN interface
  8. Test
  9. If it doesnt wotj then you have time to troubleshoot until the end of your maintenance window
  10. If time is up then execute your rollback procedure (e.g.: restore and reboot)

Hope it helps

 

AEK
AEK
gfleming
Staff
Staff

You can use the Interface Migration Wizard to assist you here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/885870/interface-migration-w...

 

I would definitely suggest testing this during a maintenance window to ensure everything works as expected. But this should take most of the headaches and pain away when moving from legacy to SD-WAN configuration on your existing FortiGates.

Cheers,
Graham
Cajuntank

OMG, how did I miss this? I confirmed this is also applicable with fortiOS 7.0.9, which is the code rev I am on. I will have to play around with this, but it looks extremely promising. Thanks.

Cajuntank

I attempted this today and that worked fairly well. It failed once with something due to the interface being tied to OSPF, then it let me attempt again and the option was to remove it from OSPF, which I did, though when I compared the configs, the OSPF config was the same as before. I had to manually change my policies over to new SD-WAN zone from old zone (did not know if the process would do that automatically too) but all looked and tested good.

AEK
Honored Contributor

I totally forgot this. I'm definitely still old school.

Thanks Graham.

AEK
AEK
Labels
Top Kudoed Authors