Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Legacy WAN migration to SD-WAN?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Legacy WAN migration to SD-WAN?
My setup is that of your traditional legacy WAN hub (data center) and spoke (branch sites). Currently, my only Internet access is at my data center. Even though they are on private WAN connections, the branch locations' connection to the WAN is via FortiGate (for traffic inspection purposes away from the data center).
I am in the process of adding Internet connectivity to each of these branch sites (will also add secondary Internet connectivity at the data center as well in the near future). I have a fair grasp of what needs to be done and following the hub/spoke guidelines in the SD-WAN Branch Deployment Guide documentation; however, what I am missing is process/procedures or caveats in migrating an existing used interface over to a new zone. So what I mean is, if I have my existing interface in a WAN zone and policies are applied to that zone, will I be able to easily move that interface to the new SD-WAN zone? I know I cannot do anything with the interface while it references something, so I know I have to deal with these things, but I am just trying to make sure I am thinking of everything and have "all my i's dotted and t's crossed" as it were. I know once I move my interface, I will have to change all of my policies to reflect to the new SD-WAN zone.
Hoping someone that has done this can chime in and give some additional thoughts or guidance in case I am missing something.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the Interface Migration Wizard to assist you here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/885870/interface-migration-w...
I would definitely suggest testing this during a maintenance window to ensure everything works as expected. But this should take most of the headaches and pain away when moving from legacy to SD-WAN configuration on your existing FortiGates.
Cheers,
Graham
Graham
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
First, it doesn't matter if you fail the first and second try but the most important is to have a quick, clear and valid rollback procedure.
Try prepare your interface migration (the whole procedure or some) by CLI commands in a text file. Then just run it on CLI script when you want to migrate.
Here is a overall scenario:
- Make a backup of your system FGT config
- Create a SD-WAN interface with a dummy interface (unused)
- In your CLI text file, for every policy ID that is using the physical WAN interface, replace this interface with SD-WAN interface name. E.g. :
config firewall policy
edit 4
set dstif sd-wan
... - Run the script on your FGT in one shot
- Delete the default gateway (usually it is the WAN interface)
- The old physical WAN interface is not used anymore, so you can encapsulate it in your SD-WAN interface, and remove the dummy interface
- Add a default gateway using the SD-WAN interface
- Test
- If it doesnt wotj then you have time to troubleshoot until the end of your maintenance window
- If time is up then execute your rollback procedure (e.g.: restore and reboot)
Hope it helps
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the Interface Migration Wizard to assist you here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/885870/interface-migration-w...
I would definitely suggest testing this during a maintenance window to ensure everything works as expected. But this should take most of the headaches and pain away when moving from legacy to SD-WAN configuration on your existing FortiGates.
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OMG, how did I miss this? I confirmed this is also applicable with fortiOS 7.0.9, which is the code rev I am on. I will have to play around with this, but it looks extremely promising. Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I attempted this today and that worked fairly well. It failed once with something due to the interface being tied to OSPF, then it let me attempt again and the option was to remove it from OSPF, which I did, though when I compared the configs, the OSPF config was the same as before. I had to manually change my policies over to new SD-WAN zone from old zone (did not know if the process would do that automatically too) but all looked and tested good.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
About to try this too in the next few weeks. Did you encounter any problems.
Originally was going to do it 'manually, copy all the policies etc then move the interfaces' but then found this post.
So upgraded to ver7 and going to follow the auto path.
regards,
Chris.
Created on 11-04-2024 05:57 AM Edited on 11-04-2024 05:58 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's been over a year ago and I have slept since then, but it all went well. Like mentioned, the only thing for some reason that hung it up was it did not like being tied to OSPF. Based on what I mentioned before, it must have given me the option to remove it from OSPF, then it processed, but when I looked at it again, that's where I'm a little fuzzy on if I had to actually do anything under OSPF or if it all looked well and I just then had the chore of moving my policies over to use the new zone. All in all, it was fairly painless other than the policy changes... and that was honestly, easy enough.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I totally forgot this. I'm definitely still old school.
Thanks Graham.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need to do this too, however on an older code 6.4.15 which doesnt have the auto update type option.
Is it worth going to the next code revision to get this done ?
I am thinking yes, it is the sensible thing to get to the latest version and also may save a lot of hassle getting upgraded to SD WAN.
Any opinions welcome.
Chris.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Authentication Error after migration FortiGate 416 Views
- FSSO settings shared to branch devices... 787 Views
- OSPF over SDWAN dual IPsec connect... 1678 Views
- Legacy WAN migration to SD-WAN? 4361 Views
- How to estimate number of man... 765 Views
Labels
-
FortiGate
8,501 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
Fortiswitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.