If you don't create your SDWAN interfaces upfront you have to un-associate the interfaces with every policy to do so. This is a major PITA and wasn't an problem on Sonicwall. Time to step up the FG game here and make a wizard or utility or amend the OS to allow this to happen. This is very frustrating. Does anyone have any clever ideas? I was going to download the config edit it and re-upload it. However that sounds like I might open a can of worms. I called support, no known work-arounds.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Any "free/unused" interface can be added to the the SD-WAN (virtual-wan-link) interface - It's mostly to act as a placeholder for revising the firewall policy section.
Any static route setting should still be retained after placing a WAN interface into the SD_WAN, though I would try some testing on your part.
Shame you are not on site, if all possible I would set up a backup connection to a free port on the fgt in the event that you do lose connection to it, at least someone on site could swap cables/ports. (Just make sure the authorized admin port settings are also set up on the backup wan interface. And perhaps you may want to test that connection first.)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Personally, in a quick pinch (though not advisable), I likely do the same if there is like a lot of firewall policies. Though I would add one of your WAN interfaces to the SD-WAN first then edit a copy of that config:
- In the firewall policy section, replace "<wan interface name>" with "virtual-wan-link".
- Then add the other (WAN) interface(s) to the config system virtual-wan-link section. - Save the revised config (new copy) and load that into the fgt. Use the CLI to check for any errors : diagnose debug config-error-log read
And example of the SD-WAN section may look like in the CLI:
config system virtual-wan-link set status enable set load-balance-mode measured-volume-based config members edit 1 set interface "wan1" set volume-ratio 60 next edit 2 set interface "wan2" set volume-ratio 40 next next end
And an example (edited) firewall policy:
config firewall policy edit 11 set name "Access-appoved-DNS" set srcintf "internal_net"
set dstintf "virtual-wan-link"
set srcaddr "All_Internal"
set dstaddr "approved-dns" set service "DNS" set action accept next end
Again, the above is not recommended nor advised.
kubimike wrote:[...]I was going to download the config edit it and re-upload it. However that sounds like I might open a can of worms. I called support, no known work-arounds.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thanks, both of my WAN interfaces are in use. I need to do this at about 9 sites remotely. If I remove policies IE (static routes) I won't be able to get to these devices anymore . This is a tricky one .
Making major config changes via code edit/upload/reboot is nerve-wracking, but we have done it multiple times. You could use a diff tool like WinMerge to compare the result and give yourself some extra confidence that you didn't change anything wrong. Obviously find and replace is your friend when it comes to finding all the right things to change. All that said..doing it without the ability to at least go on-site quickly if needed....eesh...
Quick tip
Always deploy a single SDWAN setup even if from day one you have no need for multilink NAT members. A few sml steps now, saves you from a hughe headache later.
Ken Felix
PCNSE
NSE
StrongSwan
ha yeah Im a new customer just learned that after doing a complete rollout!
Any "free/unused" interface can be added to the the SD-WAN (virtual-wan-link) interface - It's mostly to act as a placeholder for revising the firewall policy section.
Any static route setting should still be retained after placing a WAN interface into the SD_WAN, though I would try some testing on your part.
Shame you are not on site, if all possible I would set up a backup connection to a free port on the fgt in the event that you do lose connection to it, at least someone on site could swap cables/ports. (Just make sure the authorized admin port settings are also set up on the backup wan interface. And perhaps you may want to test that connection first.)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi Dave, I plan on running more wires to my internet switches temporarily moving everything to different ports. I can then remove WAN1 and WAN2 from all the policies etc and do what I need to do. Yeah I will need someone to put cables for me. I was hoping someone at Fortinet would see this and add the feature to the OS. Seems like a big oversight. One lesson learned as @Emnoc pointed out is start with SDWan first.
Yeah, I myself has been tasked to passively migrate about 35 fgt devices from using zone (load balancing) scheme to using the SD-WAN.
A word of caution though, at least on the 5.4 firmwares is SSL VPNs are not supported on SD-WAN.
kubimike wrote:One lesson learned as @Emnoc pointed out is start with SDWan first.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thanks Im on 6.0.4
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.