Valued Contributor

SD-WAN and zones

We had a pretty nice zone-based basic configuration for new implementations. This got more complicated when the SD-WAN interface was introduced, because it acts a little differently.

From 6.2.1 it is possible to create firewall policies on the interfaces that are part of the SD-WAN interface.

It is also possible to add these interfaces to a zone, so again it should be possible to create all firewall policies based on zones, which in my opinion makes way more sense, especially if you share WAN (public) and VPN connectivity (private) on one SD-WAN interface.

Anyone been working on this? Issues or working fine?

I did some basic testing with VPN interfaces and ended up being unable to run diagnose debug ike ..., at some point getting this error:


could not connect to virtual server on /tmp/iked_recv_socket

Esteemed Contributor III

I'm 100% sure you can't put an sdwan virtual interface into a zone. Only real-physical or virtual-802.1q interfaces. If you have a 6.2.x FortiOS with a "virtual-wan-link" in a system zone, then share the cfg.

And another tip, you cannot put a loop interface into a zone either.


Ken Felix





PCNSE NSE StrongSwan
Valued Contributor

Yeah, I'm aware you can't put the SD-WAN interface in a zone. I was looking to put the interfaces which are part of the SD-WAN interface in a zone.

So like this:


config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
        edit 3
            set interface "vpn-p1-wan1"
        next
        edit 4
            set interface "vpn-p1-wan2"
        next
    end
end
config system zone
    edit "zone-vpn"
        set interface "vpn-p1-wan1" "vpn-p1-wan2"
    next
    edit "zone-wan"
        set interface "wan1" "wan2"
    next
end


This actually is possible configuration-wise and seems to work fine for WAN; only for VPN it doesn't behave nicely.
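A check that could be run over a config backup before relying on zone-only policies, as an added example that is not part of the original thread: it parses the `virtual-wan-link` members and `system zone` blocks of the kind posted above and flags SD-WAN members that sit in no zone, and zones that mix tunnel and non-tunnel members. The function names and the `vpn-` prefix used to recognise tunnel interfaces are assumptions taken from the naming in the post, and the input is assumed to have one command per line.

```python
import shlex

# Constructed sample: a shortened form of the configuration posted above.
SAMPLE = """\
config system virtual-wan-link
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "vpn-p1-wan1"
        next
    end
end
config system zone
    edit "zone-vpn"
        set interface "vpn-p1-wan1"
    next
    edit "zone-wan"
        set interface "wan1"
    next
end
"""

def parse(text):
    # Track the nesting of config/edit blocks; collect SD-WAN members and zones.
    path, members, zones = [], [], {}
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            path.append((tok[0], " ".join(tok[1:])))
        elif tok[0] in ("next", "end") and path:
            path.pop()
        elif tok[:2] == ["set", "interface"]:
            scope = [name for kind, name in path if kind == "config"]
            if scope == ["system virtual-wan-link", "members"]:
                members += tok[2:]
            elif scope == ["system zone"]:
                zones[path[-1][1]] = tok[2:]
    return members, zones

def audit(text, tunnel_prefix="vpn-"):
    # tunnel_prefix is an assumed naming convention, not a FortiOS attribute.
    members, zones = parse(text)
    zoned = {i for ifaces in zones.values() for i in ifaces}
    findings = [f"{m}: SD-WAN member in no zone" for m in members if m not in zoned]
    for zone, ifaces in zones.items():
        if len({i.startswith(tunnel_prefix) for i in ifaces if i in members}) > 1:
            findings.append(f"{zone}: mixes tunnel and non-tunnel SD-WAN members")
    return findings
```

`audit(SAMPLE)` returns an empty list; a member left out of every zone, or a zone holding both `wan1` and `vpn-p1-wan1`, produces one finding each.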


Hi all,


Do you have extra information about "could not connect to virtual server on /tmp/iked_recv_socket" error?


I'm getting this error when I try to execute some commands related to IPSec VPN Tunnels

