We had a pretty nice zone-based basic configuration for new implementations. This got more complicated when the SD-WAN interface was introduced, because it acts a little differently.
From 6.2.1 it is possible to create firewall policies on the interfaces that are part of the SD-WAN interface.
It is also possible to add these interfaces to a zone, so again it should be possible to create all firewall policies based on zones, which in my opinion makes way more sense, especially if you share WAN (public) and VPN (private) connectivity on one SD-WAN interface.
Has anyone been working on this? Issues, or working fine?
I did some basic testing with VPN interfaces and ended up being unable to run diagnose debug ike ..., at some point getting this error:
could not connect to virtual server on /tmp/iked_recv_socket
I'm 100% sure you can't put an SD-WAN virtual interface into a zone. Only real physical or virtual 802.1q interfaces. If you have a 6.2.x FortiOS with a "virtual-wan-link" in a system zone, then share the cfg.
And another tip: you cannot put loopback interfaces into a zone either.
Yeah, I'm aware you can't put the SD-WAN interface in a zone. I was looking to put the interfaces which are part of the SD-WAN interface in a zone,
so like this:
config system virtual-wan-link
    set status enable
    # members abbreviated here: on the CLI each member is an "edit <id>" entry under "config members"
    set interface "wan1"
    set interface "wan2"
    set interface "vpn-p1-wan1"
    set interface "vpn-p1-wan2"
end
config system zone
    # zones abbreviated here: on the CLI each zone is an "edit <zone-name>" entry
    set interface "vpn-p1-wan1" "vpn-p1-wan2"
    set interface "wan1" "wan2"
end
Configuration-wise this is actually possible and seems to work fine for WAN; only for VPN does it not behave nicely.
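As an added example that is not part of the original thread, here is the full-syntax FortiOS 6.2 CLI version of the setup discussed above: the four SD-WAN members, two zones that keep the public (WAN) and private (VPN) members apart, and zone-based policies from the LAN. The zone names "zone-wan" and "zone-vpn", the LAN interface name "internal" and the policy names are assumptions; "all" and "ALL" are the FortiOS default address and service objects.

```fortios
# Hypothetical names: zone-wan, zone-vpn, internal, lan-to-internet, lan-to-vpn
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
        edit 3
            set interface "vpn-p1-wan1"
        next
        edit 4
            set interface "vpn-p1-wan2"
        next
    end
end
# Separate zones for public and private members, so one policy can never
# accidentally match both; intrazone deny blocks member-to-member traffic.
config system zone
    edit "zone-wan"
        set intrazone deny
        set interface "wan1" "wan2"
    next
    edit "zone-vpn"
        set intrazone deny
        set interface "vpn-p1-wan1" "vpn-p1-wan2"
    next
end
# Zone-based policies: destination is the zone, not an individual member.
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "zone-wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "lan-to-vpn"
        set srcintf "internal"
        set dstintf "zone-vpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The "all"/"ALL" objects are used only to keep the example short; in production, narrow srcaddr, dstaddr and service to what each zone actually needs.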