FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.



This article describes how the SD-WAN design on FortiManager 7.0 and above has changed from normalized interfaces and per-device mappings at the ADOM layer to Meta Fields at the device layer.


Using Meta Fields simplifies the way SD-WAN is configured, by creating dynamic values in SD-WAN Templates.




This article helps administrators understand what needs to be done to update the FortiManager configuration from Per Device Mappings to Meta Fields when FortiManager is upgraded from 6.4 to 7.0.

Keep in mind that this is not done automatically by the upgrade; it must be done manually.




The new SD-WAN Template design uses Meta Fields of type 'Device VDOM', for which it is possible to configure 'Dynamic Values'.


It is possible to create one from:

System Settings -> Advanced-> Meta Fields, select 'Create new' -> Type: 'Device VDOM'.






On the SD-WAN Template, if '$' is typed, the option '[Create New...]' is offered automatically.


The '[Create New...]' option is shown for the following fields:


- Interface Name.




- Gateway.




- Neighbor IP.




- Normally the customer will only use dynamic values for Interface Names and Gateways.


- To use a dynamic value for a field other than 'Interface Name', 'IPv4 Gateway' and 'Neighbor IP', open a support ticket and explain which value is needed.




In this example, there is an SD-WAN Template named 'SD-WAN Template' whose SD-WAN zone (system interface name) is 'Zone_SD_WAN'.




- Topology: three different FortiGates, each with three internet connections (different ports, different gateways).



It is necessary to configure the Meta Field values for 'Interface Name' and 'Gateway' manually, one device at a time.


- Meta fields created:


WAN1 (Dynamic Interface name)

WAN2 (Dynamic Interface name)

WAN3 (Dynamic Interface name)

GW_WAN1 (Dynamic gateway)

GW_WAN2 (Dynamic gateway)

GW_WAN3 (Dynamic gateway)





Interface names.


On 'FGT1', the members of 'Zone_SD_WAN' are:


- WAN.

- LAN2.

- LAN3.




On 'FGT2', the members of 'Zone_SD_WAN' are:


- WAN1.

- Port7.

- Port13.




On 'FGT3', the members of 'Zone_SD_WAN' are:


- PortA.

- Port24.

- Port32.






The gateways for the member interfaces of 'Zone_SD_WAN' on 'FGT1' are:


- WAN:

- LAN2:

- LAN3:




The gateways for the member interfaces of 'Zone_SD_WAN' on 'FGT2' are:


- Wan1:

- Port7:

- Port13:




The gateways for the member interfaces of 'Zone_SD_WAN' on 'FGT3' are:


- PortA:

- Port24:

- Port32:




In FortiOS 7.0, SD-WAN is configured under:


# config system sdwan


In some FortiOS 6.4 versions, SD-WAN is configured under:


# config system virtual-wan-link


It is always possible to verify this in the FortiGate CLI.




To add a new interface to an SD-WAN Zone, the interface must not already be referenced anywhere else in the configuration, such as in firewall policies.




A user trying to add the WAN interface to the SD-WAN gets this error message:


> add reference fail: command(set system sdwan members.2:interface wan) detail(datasrc invalid. object: system sdwan members interface. detail: wan. solution: data cannot be used. reason: invalid value - prop[interface]: firewall policy dstintf(wan) can not be used in system sdwan members.
)SECURITY_CONSOLE: (1) [FGT1[copy] root] Commit failed: datasrc invalid. object: system sdwan members.2:interface. detail: wan. solution: datasrc invalid (reason:none)




On the device layer, it is possible to see that the WAN interface is in use.




Once that policy is deleted, it is possible to install the SD-WAN Template.




It is possible to recreate the policy later using the SD-WAN zone, which now includes the WAN interface.
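The following script is an added illustration, not FortiManager's own code, of the two mechanics this article describes: one SD-WAN Template whose members are written with dynamic values, resolved per device from the Meta Fields WAN1..WAN3 and GW_WAN1..GW_WAN3, and the pre-install check that every resolved member interface is free of firewall policy references (the condition behind the 'can not be used in system sdwan members' error above). The interface names come from the article; the gateway addresses, the device-layer policies and the `$(NAME)` placeholder spelling are constructed assumptions, and the rendered CLI follows the general shape of the FortiOS 7.0 'config system sdwan' block rather than anything shown on this page.

```python
import re

# Constructed sample data (not from the article's screenshots): the three
# FortiGates of the example with the per-device values that the Meta Fields
# WAN1..WAN3 and GW_WAN1..GW_WAN3 resolve to. Gateway addresses are
# documentation-range placeholders because the original screenshots are lost.
META_FIELDS = {
    "FGT1": {"WAN1": "wan",   "WAN2": "lan2",   "WAN3": "lan3",
             "GW_WAN1": "203.0.113.1", "GW_WAN2": "198.51.100.1", "GW_WAN3": "192.0.2.1"},
    "FGT2": {"WAN1": "wan1",  "WAN2": "port7",  "WAN3": "port13",
             "GW_WAN1": "203.0.113.5", "GW_WAN2": "198.51.100.5", "GW_WAN3": "192.0.2.5"},
    "FGT3": {"WAN1": "portA", "WAN2": "port24", "WAN3": "port32",
             "GW_WAN1": "203.0.113.9", "GW_WAN2": "198.51.100.9", "GW_WAN3": "192.0.2.9"},
}

# The SD-WAN Template members, written once with dynamic values. The $(NAME)
# spelling of the placeholder is assumed; the article only says '$' is typed.
TEMPLATE_MEMBERS = [
    {"seq": 1, "interface": "$(WAN1)", "gateway": "$(GW_WAN1)"},
    {"seq": 2, "interface": "$(WAN2)", "gateway": "$(GW_WAN2)"},
    {"seq": 3, "interface": "$(WAN3)", "gateway": "$(GW_WAN3)"},
]

# Constructed device-layer firewall policies. FGT1 still has a policy whose
# dstintf is "wan", the exact condition behind the install error in the article.
DEVICE_POLICIES = {
    "FGT1": [{"policyid": 1, "srcintf": ["internal"], "dstintf": ["wan"]}],
    "FGT2": [{"policyid": 1, "srcintf": ["internal"], "dstintf": ["Zone_SD_WAN"]}],
    "FGT3": [],
}

VAR = re.compile(r"\$\((\w+)\)")


def resolve(value, fields):
    """Replace each $(NAME) in value with that device's Meta Field value.

    A missing value is an error rather than a silent empty string: a member
    with a blank interface would be rejected by the FortiGate anyway.
    """
    def sub(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"Meta Field {name} has no value on this device")
        return fields[name]
    return VAR.sub(sub, value)


def resolve_members(device):
    """Turn the shared template into concrete members for one device."""
    fields = META_FIELDS[device]
    return [{"seq": m["seq"],
             "interface": resolve(m["interface"], fields),
             "gateway": resolve(m["gateway"], fields)} for m in TEMPLATE_MEMBERS]


def find_conflicts(device, interfaces):
    """List (interface, policyid) pairs where a policy still references an
    interface that the template wants to move into the SD-WAN zone."""
    conflicts = []
    for pol in DEVICE_POLICIES.get(device, []):
        for iface in interfaces:
            if iface in pol["srcintf"] or iface in pol["dstintf"]:
                conflicts.append((iface, pol["policyid"]))
    return conflicts


def render_cli(members, zone):
    """Render a FortiOS 7.0 style 'config system sdwan' block for these members."""
    lines = ["config system sdwan", "    set status enable",
             "    config zone", f'        edit "{zone}"', "        next", "    end",
             "    config members"]
    for m in members:
        lines += [f"        edit {m['seq']}",
                  f'            set interface "{m["interface"]}"',
                  f'            set zone "{zone}"',
                  f"            set gateway {m['gateway']}",
                  "        next"]
    lines += ["    end", "end"]
    return "\n".join(lines)


def install_template(device, zone="Zone_SD_WAN"):
    """Simulate a template install: resolve dynamic values, refuse while any
    member interface is still used by a policy, otherwise return the CLI.
    Returns (ok, text): text is the CLI on success or the refusal reason."""
    members = resolve_members(device)
    conflicts = find_conflicts(device, [m["interface"] for m in members])
    if conflicts:
        reason = "; ".join(
            f"firewall policy {pid} references interface {iface}; "
            f"remove or edit the policy before installing the SD-WAN Template"
            for iface, pid in conflicts)
        return False, reason
    return True, render_cli(members, zone)


if __name__ == "__main__":
    for dev in META_FIELDS:
        ok, text = install_template(dev)
        print(f"== {dev}: {'install' if ok else 'BLOCKED'}\n{text}\n")
```

Running it shows FGT2 and FGT3 rendering three members each with their own interface names and gateways from a single template, while FGT1 is blocked with the policy that still references 'wan', which is the state to fix (delete or edit the policy, install, then recreate the policy against the zone) before the template can be pushed.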


It is always possible to troubleshoot with these debug commands:


# diagnose debug application securityconsole 25

# diagnose debug enable


Reference: Special notice when upgrading to 7.0:


Related link:

Troubleshooting Tip: Troubleshooting the FortiManager SD-WAN monitor