Created on 04-06-2022 10:42 PM Edited on 05-11-2023 07:18 AM By Jean-Philippe_P
Description
This article describes how the SD-WAN design in FortiManager 7.0 and later has changed: the normalized interfaces and per-device mappings kept in the ADOM layer in 6.4 are replaced by Meta Fields in the Device layer.
Meta Fields simplify SD-WAN configuration by providing dynamic values in SD-WAN Templates, so one template can be installed on devices whose interface names and gateways differ.
Scope
This article helps administrators understand what needs to be done to update the FortiManager configuration from Per Device Mappings to Meta Fields after upgrading FortiManager from 6.4 to 7.0.
Keep in mind that this migration is not performed automatically by the upgrade; it must be done manually.
Solution
The new SD-WAN Template design uses Meta Fields of type 'Device VDOM', for which it is possible to configure 'Dynamic Values' (one value per device and VDOM).
A Meta Field can be created from:
System Settings -> Advanced -> Meta Fields, select 'Create New' -> Type: 'Device VDOM'.
Or:
In the SD-WAN Template, typing '$' in a field that supports dynamic values automatically offers the option '[Create New...]'.
The '[Create New...]' option is shown for the following fields:
- Interface Name.
- Gateway.
- Neighbor IP.
- Normally only Interface Names and Gateways need dynamic values.
- To use a dynamic value for a field other than 'Interface Name', 'IPv4 Gateway' and 'Neighbor IP', open a support ticket and explain which value is required.
Example.
In this example there is an SD-WAN Template named 'SD-WAN Template' with a system interface (SD-WAN zone) named 'Zone_SD_WAN'.
- Topology: three different FortiGates, each with three internet connections (different ports, different gateways).
It is necessary to manually configure a Meta Field for each 'Interface Name' and each 'Gateway', one by one, and then set its dynamic value on every device.
- Meta fields created:
WAN1 (Dynamic Interface name)
WAN2 (Dynamic Interface name)
WAN3 (Dynamic Interface name)
GW_WAN1 (Dynamic gateway)
GW_WAN2 (Dynamic gateway)
GW_WAN3 (Dynamic gateway)
Interface names.
Members of 'Zone_SD_WAN' on 'FGT1', i.e. the dynamic values of WAN1, WAN2 and WAN3 on this device:
- WAN.
- LAN2.
- LAN3.
Members of 'Zone_SD_WAN' on 'FGT2':
- WAN1.
- Port7.
- Port13.
Members of 'Zone_SD_WAN' on 'FGT3':
- PortA.
- Port24.
- Port32.
Gateways.
A gateway of 0.0.0.0 leaves the member's gateway unset (the FortiOS default), which is what is used for interfaces that learn their gateway dynamically, for example via DHCP or PPPoE.
Gateways of the member interfaces in 'Zone_SD_WAN' on 'FGT1', i.e. the dynamic values of GW_WAN1, GW_WAN2 and GW_WAN3:
- WAN: 192.168.1.1.
- LAN2: 0.0.0.0.
- LAN3: 78.4.5.6.
Gateways of the member interfaces in 'Zone_SD_WAN' on 'FGT2':
- WAN1: 45.45.45.6.
- Port7: 78.95.63.25.
- Port13: 0.0.0.0.
Gateways of the member interfaces in 'Zone_SD_WAN' on 'FGT3':
- PortA: 172.16.1.35.
- Port24: 189.15.6.6.
- Port32: 8.9.6.56.
In FortiOS 7.0 the SD-WAN configuration is under:
config system sdwan
In some FortiOS 6.4 versions it is instead under:
config system virtual-wan-link
When in doubt, check the FortiGate CLI to see which one the device uses.
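To make the Meta Field mechanism concrete, the following added example (not FortiManager code) models an SD-WAN Template whose member interface and gateway are 'Device VDOM' meta fields, and renders the FortiOS 7.0 'config system sdwan' CLI each FortiGate would receive. The $(NAME) placeholder syntax, the function names and the per-device values are assumptions taken from the FGT1/FGT2/FGT3 tables above; the check for missing dynamic values is what an administrator would want to run before installing the template.

```python
"""Resolve 'Device VDOM' meta fields in an SD-WAN template, per device.

Added example, not FortiManager code. The $(NAME) placeholder syntax and
the sample values are assumptions modelled on the article's tables.
"""
import ipaddress
import re
from typing import Dict, List

PLACEHOLDER = re.compile(r"\$\(([A-Za-z0-9_]+)\)")
ZONE = "Zone_SD_WAN"

# The SD-WAN Template members: every per-device value is a meta field.
TEMPLATE_MEMBERS: List[Dict[str, str]] = [
    {"seq": "1", "interface": "$(WAN1)", "gateway": "$(GW_WAN1)"},
    {"seq": "2", "interface": "$(WAN2)", "gateway": "$(GW_WAN2)"},
    {"seq": "3", "interface": "$(WAN3)", "gateway": "$(GW_WAN3)"},
]

# Dynamic values per device (constructed from the article's FGT1/2/3 tables).
DEVICE_META: Dict[str, Dict[str, str]] = {
    "FGT1": {"WAN1": "WAN", "WAN2": "LAN2", "WAN3": "LAN3",
             "GW_WAN1": "192.168.1.1", "GW_WAN2": "0.0.0.0", "GW_WAN3": "78.4.5.6"},
    "FGT2": {"WAN1": "WAN1", "WAN2": "Port7", "WAN3": "Port13",
             "GW_WAN1": "45.45.45.6", "GW_WAN2": "78.95.63.25", "GW_WAN3": "0.0.0.0"},
    "FGT3": {"WAN1": "PortA", "WAN2": "Port24", "WAN3": "Port32",
             "GW_WAN1": "172.16.1.35", "GW_WAN2": "189.15.6.6", "GW_WAN3": "8.9.6.56"},
}


def missing_meta_fields(meta: Dict[str, str],
                        members: List[Dict[str, str]] = TEMPLATE_MEMBERS) -> List[str]:
    """Meta fields the template references but the device has no value for.

    Run this before installing: an unresolved placeholder would reach the
    FortiGate as literal text and the install would fail.
    """
    needed = {name for m in members for v in m.values() for name in PLACEHOLDER.findall(v)}
    return sorted(name for name in needed if name not in meta)


def resolve(value: str, meta: Dict[str, str]) -> str:
    """Substitute every $(NAME) in value with the device's dynamic value."""
    def _sub(match):
        name = match.group(1)
        if name not in meta:
            raise KeyError(f"meta field {name!r} has no value on this device")
        return meta[name]
    return PLACEHOLDER.sub(_sub, value)


def render_sdwan(device: str,
                 meta_by_device: Dict[str, Dict[str, str]] = DEVICE_META,
                 members: List[Dict[str, str]] = TEMPLATE_MEMBERS) -> str:
    """Return the FortiOS 7.0 'config system sdwan' CLI that one device receives."""
    meta = meta_by_device[device]
    gaps = missing_meta_fields(meta, members)
    if gaps:
        raise KeyError(f"{device}: create dynamic values for {', '.join(gaps)} first")
    lines = [
        "config system sdwan",
        "    set status enable",
        "    config zone",
        f'        edit "{ZONE}"',
        "        next",
        "    end",
        "    config members",
    ]
    for m in members:
        iface = resolve(m["interface"], meta)
        # IPv4Address rejects malformed dynamic values (e.g. "78.4.5") early.
        gw = ipaddress.IPv4Address(resolve(m["gateway"], meta))
        lines += [f'        edit {m["seq"]}',
                  f'            set interface "{iface}"',
                  f'            set zone "{ZONE}"']
        # 0.0.0.0 is the FortiOS default (no explicit gateway, e.g. DHCP/PPPoE
        # members), so it is left out rather than pushed as a literal value.
        if gw != ipaddress.IPv4Address("0.0.0.0"):
            lines.append(f"            set gateway {gw}")
        lines.append("        next")
    lines += ["    end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for dev in DEVICE_META:
        print(f"# ---- {dev} ----")
        print(render_sdwan(dev))
```

Running the script prints one 'config system sdwan' block per device from the same template; the only thing that differs between FGT1, FGT2 and FGT3 is the dynamic value behind each meta field, which is exactly the separation the 7.0 design introduces.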
Bonus.
To add a new interface to an SD-WAN zone, the interface must not be referenced by any other configuration, such as firewall policies; otherwise FortiManager rejects the installation.
Example.
An administrator tries to add the 'wan' interface to the SD-WAN and gets this error message:
> add reference fail: command(set system sdwan members.2:interface wan) detail(datasrc invalid. object: system sdwan members interface. detail: wan. solution: data cannot be used. reason: invalid value - prop[interface]: firewall policy dstintf(wan) can not be used in system sdwan members.
)SECURITY_CONSOLE: (1) [FGT1[copy] root] Commit failed: datasrc invalid. object: system sdwan members.2:interface. detail: wan. solution: datasrc invalid (reason:none)
In the Device layer it is possible to see that the 'wan' interface is in use by a firewall policy (as dstintf).
Once that policy is deleted, the SD-WAN template installs successfully.
The policy can then be recreated using the SD-WAN zone as its interface, which now includes the 'wan' interface.
The installation can be troubleshot on FortiManager with these debug commands:
diagnose debug application securityconsole 255
diagnose debug enable
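The reference check behind that 'add reference fail' error, and the delete / add member / recreate-against-the-zone workflow the article describes, as an added example that is not FortiManager code. The policy table, the class and function names, and the error text (modelled on the message quoted above) are constructed for illustration.

```python
"""Model of why a referenced interface cannot become an SD-WAN member.

Added example, not FortiManager code. Policies, names and the error text are
constructed; the error text is modelled on the article's 'add reference fail'.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Policy:
    policyid: int
    srcintf: List[str]
    dstintf: List[str]


@dataclass
class DeviceConfig:
    policies: List[Policy] = field(default_factory=list)
    sdwan_members: List[str] = field(default_factory=list)
    sdwan_zone: str = "Zone_SD_WAN"


class AddReferenceError(Exception):
    """Raised when an interface is still referenced elsewhere in the config."""


def blocking_policies(cfg: DeviceConfig, iface: str) -> List[int]:
    """IDs of firewall policies that reference iface as srcintf or dstintf."""
    return [p.policyid for p in cfg.policies
            if iface in p.srcintf or iface in p.dstintf]


def add_sdwan_member(cfg: DeviceConfig, iface: str) -> None:
    """Add iface to the SD-WAN members, refusing if a policy still uses it."""
    blockers = blocking_policies(cfg, iface)
    if blockers:
        raise AddReferenceError(
            f"datasrc invalid: firewall policy {blockers} references ({iface}); "
            f"it can not be used in system sdwan members")
    if iface not in cfg.sdwan_members:
        cfg.sdwan_members.append(iface)


def migrate_interface_to_sdwan(cfg: DeviceConfig, iface: str) -> List[int]:
    """Manual workflow from the article: delete the referencing policies, add the
    member, recreate the policies with the SD-WAN zone in place of the interface.
    Returns the IDs of the policies that were recreated."""
    blockers = blocking_policies(cfg, iface)
    removed = [p for p in cfg.policies if p.policyid in blockers]
    cfg.policies = [p for p in cfg.policies if p.policyid not in blockers]
    add_sdwan_member(cfg, iface)  # now succeeds: nothing references iface
    for p in removed:
        # A member interface must not be referenced directly any more; the
        # policy points at the zone, which now contains iface.
        cfg.policies.append(Policy(
            policyid=p.policyid,
            srcintf=[cfg.sdwan_zone if i == iface else i for i in p.srcintf],
            dstintf=[cfg.sdwan_zone if i == iface else i for i in p.dstintf]))
    return [p.policyid for p in removed]


if __name__ == "__main__":
    cfg = DeviceConfig(policies=[Policy(1, ["internal"], ["wan"]),
                                 Policy(2, ["internal"], ["dmz"])])
    try:
        add_sdwan_member(cfg, "wan")
    except AddReferenceError as err:
        print("install fails:", err)
    print("recreated policies:", migrate_interface_to_sdwan(cfg, "wan"))
    print("members:", cfg.sdwan_members, "policies:", cfg.policies)
```

The same check is worth running on the Device layer before pushing a template at all: any policy, route or other object that names the member interface directly will produce the same commit failure, and the fix is always to reference the SD-WAN zone instead.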
Reference of Special notice upgrading to 7.0:
https://docs.fortinet.com/document/fortimanager/7.0.3/release-notes/519207/special-notices
Related article:
Troubleshooting Tip: Troubleshooting the FortiManager SD-WAN monitor
Technical Tip: Automating migration of SD-WAN configuration with FortiManager tool
Copyright 2024 Fortinet, Inc. All Rights Reserved.