[Answered] Love the product. Found a huge headache

Author
kubimike
New Member
2019/09/12 06:20:55 (permalink)

Love the product. Found a huge headache

If you don't create your SDWAN interfaces upfront you have to un-associate the interfaces with every policy to do so. This is a major PITA and wasn't a problem on Sonicwall. Time to step up the FG game here and make a wizard or utility or amend the OS to allow this to happen. This is very frustrating. Does anyone have any clever ideas? I was going to download the config, edit it and re-upload it. However that sounds like I might open a can of worms. I called support, no known work-arounds.
#1
Dave Hall
Expert Member
Re: Love the product . Found a huge headache 2019/09/12 07:13:43 (permalink)
Personally, in a quick pinch (though not advisable), I would likely do the same if there are a lot of firewall policies. Though I would add one of your WAN interfaces to the SD-WAN first, then edit a copy of that config:
 
- In the firewall policy section, replace "<wan interface name>" with "virtual-wan-link".
- Then add the other (WAN) interface(s) to the config system virtual-wan-link section.
- Save the revised config (new copy) and load that into the fgt. Use the CLI to check for any errors: diagnose debug config-error-log read
 
An example of what the SD-WAN section may look like in the CLI:
 
config system virtual-wan-link
    set status enable
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
            set volume-ratio 60
        next
        edit 2
            set interface "wan2"
            set volume-ratio 40
        next
    end
end


And an example (edited) firewall policy:
 
config firewall policy
    edit 11
        set name "Access-appoved-DNS"
        set srcintf "internal_net"
        set dstintf "virtual-wan-link"
        set srcaddr "All_Internal"
        set dstaddr "approved-dns"
        set service "DNS"
        set action accept
    next
end


Again, the above is not recommended nor advised.
 
kubimike
[...]I was going to download the config edit it and re-upload it. However that sounds like I might open a can of worms. I called support, no known work-arounds. 

NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
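A scripted version of the config-copy rewrite described above, added here as an example and not code from the thread or from Fortinet: it swaps the WAN interface names for the SD-WAN interface only on srcintf/dstintf lines inside the firewall policy section (other sections such as config system interface are left alone, and a policy listing both WANs collapses to a single "virtual-wan-link" entry) and counts what it changed, so the result can be diffed against the original before upload. The sample config and the interface names wan1/wan2 are constructed assumptions.

```python
import re

# Constructed sample of a FortiOS config backup (not from the post); names are assumed.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
    next
end
config firewall policy
    edit 11
        set srcintf "internal_net"
        set dstintf "wan1"
    next
    edit 12
        set srcintf "internal_net"
        set dstintf "wan1" "wan2"
    next
end
"""
WAN_IFACES = {"wan1", "wan2"}  # assumed names of the physical WAN members joining SD-WAN


def rewrite_policy_interfaces(text, wan_ifaces=WAN_IFACES, sdwan="virtual-wan-link"):
    # Rewrites srcintf/dstintf only inside "config firewall policy"; every other
    # section is copied through unchanged. Returns (new_text, lines_changed).
    out, changed, depth = [], 0, 0          # depth > 0 means inside the policy block
    for line in text.splitlines():
        s = line.strip()
        if s == "config firewall policy":
            depth = 1
        elif depth and s.startswith("config "):
            depth += 1                      # nested sub-table inside a policy entry
        elif depth and s == "end":
            depth -= 1
        m = re.match(r'^(\s*set (?:src|dst)intf )(.+)$', line) if depth else None
        if m:
            names = re.findall(r'"([^"]*)"', m.group(2))
            new = []
            for n in names:
                n = sdwan if n in wan_ifaces else n
                if n not in new:            # collapse "wan1" "wan2" into one SD-WAN entry
                    new.append(n)
            if new != names:
                line = m.group(1) + " ".join(f'"{n}"' for n in new)
                changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed
```

Run it on a downloaded backup, then diff the output against the original to confirm only the intended interface lines moved; the edit "wan1" entry under config system interface must survive untouched.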
#2
kubimike
New Member
Re: Love the product . Found a huge headache 2019/09/12 07:18:59 (permalink)
Thanks, both of my WAN interfaces are in use. I need to do this at about 9 sites remotely. If I remove policies, i.e. static routes, I won't be able to get to these devices anymore. This is a tricky one.
#3
lobstercreed
Gold Member
Re: Love the product . Found a huge headache 2019/09/12 07:59:07 (permalink)
Making major config changes via code edit/upload/reboot is nerve-wracking, but we have done it multiple times. You could use a diff tool like WinMerge to compare the result and give yourself some extra confidence that you didn't change anything wrong. Obviously find and replace is your friend when it comes to finding all the right things to change. All that said... doing it without the ability to at least go on-site quickly if needed... eesh...
#4
emnoc
Expert Member
Re: Love the product . Found a huge headache 2019/09/12 08:17:07 (permalink)
Quick tip
 
Always deploy a single SDWAN setup even if from day one you have no need for multilink NAT members. A few small steps now saves you from a huge headache later.
 
Ken Felix
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#5
kubimike
New Member
Re: Love the product . Found a huge headache 2019/09/12 08:22:29 (permalink)
Ha, yeah, I'm a new customer, just learned that after doing a complete rollout!
#6
Dave Hall
Expert Member
Re: Love the product . Found a huge headache 2019/09/12 09:10:35 (permalink) [Best Answer, marked by kubimike 2019/09/12 12:06:26]
Any "free/unused" interface can be added to the SD-WAN (virtual-wan-link) interface. It's mostly to act as a placeholder for revising the firewall policy section.
 
Any static route setting should still be retained after placing a WAN interface into the SD-WAN, though I would try some testing on your part.
 
Shame you are not on site. If at all possible I would set up a backup connection to a free port on the fgt in the event that you do lose connection to it, so at least someone on site could swap cables/ports. (Just make sure the authorized admin port settings are also set up on the backup WAN interface. And perhaps you may want to test that connection first.)
 

NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
#7
kubimike
New Member
Re: Love the product . Found a huge headache 2019/09/12 12:06:18 (permalink)
Hi Dave, I plan on running more wires to my internet switches, temporarily moving everything to different ports. I can then remove WAN1 and WAN2 from all the policies etc. and do what I need to do. Yeah, I will need someone to put cables in for me. I was hoping someone at Fortinet would see this and add the feature to the OS. Seems like a big oversight. One lesson learned, as @Emnoc pointed out, is start with SDWan first.
#8
Dave Hall
Expert Member
Re: Love the product . Found a huge headache 2019/09/12 13:30:59 (permalink)
Yeah, I myself have been tasked to passively migrate about 35 fgt devices from using a zone (load balancing) scheme to using the SD-WAN.
 
A word of caution though, at least on the 5.4 firmware, is that SSL VPNs are not supported on SD-WAN.
 
kubimike
One lesson learned as @Emnoc pointed out is start with SDWan first. 

NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
#9
kubimike
New Member
Re: Love the product . Found a huge headache 2019/09/12 14:00:55 (permalink)
Thanks, I'm on 6.0.4
#10