- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Love the product . Found a huge headache
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Love the product . Found a huge headache
If you don't create your SDWAN interfaces upfront you have to un-associate the interfaces with every policy to do so. This is a major PITA and wasn't an problem on Sonicwall. Time to step up the FG game here and make a wizard or utility or amend the OS to allow this to happen. This is very frustrating. Does anyone have any clever ideas? I was going to download the config edit it and re-upload it. However that sounds like I might open a can of worms. I called support, no known work-arounds.
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any "free/unused" interface can be added to the the SD-WAN (virtual-wan-link) interface - It's mostly to act as a placeholder for revising the firewall policy section.
Any static route setting should still be retained after placing a WAN interface into the SD_WAN, though I would try some testing on your part.
Shame you are not on site, if all possible I would set up a backup connection to a free port on the fgt in the event that you do lose connection to it, at least someone on site could swap cables/ports. (Just make sure the authorized admin port settings are also set up on the backup wan interface. And perhaps you may want to test that connection first.)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Personally, in a quick pinch (though not advisable), I likely do the same if there is like a lot of firewall policies. Though I would add one of your WAN interfaces to the SD-WAN first then edit a copy of that config:
- In the firewall policy section, replace "<wan interface name>" with "virtual-wan-link".
- Then add the other (WAN) interface(s) to the config system virtual-wan-link section. - Save the revised config (new copy) and load that into the fgt. Use the CLI to check for any errors : diagnose debug config-error-log read
And example of the SD-WAN section may look like in the CLI:
config system virtual-wan-link set status enable set load-balance-mode measured-volume-based config members edit 1 set interface "wan1" set volume-ratio 60 next edit 2 set interface "wan2" set volume-ratio 40 next next end
And an example (edited) firewall policy:
config firewall policy edit 11 set name "Access-appoved-DNS" set srcintf "internal_net"
set dstintf "virtual-wan-link"
set srcaddr "All_Internal"
set dstaddr "approved-dns" set service "DNS" set action accept next end
Again, the above is not recommended nor advised.
kubimike wrote:[...]I was going to download the config edit it and re-upload it. However that sounds like I might open a can of worms. I called support, no known work-arounds.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, both of my WAN interfaces are in use. I need to do this at about 9 sites remotely. If I remove policies IE (static routes) I won't be able to get to these devices anymore . This is a tricky one .
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Making major config changes via code edit/upload/reboot is nerve-wracking, but we have done it multiple times. You could use a diff tool like WinMerge to compare the result and give yourself some extra confidence that you didn't change anything wrong. Obviously find and replace is your friend when it comes to finding all the right things to change. All that said..doing it without the ability to at least go on-site quickly if needed....eesh...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Quick tip
Always deploy a single SDWAN setup even if from day one you have no need for multilink NAT members. A few sml steps now, saves you from a hughe headache later.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ha yeah Im a new customer just learned that after doing a complete rollout!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any "free/unused" interface can be added to the the SD-WAN (virtual-wan-link) interface - It's mostly to act as a placeholder for revising the firewall policy section.
Any static route setting should still be retained after placing a WAN interface into the SD_WAN, though I would try some testing on your part.
Shame you are not on site, if all possible I would set up a backup connection to a free port on the fgt in the event that you do lose connection to it, at least someone on site could swap cables/ports. (Just make sure the authorized admin port settings are also set up on the backup wan interface. And perhaps you may want to test that connection first.)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dave, I plan on running more wires to my internet switches temporarily moving everything to different ports. I can then remove WAN1 and WAN2 from all the policies etc and do what I need to do. Yeah I will need someone to put cables for me. I was hoping someone at Fortinet would see this and add the feature to the OS. Seems like a big oversight. One lesson learned as @Emnoc pointed out is start with SDWan first.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, I myself has been tasked to passively migrate about 35 fgt devices from using zone (load balancing) scheme to using the SD-WAN.
A word of caution though, at least on the 5.4 firmwares is SSL VPNs are not supported on SD-WAN.
kubimike wrote:One lesson learned as @Emnoc pointed out is start with SDWan first.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Im on 6.0.4
Related Posts
- Can we use a AWS Community... 285 Views
- Inquiries about how to operate the... 1115 Views
- Forticloud Key Registration Requirement 551 Views
- Bug notice - 7.4.1 - Firewall... 340 Views
- FortiClient VPN codes -6005 -5001 -5002... 6333 Views
Labels
-
FortiGate
6,510 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.