Configuring firewall policies for SD-WAN
After you create an SD-WAN interface, FortiGate adds a virtual interface for SD-WAN to the interface list that can be used to create firewall policies.
You must configure a policy that allows traffic from your organization's internal network to the SD-WAN interface (virtual-wan-link
in the CLI). You do not need to configure policies for each individual SD-WAN member interface because policies configured with the SD-WAN interface apply to all SD-WAN interface members.
To create a firewall policy for SD-WAN:
- Go to Policy & Objects > Firewall Policy.
- Click Create New. The New Policy page opens.
- Configure the following:
Name
Enter a name for the policy.
Incoming Interface
internal
Outgoing Interface
SD-WAN
Source
all
Destination
all
Schedule
always
Service
ALL
Action
ACCEPT
Firewall / Network Options
Enable NAT and set IP Pool Configuration to Use Outgoing Interface Address.
Security Profiles
Apply profiles as required.
Logging Options
Enable Log Allowed Traffic and select All Sessions. This allows you to verify results later.
- Enable the policy, then click OK.