Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    Home FortiManager 6.4.0 New Features
    6.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.7
    6.2.3
    6.2.2
    6.2.1
    6.2.0

    New SD-WAN zone with support for virtual-wan-link and FortiOS 6.4.1

    New SD-WAN zone with support for virtual-wan-link and FortiOS 6.4.1

    FortiManager 6.4.1 and later supports SD-WAN zones and the virtual-wan-link option available in FortiOS 6.4.1 and later. Each SD-WAN interface member is assigned to a zone. The default zone is named virtual-wan-link.

    With the implementation of SD-WAN zones, you can no longer select SD-WAN interface members in policies. Instead you must select zones in policies.

    Note

    After upgrading to FortiManager 6.4.1, an SD-WAN zone named upg-zone-<interface-name> is automatically created for each interface member, and affected policies are automatically updated.

    When central management is enabled for SD-WAN in FortiManager, a normalized interface is automatically created when you create an SD-WAN zone.

    When you import an SD-WAN zone to FortiManager, FortiManager automatically creates a normalized interface and adds per-device mappings.

    This topic includes the following sections:

    Per-device management

    When per-device management is enabled in FortiManager, the default SD-WAN zone is named virtual-wan-link.

    You can create an SD-WAN interface member and an SD-WAN zone:

    To create an SD-WAN zone:
    1. In an ADOM with per-device management enabled, go to Device Manager > SD-WAN > SD-WAN.

      The SD-WAN configurations are displayed in the content pane.

    2. Double-click a configuration to open it for editing, or click Create New.

      The SD-WAN settings are displayed.

    3. In the Interface Members section, click Create New > SD-WAN Zone.

      The Create New SD-WAN Zone dialog box is displayed.

    4. In the Name box, type a name for the zone.
    5. Click the Interface Members box.

      The list of interfaces is displayed.

    6. Select the interfaces to be members of the zone, and click OK.
    7. Click OK to finish creating the zone.
    To create an SD-WAN interface member:
    1. In an ADOM with per-device management enabled, go to Device Manager > SD-WAN > SD-WAN.

      The SD-WAN configurations are displayed in the content pane.

    2. Double-click a configuration to open it for editing, or click Create New.

      The SD-WAN settings are displayed.

    3. In the Interface Members section, click Create New > SD-WAN Member.

      The Create New SD-WAN Interface Member dialog box is displayed.

    4. Click the Interface Members box, and select an interface.
    5. In the SD-WAN Zone box, select a zone.
    6. Click OK.

      The interface is added to the zone.

    Central management

    When central management is enabled, the default SD-WAN zone is named virtual-wan-link.

    You can create an SD-WAN member and an SD-WAN zone:

    To create an SD-WAN zone:
    1. In an ADOM with central management enabled, go to Device Manager > SD-WAN > SD-WAN Templates.

      The templates are displayed in the content screen.

    2. Double-click a template to open it for editing, or click Create New.

      The SD-WAN settings are displayed.

    3. In the Interface Members section, click Create New > SD-WAN Zone.
    4. In the Name box, type a name for the zone, such as vpn-zone.
    5. Click the Interface Members box.

      The list of interfaces is displayed.

    6. Select the interfaces to be members of the zone, and click OK.
    7. Click OK to finish creating the zone.

      In the following example, the zone named vpn-zone is created in addition to the default zone named virtual-wan-link.

    To create an SD-WAN interface member:
    1. In an ADOM with central management enabled, go to Device Manager > SD-WAN.

      The templates are displayed in the content screen.

    2. Double-click a template to open it for editing, or click Create New.

      The SD-WAN settings are displayed.

    3. In the Interface Members section, click Create New > SD-WAN Member.

      The Create New SD-WAN Interface Member dialog box is displayed.

    4. Create a new SD-WAN interface:
      1. In the Interface Member list, click the + icon.

        The Create New WAN Interface dialog box is displayed.

      2. In the Name box, type a name for the interface.
      3. In the Normalized Interface, select an interface.
      4. Complete the remaining options, and click OK.

        The SD-WAN interface is created.

    5. In the SD-WAN Zone box, select the zone.
    6. Click OK.

      The interface is added to the zone.

    Zones and interface members

    You can select SD-WAN zones as source and destination interfaces in firewall policies. You cannot select interface members of SD-WAN zones in firewall policies.

    The SD-WAN interface (virtual-wan-link) used in policies is replaced by SD-WAN zones.

    To view zones and interface members:
    1. Go to Policy & Objects > Object Configuration > Normalized Interface.

      The Normalized Interface column displays the name of the interface, and the Mapped Interface/Zone column displays the name of the zone.

    Zones in firewall policies

    To use a zone in a firewall policy:
    1. Go to Policy & Objects > Policy Packages > Firewall Policy.
    2. In the content pane, click Create New.

      The Create New Firewall Policy pane is displayed.

    3. Click the Incoming Interface box, and select a zone.

    4. Click the Outgoing Interface box, and select a zone.
    5. Set the remaining options, and click OK.

    SD-WAN interface members after upgrade

    Before FortiManager 6.4.1, you could use SD-WAN interface members directly in a policy. After upgrading to FortiManager 6.4.1, SD-WAN interface members are automatically upgraded to zones. Upgraded SD-WAN members are named upg-zone-<interface-name>, and they replace interfaces in policies.

    To view SD-WAN members after upgrade:
    1. Go to Device Manager > SD-WAN > SD-WAN Templates.
    2. Double-click a template to open it for editing.

      The upgraded SD-WAN members are displayed.

    To view upgraded SD-WAN members in policies:
    1. Go to Policy & Objects > Policy Packages > Firewall Policy.

      The upgraded SD-WAN members are displayed.

    Previous
    Next

    New SD-WAN zone with support for virtual-wan-link and FortiOS 6.4.1

    New SD-WAN zone with support for virtual-wan-link and FortiOS 6.4.1

    FortiManager 6.4.1 and later supports SD-WAN zones and the virtual-wan-link option available in FortiOS 6.4.1 and later. Each SD-WAN interface member is assigned to a zone. The default zone is named virtual-wan-link.

    With the implementation of SD-WAN zones, you can no longer select SD-WAN interface members in policies. Instead you must select zones in policies.

    Note

    After upgrading to FortiManager 6.4.1, an SD-WAN zone named upg-zone-<interface-name> is automatically created for each interface member, and affected policies are automatically updated.

    When central management is enabled for SD-WAN in FortiManager, a normalized interface is automatically created when you create an SD-WAN zone.

    When you import an SD-WAN zone to FortiManager, FortiManager automatically creates a normalized interface and adds per-device mappings.

    This topic includes the following sections:

    Per-device management

    When per-device management is enabled in FortiManager, the default SD-WAN zone is named virtual-wan-link.

    You can create an SD-WAN interface member and an SD-WAN zone:

    To create an SD-WAN zone:
    1. In an ADOM with per-device management enabled, go to Device Manager > SD-WAN > SD-WAN.

      The SD-WAN configurations are displayed in the content pane.

    2. Double-click a configuration to open it for editing, or click Create New.

      The SD-WAN settings are displayed.

    3. In the Interface Members section, click Create New > SD-WAN Zone.

      The Create New SD-WAN Zone dialog box is displayed.

    4. In the Name box, type a name for the zone.
    5. Click the Interface Members box.

      The list of interfaces is displayed.

    6. Select the interfaces to be members of the zone, and click OK.
    7. Click OK to finish creating the zone.
    To create an SD-WAN interface member:
    1. In an ADOM with per-device management enabled, go to Device Manager > SD-WAN > SD-WAN.

      The SD-WAN configurations are displayed in the content pane.

    2. Double-click a configuration to open it for editing, or click Create New.

      The SD-WAN settings are displayed.

    3. In the Interface Members section, click Create New > SD-WAN Member.

      The Create New SD-WAN Interface Member dialog box is displayed.

    4. Click the Interface Members box, and select an interface.
    5. In the SD-WAN Zone box, select a zone.
    6. Click OK.

      The interface is added to the zone.

    Central management

    When central management is enabled, the default SD-WAN zone is named virtual-wan-link.

    You can create an SD-WAN member and an SD-WAN zone:

    To create an SD-WAN zone:
    1. In an ADOM with central management enabled, go to Device Manager > SD-WAN > SD-WAN Templates.

      The templates are displayed in the content screen.

    2. Double-click a template to open it for editing, or click Create New.

      The SD-WAN settings are displayed.

    3. In the Interface Members section, click Create New > SD-WAN Zone.
    4. In the Name box, type a name for the zone, such as vpn-zone.
    5. Click the Interface Members box.

      The list of interfaces is displayed.

    6. Select the interfaces to be members of the zone, and click OK.
    7. Click OK to finish creating the zone.

      In the following example, the zone named vpn-zone is created in addition to the default zone named virtual-wan-link.

    To create an SD-WAN interface member:
    1. In an ADOM with central management enabled, go to Device Manager > SD-WAN.

      The templates are displayed in the content screen.

    2. Double-click a template to open it for editing, or click Create New.

      The SD-WAN settings are displayed.

    3. In the Interface Members section, click Create New > SD-WAN Member.

      The Create New SD-WAN Interface Member dialog box is displayed.

    4. Create a new SD-WAN interface:
      1. In the Interface Member list, click the + icon.

        The Create New WAN Interface dialog box is displayed.

      2. In the Name box, type a name for the interface.
      3. In the Normalized Interface, select an interface.
      4. Complete the remaining options, and click OK.

        The SD-WAN interface is created.

    5. In the SD-WAN Zone box, select the zone.
    6. Click OK.

      The interface is added to the zone.

    Zones and interface members

    You can select SD-WAN zones as source and destination interfaces in firewall policies. You cannot select interface members of SD-WAN zones in firewall policies.

    The SD-WAN interface (virtual-wan-link) used in policies is replaced by SD-WAN zones.

    To view zones and interface members:
    1. Go to Policy & Objects > Object Configuration > Normalized Interface.

      The Normalized Interface column displays the name of the interface, and the Mapped Interface/Zone column displays the name of the zone.

    Zones in firewall policies

    To use a zone in a firewall policy:
    1. Go to Policy & Objects > Policy Packages > Firewall Policy.
    2. In the content pane, click Create New.

      The Create New Firewall Policy pane is displayed.

    3. Click the Incoming Interface box, and select a zone.

    4. Click the Outgoing Interface box, and select a zone.
    5. Set the remaining options, and click OK.

    SD-WAN interface members after upgrade

    Before FortiManager 6.4.1, you could use SD-WAN interface members directly in a policy. After upgrading to FortiManager 6.4.1, SD-WAN interface members are automatically upgraded to zones. Upgraded SD-WAN members are named upg-zone-<interface-name>, and they replace interfaces in policies.

    To view SD-WAN members after upgrade:
    1. Go to Device Manager > SD-WAN > SD-WAN Templates.
    2. Double-click a template to open it for editing.

      The upgraded SD-WAN members are displayed.

    To view upgraded SD-WAN members in policies:
    1. Go to Policy & Objects > Policy Packages > Firewall Policy.

      The upgraded SD-WAN members are displayed.

    Previous
    Next