service chaining syntax, keyword fw vs netsvcX

njccnp
Level 1

In SD-WAN service chaining, using custom topology policy, does the fw keyword really do anything different than netsvc1, netsvc2, etc.? The firewall is presumably an external, possibly third-party, device, not configured by SD-WAN, correct? And SD-WAN simply redirects the packet to that device's IP address? 

Also, one Cisco document suggests that, when creating such policies bi-directionally, the edge router offering the firewall service needs to advertise two service IPs, one for each side of the firewall (inside and outside, for example). The document says to use netsvc1 for one of the addresses, since fw can't be used for two different IPs. If this works, then that seems to imply that using the netsvcX keyword works fine for firewalls, making the "fw" keyword unnecessary.

Also, is it actually true that two services would have to be advertised? For example, if traffic between two sites Site1 and Site2 is being directed through the firewall, does each site have to send traffic to a different firewall IP, to keep the sites on two "sides" (or zones) of the firewall?
