Technical Tip: How to use the VPN manager default zones in policies
Description
By default, VPN Manager creates three special ADOM zones for each IPsec VPN community.
This article describes how to use these VPN Manager default zones in policies.
The name format is:
- vpnmgr_<CommunityName>_hub2spoke
- vpnmgr_<CommunityName>_mesh
- vpnmgr_<CommunityName>_spoke2hub
For example, these three Communities will generate the following Default Zones.

- These zones are to be used in the security policies for the VPN gateways and cannot be manually edited or mapped.
- During the installation process, VPN Manager dynamically maps the tunnel interfaces of each gateway as members of the corresponding default zones.
- If a zone used in a policy does not apply to the gateway type and/or community membership, the respective policy is skipped during the installation.
- This approach allows a single policy package to be installed on multiple managed FortiGates, with only the policies relevant to the respective gateway being installed.
- However, in the other use case (a separate policy package for each gateway), using the wrong zone in a policy may cause FortiManager to give a validation error during the installation.
In this example, the '…spoke2hub' zone is incorrectly used in policy id 6 of a Policy Package meant to be installed only on the Hub gateway.
As a result, policy 6 causes a validation error:
Scope
FortiManager.
Solution
The examples below demonstrate how to use the Default Zones in separate Policy Packages (one for each type of managed gateway).
- Site to Site (Mesh).
In a 'Site to Site' community, only the respective 'vpnmgr_<CommunityName>_mesh' zone should be used.
- Hub and Spoke.
In a 'Hub and Spoke' community, only the respective hub2spoke and spoke2hub zones are used:
- 'vpnmgr_<CommunityName>_hub2spoke' is applied to the policies of the Hub.
- 'vpnmgr_<CommunityName>_spoke2hub' is applied to the policies of all Spokes within the respective community.
- Remote Access.
In a 'Remote Access' (Dial-Up) community, similar to 'Hub and Spoke', only the respective hub2spoke and spoke2hub zones are installed:
- 'vpnmgr_<CommunityName>_hub2spoke' is applied to the policies of the Hub.
- 'vpnmgr_<CommunityName>_spoke2hub' is applied to the policies of all Spokes within the respective community.
In all three examples, using zones not relevant to the gateway type, or for an incorrect community, will cause FortiManager to give a validation error during install.
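The selection rule described above (a default zone only applies to a gateway that holds the matching role in the named community; non-applicable policies are skipped from a shared package but are a validation error in a per-gateway package) can be checked before an install. The following script is an added example, not Fortinet's or FortiManager's code; it models that rule over constructed sample data. The community names ('HQ-Branches', 'DC-Mesh'), gateway names and policy ids are assumptions made for the example, and the script covers all three community types (mesh, hub and spoke, remote access) since the article states they use the same zone kinds.

```python
import re
from dataclasses import dataclass

# Zone name format from the article: vpnmgr_<CommunityName>_<hub2spoke|mesh|spoke2hub>
ZONE_RE = re.compile(r"^vpnmgr_(?P<community>.+)_(?P<kind>hub2spoke|mesh|spoke2hub)$")

# Gateway role each default zone kind is valid for: hub-and-spoke and remote-access
# communities use hub2spoke (hub) / spoke2hub (spokes), site-to-site uses mesh.
ZONE_KIND_TO_ROLE = {"hub2spoke": "hub", "spoke2hub": "spoke", "mesh": "mesh"}


@dataclass
class Gateway:
    name: str
    memberships: dict  # community name -> this gateway's role: "hub", "spoke" or "mesh"


@dataclass
class Policy:
    policy_id: int
    srcintf: list
    dstintf: list


class ValidationError(Exception):
    """Raised when a per-gateway package references a zone that cannot apply."""


def parse_zone(name):
    """Return (community, kind) for a VPN Manager default zone name, else None."""
    m = ZONE_RE.match(name)
    return (m.group("community"), m.group("kind")) if m else None


def zone_applies(zone, gateway):
    """A default zone applies only if the gateway is a member of that community
    with the role the zone kind is meant for. Ordinary interfaces always apply."""
    parsed = parse_zone(zone)
    if parsed is None:
        return True
    community, kind = parsed
    return gateway.memberships.get(community) == ZONE_KIND_TO_ROLE[kind]


def non_applicable_policies(policies, gateway):
    """IDs of policies whose src/dst interfaces include a zone that does not apply."""
    return [p.policy_id for p in policies
            if not all(zone_applies(z, gateway) for z in p.srcintf + p.dstintf)]


def plan_install(policies, gateway, shared_package=True):
    """Return (installed_ids, skipped_ids). With a shared package the
    non-applicable policies are skipped; with a per-gateway package they are
    reported as a validation error, mirroring the behaviour the article describes."""
    skipped = non_applicable_policies(policies, gateway)
    if skipped and not shared_package:
        raise ValidationError(
            f"policies {skipped} use zones that do not apply to {gateway.name}")
    installed = [p.policy_id for p in policies if p.policy_id not in skipped]
    return installed, skipped


# Constructed sample data (hypothetical community and gateway names).
HUB = Gateway("hub-fgt", {"HQ-Branches": "hub", "DC-Mesh": "mesh"})
SPOKE = Gateway("branch-fgt", {"HQ-Branches": "spoke"})

# One shared package meant for every managed gateway.
SHARED_PACKAGE = [
    Policy(1, ["port1"], ["vpnmgr_HQ-Branches_hub2spoke"]),
    Policy(2, ["vpnmgr_HQ-Branches_hub2spoke"], ["port1"]),
    Policy(3, ["vpnmgr_HQ-Branches_spoke2hub"], ["internal"]),
    Policy(4, ["vpnmgr_DC-Mesh_mesh"], ["internal"]),
    Policy(5, ["internal"], ["port1"]),  # no default zone: installs everywhere
]

# A hub-only package that, like policy 6 in the article, wrongly uses spoke2hub.
HUB_PACKAGE = [
    Policy(1, ["port1"], ["vpnmgr_HQ-Branches_hub2spoke"]),
    Policy(6, ["vpnmgr_HQ-Branches_spoke2hub"], ["port1"]),
]

if __name__ == "__main__":
    print("hub  :", plan_install(SHARED_PACKAGE, HUB))
    print("spoke:", plan_install(SHARED_PACKAGE, SPOKE))
    try:
        plan_install(HUB_PACKAGE, HUB, shared_package=False)
    except ValidationError as err:
        print("hub package:", err)
```

Running the script shows the two outcomes side by side: from the shared package the hub installs policies 1, 2, 4 and 5 and skips 3, the spoke installs 3 and 5 and skips the rest, while the hub-only package fails validation on policy 6 because a hub never holds the spoke role in its own community.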
