Skip to main content
skogaren
skogaren
New Member
December 7, 2019
Solved

Add interface in existing firewall ruleset

  • December 7, 2019
  • 1 reply
  • 7279 views

Hello,

Currently our Fortigate 500E has many vlan interfaces.

The vlan interfaces are divided into zones in the firewall ruleset, for example:

ZONE-CLIENT - vlan interface/subnet where we have the internal PC clients.

ZONE-SERVER - vlan interface/subnet where we have the internal servers.

Here's an example of firewall rule and who it looks in the cli of the Fortigate.

SOURCE 192.168.1.0/24

DESTINATION 192.168.10.100,192.168.10.101

PROTOCOL/PORT TCP/80

---

config firewall policy edit 25 set name "CLIENT HTTP TRAFFIC" set srcintf "ZONE_CLIENT" set dstintf "ZONE_SERVER" set srcaddr "ADDR_NET_192.168.1.0" set dstaddr "ADDR_SRV_192.168.10.100" "ADDR_SRV_192.168.10.101" set action accept set schedule "always" set service "HTTP" next end

---

We are in the process of migrating routing from the Fortigate firewall to a Cisco core switch. The Fortigate will still be used as a firewall and the vlan interface with corresponding ip ranges will be created in the new core switch.

 

We have created a vlan interface on the core switch and Fortinet to use as a link-net between the core switch and firewall.

 

Can I add the new vlan interface as the incoming interface and can it co-exist with the same zone?

 

Like this?

---

config firewall policy edit 25 set name "CLIENT HTTP TRAFFIC" set srcintf "ZONE_CLIENT,INTERFACE-LINKNET" set dstintf "ZONE_SERVER" set srcaddr "ADDR_NET_192.168.1.0" set dstaddr "ADDR_SRV_192.168.10.100" "ADDR_SRV_192.168.10.101" set action accept set schedule "always" set service "HTTP" next end

---

Or do I have to create a zone for that link-net and build a copy of the existing firewall ruleset?

 

Kind regards,

 

    Best answer by Toshi_Esumi

    You said to create a new VLAN interface for the new policies. And it's not in the current zone. So it's up to the Cisco L3 switch routing which interface the client traffic is routed toward. It can't be on the both zone and the interface at the same time. So it would hit only one side of policy sets at a time.

    1 reply

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    December 7, 2019

    You can try it to see the effect. It would break "Interface Pair View" in policy GUI then show them as "By Sequence". You can always go back if you didn't like it.

    To me, creating a new policy with the new interface is much easier in the next step: just "del 25" in the policies.

    skogaren
    skogarenAuthor
    New Member
    December 8, 2019

    OK, I agree that it is better to create a new policy. I am new at Fortigate but I think that I would first clone the existing rule and then edit it and replace the zone with the interface?

     

    There is about 100 policies that need to be edited so any tips is gladly appreciate.

     

    Kind regards,

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    December 8, 2019

    If you have that many policies to migrate to the new circuit, I don't recommend using GUI. Just dump the policies into a text editor, replace the zone name with the new interface name, then change all "edit N" to "edit 0". Then paste them back into "config firewall policy".

    Terms & ConditionsAccessibility statement