Yes, that's another gotcha: any interface bound with policies CANNOT be added to a system zone. When going to zones, it's pretty straightforward, but you have to have a design set in place before building.
My strong experience is with Juniper SRX and ASA, and to a lesser degree Palo Alto, and all 3 of these are ZB-FW to some degree, with Cisco calling a zone an interface name.
I have found that people who are SRX or Palo Alto engineers seem to implement ZB firewall concepts with great success.
e.g.
ZONE_NAMEs == LAN1 LAN2 LAN3 DMZ1 ENTRUST
They do much better at zone implementation on a FortiGate firewall.
Now, back to the sub-interface and group: you can do what I've done in the past if you like the CLI (I'm a CLI guru ;) )
1> Have a fwpolicy that's deactivated that you clone for future use; just clone from that fwpolicy and modify the SRC/DST address & SERVICE, etc.
This keeps you from having to plug in X number of interfaces every time you add fwpolicies for that group of interfaces. Always clone from that same fwpolicy-id every time you need to reference the same group of interfaces.
2> This is NOT a zone configuration concept, but just a simple means of rapidly deploying repetitious policies that have the same dst_interfaces.
3> Keep in mind other gotchas: once you apply an "interface" into a zone, it cannot be part of another zone. That should be obvious, but a lot of security engineers try to use an interface across zones & that will not work.
4> If you need a zone for the 10+ sub-interfaces in your example, you could easily script this by copying all policies down, then crafting the new zone with no interfaces & uploading this through the web GUI script execution.
Then you delete all old fwpolicies and recreate them with the INTERFACE, now the zone name, and before you copy back in the policies you have to add the interface to the ZONE.
e.g.
config system zone
    edit "ZONA1_LAG_MEMBERS"
        set interface "some dummy interface name"
    next
end
config firewall policy
    (paste in the policies copied earlier)
end
Now unbind the fwpolicy per interface and apply the interface to the ZONE.
NOTE: you can't apply a fwpolicy with empty zone interfaces, but you can craft a zone with no interfaces defined.
Also, you can craft a fwpolicy with a dummy interface in the "ZONE" and then replace it with the sub-interfaces after you unbind the old fwpolicies.
This is strange behavior, but FortiOS allows a policy that references a system zone, and if you later remove the interface the fwpolicy will stay in the cfg.
e.g.
config firewall policy
    edit 18929
        set uuid 6fd5305c-3425-51e7-0187-9624f16cbd52
        set srcintf "port1"
        set dstintf "ZONA1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comment "empty zone, no member interfaces"
    next
end
FGTWXNOLA (root) #
config system zone
    edit "ZONA1"
        unset interface "port1"
end
FGTWXNOLA (root) # show system zone ZONA1
config system zone
    edit "ZONA1"
    next
end
That would be how I would approach it.
Ken
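Added example (not part of Ken's post, and not a Fortinet tool): a Python script that does the copy-down/re-create step from point 4 for the 10+ sub-interface case. It reads a pasted "show firewall policy" block, finds every policy that binds one of the would-be zone members on srcintf or dstintf, and emits a CLI script ordered around the two gotchas in the post: the bound policies are deleted first (so the interfaces are free to join the zone), the zone is populated next (so no policy ever has to reference a member-less zone), and only then are the policies re-created with the zone name in place of the member interfaces. The sample policy config, the port names and the zone name LAN1 are constructed for the example.

```python
"""Added example: build a FortiOS CLI script that moves per-sub-interface policy
bindings into a zone without ever adding a policy-bound interface to the zone or
referencing a zone that has no members (the two constraints from the thread)."""
import re

# Constructed sample of "show firewall policy" output (not real device output).
# Policies 10 and 11 bind the sub-interfaces that will become zone members;
# policy 12 sits between them in table order and must be left untouched.
SAMPLE_POLICY_CONFIG = """\
config firewall policy
    edit 10
        set srcintf "port2.100" "port2.101"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 12
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    edit 11
        set srcintf "port2.102"
        set dstintf "port1" "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
    next
end
"""

_EDIT_RE = re.compile(r"^edit\s+(\d+)$")
_QUOTED_RE = re.compile(r'"([^"]*)"')
INTF_KEYS = ("set srcintf ", "set dstintf ")


def parse_policies(cfg: str) -> dict[int, list[str]]:
    """Return {policy_id: ['set ...', ...]} in table order (dict keeps insertion order)."""
    policies, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := _EDIT_RE.match(line):
            current = int(m.group(1))
            policies[current] = []
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            policies[current].append(line)
    return policies


def rewrite_interfaces(set_line: str, members: set[str], zone: str) -> str:
    """Replace every member interface with the zone name (once), keeping other names."""
    key, out = set_line.split()[1], []
    for name in _QUOTED_RE.findall(set_line):
        repl = zone if name in members else name
        if repl not in out:
            out.append(repl)
    return f"set {key} " + " ".join(f'"{n}"' for n in out)


def bound_policies(policies: dict[int, list[str]], members: set[str]) -> list[int]:
    """IDs (table order) of policies whose srcintf/dstintf touch any zone member."""
    return [pid for pid, lines in policies.items()
            if any(ln.startswith(INTF_KEYS) and members & set(_QUOTED_RE.findall(ln))
                   for ln in lines)]


def build_migration(cfg: str, zone: str, members: list[str]) -> str:
    """Emit: delete bound policies -> populate zone -> re-create policies -> restore order."""
    policies, mset = parse_policies(cfg), set(members)
    order, hit = list(policies), bound_policies(parse_policies(cfg), set(members))
    out = ["config firewall policy"] + [f"    delete {pid}" for pid in hit]
    out += ["end", "", "config system zone", f'    edit "{zone}"',
            "        set interface " + " ".join(f'"{m}"' for m in members),
            "    next", "end", "", "config firewall policy"]
    for pid in hit:
        out.append(f"    edit {pid}")
        for ln in policies[pid]:
            out.append("        " + (rewrite_interfaces(ln, mset, zone) if ln.startswith(INTF_KEYS) else ln))
        out.append("    next")
    # Re-created policies land at the bottom of the table; move each back in front of
    # the next untouched policy so top-down evaluation order is preserved.
    for pid in hit:
        anchor = next((p for p in order[order.index(pid) + 1:] if p not in hit), None)
        if anchor is not None:
            out.append(f"    move {pid} before {anchor}")
    return "\n".join(out + ["end"]) + "\n"


if __name__ == "__main__":
    print(build_migration(SAMPLE_POLICY_CONFIG, "LAN1", ["port2.100", "port2.101", "port2.102"]))
```

Review the generated script before pasting it into the CLI or the GUI script execution. Because re-created policies are appended to the bottom of the policy table, the script ends with "move <id> before <id>" commands that put each re-created policy back in front of the next untouched one, so top-down evaluation order doesn't silently change; policies that were already at the bottom need no move. Every line other than srcintf/dstintf is copied verbatim (including any "set uuid" lines from the original policies), and there is still a window between the delete and the re-create where that traffic is denied, so run it in a change window.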