Skip to main content
marconet-22
marconet-22
Explorer II
March 5, 2026
Solved

Can't Migrate tunnel(s) IPSec to Zone

  • March 5, 2026
  • 3 replies
  • 419 views

Hi

I need to migrate all IPSec Tunnel to one zone to create a single policy.

Now i can't migrate tunnel because "Integrate Interface" is gray and it can't select it.

 

Best answer by Toshi_Esumi

Unless your FortiOS is very old, you can create an empty zone first and use it in the new set (duplicated from existing ones?) whatever you want.
Then, you have to delete all policies bound to individual IPsec interfaces, them move them into the zone.
You can try with one IPsec first to test it. and move the rest one by one if you want. The bottom line is any refferencing policies have to be removed first.


Toshi

3 replies

kaman
Staff
kaman
Staff
March 5, 2026

Hi marconet-22,

This feature only supports physical interfaces. It is not possible to integrate virtual interfaces such as VLAN and tunnel interfaces.

Note: Migration is not supported if the physical or VLAN interface is used in a tunnel configuration (IPsec or SSL VPN).

Please refer to the document below for more information:


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Moving-an-Interface-that-has-existing-references/ta-p/301238


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

marconet-22
marconet-22Author
Explorer II
March 5, 2026

Hi Aman

is not possibile create a single zone to all tunnels?

Toshi_Esumi
SuperUser
Toshi_EsumiAnswer
SuperUser
March 5, 2026

Unless your FortiOS is very old, you can create an empty zone first and use it in the new set (duplicated from existing ones?) whatever you want.
Then, you have to delete all policies bound to individual IPsec interfaces, them move them into the zone.
You can try with one IPsec first to test it. and move the rest one by one if you want. The bottom line is any refferencing policies have to be removed first.


Toshi

marconet-22
marconet-22Author
Explorer II
March 6, 2026

Hi Toshi

I tested it and it works. I created test tunnel without policy or static route and i can add it to zone. Thank you

 

kaman
Staff
kaman
Staff
March 6, 2026

Hi Marconet-22,

You can also enable Multiple Interface Policies under System → Feature in the GUI. After enabling it, you can add the IPsec tunnels in the interface under firewall policy.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-multiple-interfaces-on-a-firewall/ta-p/193506


Regards,
Aman

marconet-22
marconet-22Author
Explorer II
March 6, 2026

Hi Aman

this is interesting, it's good alternative way.

Thank you

Terms & ConditionsAccessibility statement