mortirolo
New Member
April 26, 2017
Question

Cannot create Zone with same name as Physical port

  • April 26, 2017
  • 1 reply
  • 7865 views

I would like to create a zone called "dmz", but my FG100D will not let me, as it conflicts with a "duplicate" name, dmz, under physical ports. I changed the switch mode to physical. Is it possible to rename the physical port to stop this zone naming conflict?

100D # conf vdom
100D (vdom) # edit V1
current vf=V1:2
100D (V1) # config system zone
100D (zone) # edit
name    Zone name.
intranet
100D (zone) # edit dmz
the name "dmz" conflicts with a system interface of the same name
node_check_object fail! for name dmz
value parse error before 'dmz'
Command fail. Return code -553
100D (zone) #

100D # conf glo
100D (global) # conf sys int
100D (interface) # edit
dmz   static   0.0.0.0 0.0.0.0  down   disable   physical
ha1   static   0.0.0.0 0.0.0.0  up   disable   physical
ha2   static   0.0.0.0 0.0.0.0  up   disable   physical

    1 reply

    Kenundrum
    New Member
    April 26, 2017

    No, I don't think it's possible to rename the physical ports. I use zones a lot in order to abstract the physical and logical connections; if a change to the physical connections on a device becomes necessary, I don't have to completely rework the ruleset.

    What I do is name the different interface items with a suffix for what it is. For example, there's the physical interface DMZ as well as DMZ_VLAN and DMZ_ZONE. That is probably your best bet.

    mortirolo (Author)
    New Member
    April 26, 2017

    Yeah, there doesn't seem to be any way of changing a physical port name. I speak to our Fortigate expert in Nice, France every week; will find out for sure from him, I hope.

    emnoc
    New Member
    April 26, 2017

    No, you can't craft an interface or zone using any "hard" names.

    That means you can't craft an interface named port1 or lan,

    or a zone named port1 or port2.

    What you might do, if you ultimately have to have "DMZ", is to look at case sensitivity;

    e.g.

    FGTFW01 (root) # config system zone
    FGTFW01 (zone) # show
    FGTFW01 (zone) # edit PORT1
    new entry 'PORT1' added
    FGTFW01 (PORT1) # show
    config system zone
        edit "PORT1"
        next
    end
    FGTFW01 (PORT1) # next
    FGTFW01 (zone) # edit port1
    the name "port1" conflicts with a system interface of the same name
    node_check_object fail! for name port1
    value parse error before 'port1'
    Command fail. Return code -553

    I would caution NOT TO DO THIS and take the other Ken's advice before me ;) Here's why:

    A: let's say you have a firewall with no DMZ interface defined
    B: you managed to craft a zone named "DMZ"
    C: you later change to a model that has a "DMZ" interface
    D: your zone named "DMZ" will conflict with the interface name

    It's better just to name the zone with an extension or prefix, e.g.

    ZONADMZ
    DMZ_ZONE
    ZONE_DMZ
    Z_DMZ
    DMZ_Z
    etc.

    YMMV

    Ken
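A small pre-check in the spirit of these replies, as an added example that is not from the thread or from Fortinet: it parses interface names out of a constructed config dump, mirrors the exact-name rejection shown in the CLI output above, and additionally flags case-only collisions, which the CLI accepts but emnoc warns against. The config text, interface names and helper names are hypothetical.

```python
import re

# Constructed sample shaped like a FortiGate "show system interface" dump (hypothetical entries).
SAMPLE_CONFIG = """\
config system interface
    edit "dmz"
        set type physical
    next
    edit "port1"
        set type physical
    next
    edit "DMZ_VLAN"
        set interface "dmz"
        set vlanid 10
    next
end
"""

EDIT_LINE = re.compile(r'^edit\s+"?([^"\s]+)"?$')


def interface_names(config_text):
    """Collect entry names from the 'config system interface' block only."""
    names, inside = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            inside = True
        elif inside and line == "end":
            inside = False
        elif inside:
            match = EDIT_LINE.match(line)
            if match:
                names.append(match.group(1))
    return names


def check_zone_name(zone, interfaces):
    """'conflict' = exact match, rejected with return code -553 in the thread;
    'case-only' = accepted but fragile (emnoc's warning); 'ok' = no overlap."""
    if zone in interfaces:
        return "conflict"
    if zone.lower() in {name.lower() for name in interfaces}:
        return "case-only"
    return "ok"


def suggested_zone_name(base, interfaces, suffix="_ZONE"):
    """Apply the suffix convention from the replies until nothing overlaps."""
    candidate = base + suffix
    while check_zone_name(candidate, interfaces) != "ok":
        candidate += suffix
    return candidate
```

Run it against the output of `show system interface` from the global context before adding a zone, and treat a "case-only" result the same as a conflict.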