JEsguerra
New Member
July 11, 2017
Solved

FortiManager Interface Mapping

  • July 11, 2017
  • 1 reply
  • 22243 views

I am new to FortiManager. I've been working with FortiGate products for a long time, but this is my first time in FortiManager, with a new project that consists of over 30 100Ds and a few 900Ds.

 

What is the best practice for handling the interfaces of different products? Do you create an interface Port1 for each of the models, or just one Port1 that is called in the policies and the packages destined for each model?

 

Or do you create a Port1_100D and a Port1_900D in order to segregate them?

 

Does anybody who has several models installed have guidance on what has worked for you when it comes to mapping the ports?

 

Thank you kindly.

ergotherego
New Member
July 11, 2017

No need to worry about naming the interfaces differently across different platforms inside FMG. You just need to remember to reference the proper interface when creating new policies, otherwise install will fail (zone validation).

 

It only matters if you are going to do:

 

1) Shared policy packages across firewalls of different platforms

2) Global policy packages

 

If you need to account for one of those things, my recommendation is to zone all interfaces on every firewall. Then your policies reference the zone, i.e., Public, Cameras, etc.

JEsguerra (Author)
New Member
July 13, 2017

Thank you so much ergotherego. For the people that find this thread with the same question here is what you do:

 

Once you have the FortiGate in the list of devices you need to make sure you "Import Policy" under Device Manager and highlight the unit you want to import the settings from. This is so that you get all the ports listed under: Policy & Objects>Object Configurations>Zone/Interface>Interfaces

 

What ergotherego is referring to is that once you have those interfaces in there then create some zones. This is the most important part because you will add ports to the Zone and then you reference the Zone name in the policies and then you assign the policy to a device and that is how the mapping occurs.

 

So you create a zone in the same Interfaces menu you are by clicking Create New>Zone at the top menus. Name the Zone whatever you want, for example: OfficeLAN, OfficeDMZ, DataCenterWAN, DataCenterLAN, etc...

 

Then, in the same location, double click the Zone, Switch On the Per Device Mapping, Add, select the device and the port. You get a message that it will change the current mapping, select yes, and voila!

 

Run the Install Wizard and you will see the ports and zones you created reflected on the device. Create your policies using the Zone names.

 

Another way to look at it is with this example:

 

FortiGate1 has 2 ports

FortiGate 2 has 4 ports

P=Port

 

FortiGate 1 (Office) > P1, P2

FortiGate 2 (DataCenter) > P1, P2, P3, P4

 

Create a zone that will be used in the office for WAN and LAN and another in the DataCenter for the same WAN and LAN

 

Create the Zone and assign the ports

 

OfficeWAN > P1

OfficeLAN > P2

DataCenterWAN > P1

DataCenterLAN > P2

 

You will effectively see P1 and P2 mapped on both of the devices, but you will call your Zones independently in the Policy Package that will be assigned to a Device.

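As an added illustration (not code from anyone in this thread), here is a small Python pre-check that mirrors the zone validation ergotherego mentions: every zone a policy package references must have a per-device mapping on every device the package is assigned to, and a physical port can sit in only one zone per device. The device, zone and port names are constructed from the worked example above.

```python
from dataclasses import dataclass

# Constructed inventory mirroring the thread's example: which ports each device has.
DEVICE_PORTS = {
    "FortiGate1": {"port1", "port2"},                      # Office
    "FortiGate2": {"port1", "port2", "port3", "port4"},    # DataCenter
}

# Per-device mapping: zone name -> {device -> set of physical ports on that device}.
ZONE_MAPPINGS = {
    "OfficeWAN":     {"FortiGate1": {"port1"}},
    "OfficeLAN":     {"FortiGate1": {"port2"}},
    "DataCenterWAN": {"FortiGate2": {"port1"}},
    "DataCenterLAN": {"FortiGate2": {"port2"}},
}


@dataclass
class PolicyPackage:
    name: str
    assigned_devices: list   # devices the package will be installed on
    zones_used: set          # zone names referenced by its policies


def validate_package(pkg, zone_mappings=ZONE_MAPPINGS, device_ports=DEVICE_PORTS):
    """Return the problems that would make the install fail; an empty list means it passes."""
    problems = []
    for dev in pkg.assigned_devices:
        ports = device_ports.get(dev)
        if ports is None:
            problems.append(f"{pkg.name}: unknown device {dev}")
            continue
        for zone in sorted(pkg.zones_used):
            mapped = zone_mappings.get(zone, {}).get(dev, set())
            if not mapped:
                problems.append(f"{pkg.name}: zone {zone} has no mapping on {dev}")
            # A mapping that names a port the hardware does not have also breaks the install.
            for port in sorted(mapped - ports):
                problems.append(f"{pkg.name}: zone {zone} maps to {port}, which {dev} lacks")
    return problems


def find_port_conflicts(zone_mappings=ZONE_MAPPINGS):
    """A physical port can belong to only one zone per device; report any that are in two."""
    seen, conflicts = {}, []
    for zone, per_device in zone_mappings.items():
        for dev, ports in per_device.items():
            for port in ports:
                other = seen.setdefault((dev, port), zone)
                if other != zone:
                    conflicts.append(f"{dev} {port} is in both {other} and {zone}")
    return sorted(conflicts)
```

Run it against a package before assigning it to a new model and you see the same complaint the installer would raise, without touching a device.
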
lkorbasiewicz_FTNT
Staff
July 19, 2017

Hi,

Just to clarify - you don't need to create zones on FortiManager, you may as well use "Interface" with whatever name you want (like DMZ, OfficeLAN, DCLAN etc) and dynamically map them to physical interfaces of the FortiGate.

Zones are best used if you need to map more than one interface to a zone so you can use it in a policy to simplify it.

 

Best Regards,

Lukasz Korbasiewicz

Fortinet EMEA TAC Lead Engineer

Fortinet NSE7 Certified

To reach support on call:

http://www.fortinet.com/support/contact_support.html

 

Helpful links:

http://kb.fortinet.com

http://video.fortinet.com

http://docs.fortinet.com