Willem_K_63
Visitor III
January 31, 2025
Question

Normalized interface question.

LS,


I have 2 questions with regards to FortiManager and normalized interfaces.

1. Is it possible, or will it be possible, to map 2 (or more) interfaces in the device mapping to 1 normalized interface? Example: VOICE (SSID) and VOICE (VLAN) interfaces being mapped in the Device Mapping to the normalized interface "Voice".

 

2. Assume I have a normalized interface Voice-ssid with, in the device mapping, all the FortiGates(ssid) with a Voice SSID interface. I also have a normalized interface Voice-vlan with, in the device mapping, all the FortiGates(vlan) with a Voice VLAN interface.
Note that FortiGates(ssid) is not equal to FortiGates(vlan).
Some FortiGates have only Voice-ssid, some have Voice-vlan and some have both.

My question is, can a policy block where "incoming interface" has both "Voice-ssid" and "Voice-vlan" be applied on all the FortiGates in my estate?


5 replies

funkylicious
SuperUser
January 31, 2025

1. yes, you can map multiple interfaces to a single normalized interface

when you create the normalized interface, let's call it VOICE you can edit it and in it you can do per-device mapping and then select the device/FortiGate and interfaces that would be used when it's referenced.

then you can create a firewall rule using the normalized interface as incoming and push it to the FGTs, and each one will have its specific interface in the rule visible locally on it.

 

ex, I created a normalized interface called VOICE and then assigned port3 from each device in the list. then I created a firewall rule referencing the normalized interface as source and then a push to the gates will do the trick:

"jack of all trades, master of none"
dingjerry_FTNT
Staff
January 31, 2025

Hi @Willem_K_63 , 

 

For the first question, when different real interfaces point to the same normalized interface, it will create dynamic mapping.

Willem_K_63
Visitor III
February 3, 2025

Hmm.. with regards to my first question, I perhaps did not express myself clearly enough.
Is it possible to map 2 different interfaces, VOICE (SSID) and VOICE (VLAN), from 1 fortigate into 1 single normalized interface "Voice"?
We are using FortiManager 7.2.8.

@funkylicious thanks for your quick response.
I do understand how the device mapping works and how they should be used in a policy.
I'm having some discussion with our integrator who claims that "a policy-block where "incoming interface" has both the "Voice-ssid" and "Voice-vlan" applied on all the fortigates in my estate" will not work.
Keep in mind that FortiGates(ssid) is not equal to FortiGates(vlan) and some FortiGates have only Voice-ssid, some have Voice-vlan and some have both.
The reason for reaching out is that I have my doubts about the integrator's statement.

Willem_K_63
Visitor III
February 21, 2025

With regards to my first question, 2 different interfaces on 1 FortiGate being mapped to 1 normalized interface apparently is not possible.
When you do the device mapping it is not possible to select 2 interfaces on one FortiGate.

 

With regards to the second question:
If a "normalized interface name" is not available on a FortiGate, the installation will fail.

So that does not work either. With FMG 7.4 you are able to solve this with additional policies and selecting an installation target.

Thanks for all the feedback.

Toshi_Esumi
SuperUser
February 21, 2025

I think, only I think, you @Willem_K_63 want No.1 because you want to apply the same policy to either or both of the "VOICE" interfaces, regardless of whether it's a wired VLAN and/or WiFi SSID. Am I wrong?
Then, if that's the case, the best/smart option wouldn't be doing it at the FMG, but setting up a zone to include all VOICE related interfaces, so that you don't need separate policies for each interface.

Toshi

sw2090
SuperUser
February 25, 2025

I understood you have several FGT in FMG some of which have two voice interfaces and some have only one. 

One solution is to create an interface zone on every one of your FortiGates, add those interface(s) to it and then map that to one normalized interface. Then FMG will deploy the corresponding zone to the FortiGates, and that zone could have just one member or more. That should cope with your requirements if I got them correctly.
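The per-device zone approach described in this reply, shown as an added illustration that is not from the thread or from Fortinet: FortiOS CLI for two hypothetical FortiGates, one with both voice interfaces and one with only the VLAN, each defining a zone with the same name so that a single normalized interface (and therefore a single policy) can reference it. The interface names "Voice-ssid", "Voice-vlan" and "internal", and the zone name "VOICE", are assumptions.

```fortios
# FortiGate A (hypothetical): has both a Voice SSID and a Voice VLAN interface.
# Both become members of one zone named VOICE.
config system zone
    edit "VOICE"
        set interface "Voice-ssid" "Voice-vlan"
    next
end

# FortiGate B (hypothetical): only has the Voice VLAN interface.
# Same zone name, single member; the policy below still installs unchanged.
config system zone
    edit "VOICE"
        set interface "Voice-vlan"
    next
end

# The policy is identical on both devices because it references the zone,
# not the underlying interfaces. In FortiManager the zone is the per-device
# object that the normalized interface "Voice" would be mapped to.
# "internal" is an assumed LAN interface name; "SIP" is a default service object.
config firewall policy
    edit 0
        set name "Voice-to-LAN"
        set srcintf "VOICE"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
    next
end
```

FortiOS will refuse to add an interface to a zone while that interface is still referenced directly by an existing policy, so those references have to be removed or rewritten to the zone first.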

Willem_K_63
Visitor III
February 25, 2025

@sw2090 @Toshi_Esumi Thanks for the feedback. That was indeed an option mentioned by our MSP. We decided not to do this, honestly, I do not recall the reason. :(
@dingjerry_FTNT Thanks for the feedback. I believe I have got the point. Thanks.