Skip to main content
userzer0
userzer0
Explorer
January 25, 2018
Question

VPNs and Zones?

  • January 25, 2018
  • 2 replies
  • 12193 views

I'm new to Fortigate and am trying to mirror a setup that we've successfully deployed across hundreds of firewalls from from a couple different vendors. We spoke with support regarding this, but my level of confidence in the conversation is low, so i'd like to run it the forum for a second opinion...

 

We have "spoke" locations that terminate tunnels to two "hub" locations, one primary and one backup.

 

We'd typically build route based tunnels and put VPN_1 and VPN_2 into the same zone (VPN) our firewall policies and address objects would then be based on the LAN and VPN zones:

LAN > VPN

VPN > LAN

 

The support tech we spoke with, suggested that a fortigate will not support the above setup (that we cannot group VPN interfaces into a single zone), which means we'd have to do something like:

LAN > VPN_1

LAN > VPN_2

VPN_1 > LAN

VPN_2 > LAN

 

The problem is that on many of the firewalls we're looking at, we're talking hundreds, if not thousands, of address objects (including groups) and hundreds of firewall policies that would have to be duplicated.

 

At the end of the day, I suppose it's not THAT much work to duplicate the configs... we'd just build one config that would be based on VPN_1, then find-replace instances of VPN_1 with VPN_2 (and renumber policies as needed), but that seems like a inefficient process and also one that increases the potential for error.

 

Can anyone comment regarding the viability of grouping VPN interfaces into the same zone and how to make it work (if it's possible)?

 

Thank you in advance,

Chris

    2 replies

    neonbit
    neonbit
    New Member
    January 28, 2018

    What they told you was wrong, you can definitely put VPN interfaces in zones. I've done your setup many times, having a hub with multiple VPNs to different offices, group all the VPN interfaces in a VPN zone and create a policy from lan > VPN and VPN > lan.

     

    Only thing to note is that with interzone traffic (ie: if the two spoke sites want to talk to each other through the hub) you have only two options, to either allow all traffic between them, or deny all traffic between them. If you want more granular control over what the spokes can speak to each other on then you'll need to take them out of the zone and create separate policies.

    smartit
    smartit
    New Member
    July 7, 2022

    This is not true. You could block intra-zone traffic and allow only certain traffic inside the zone with policies, for example if you have ZONE-A, use policy with source ZONE-A -> ZONE-A, e.g. control network traffic inside the zone with source and destination fields.

    UTM4thewin
    UTM4thewin
    New Member
    January 28, 2018

    Counldn't you just enable the "Multiple Interface Policies" feature and create your policies with multiple interfaces instead of a single zone?

    emnoc
    emnoc
    New Member
    January 29, 2018

    I have to agreed , what you where told is wrong. You can place dozens if not hundred of "interfaces" including a route-based-Intf in a zone. We do that at my  day job for simple and effective fwpolicy managements

    Terms & ConditionsAccessibility statement