Description
This article describes the cause of an issue where an interface cannot be removed from a zone.
Scope
FortiGate.
Solution
Under some circumstances, an interface cannot be removed from a zone.
Note: This article refers to interface zones and not SD-WAN zones.
In this example, there are three zones. Attempting to remove port2 from the Outside zone fails.
Removing port2 in the GUI:
No errors are displayed in the GUI; however, port2 remains in the zone.
When trying to remove port2 from the zone on the CLI, the following error is observed:
Outside is used in policy. port2 can not be removed. [set_member_to_context_data:4451] node_unset_object(port2) error
The cause of this issue is that there is a firewall policy using a VIP with port2 as the external interface.
VIP using port2 as the external interface:
Firewall Policy using the VIP as a destination:
By removing the VIP from the policy, port2 can successfully be removed from the zone.
The GUI no longer displays port2 as part of the zone:
For more information about configuring zones, see: Zone.
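To find the blocking policy before attempting the removal, the following added example (not part of the original article and not Fortinet tooling) parses a configuration backup and lists the policies that reference the zone and use a VIP whose external interface is the given port. It assumes a single-VDOM backup with single-line option values and a policy that references the zone as its source or destination interface; the sample configuration, object names, and the functions `parse_tables` and `blocking_policies` are constructed for illustration.

```python
import shlex

# Constructed sample in FortiOS backup syntax; names and IDs are illustrative.
SAMPLE = '''
config firewall vip
    edit "web-vip"
        set extintf "port2"
    next
end
config firewall policy
    edit 1
        set srcintf "Outside"
        set dstaddr "web-vip"
    next
    edit 2
        set srcintf "Outside"
        set dstaddr "all"
    next
end
'''

def parse_tables(text):
    """Return {table: {entry: {option: [values]}}} for top-level tables."""
    tables, table, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        try:
            tok = shlex.split(line) or [""]
        except ValueError:  # multi-line quoted value, e.g. a certificate
            continue
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # new top-level table; forget the previous entry
                table, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def blocking_policies(text, zone, iface):
    """List (policy id, VIP) where the policy uses `zone` and the VIP's extintf is `iface`."""
    t = parse_tables(text)
    vips = {n for n, v in t.get("firewall vip", {}).items()
            if iface in v.get("extintf", [])}
    return [(pid, a) for pid, p in t.get("firewall policy", {}).items()
            if zone in p.get("srcintf", []) + p.get("dstintf", [])
            for a in p.get("dstaddr", []) if a in vips]
```

Calling `blocking_policies(open("backup.conf").read(), "Outside", "port2")` on a real backup returns the policy IDs and VIP names to review; `backup.conf` is a placeholder file name.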
Related articles:
Technical Tip: Virtual IP (VIP) port forwarding configuration
Technical Tip: Pros and Cons of using 'any' for Virtual IP Interface versus a specific interface