Description
Name format is:
vpnmgr_<CommunityName>_hub2spoke
vpnmgr_<CommunityName>_mesh
vpnmgr_<CommunityName>_spoke2hub
For example, these three Communities will generate the following Default Zones. These zones are to be used in the security policies for the VPN gateways and cannot be manually edited or re-mapped.
During installation, VPN Manager dynamically maps the tunnel interfaces of each gateway as members of the corresponding default zones.
If a zone used in a policy is not applicable to the gateway (because of its gateway type and/or its community membership), that policy is skipped during the installation.
This approach allows a single policy package to be installed to multiple managed FortiGates, with only the policies relevant to each gateway actually being installed on it.
However, in the other use case (a separate policy package for each gateway), using the wrong zone in a policy causes FortiManager to skip that policy during the installation.
In this example, the '…spoke2hub' zone is incorrectly used in policy ID 1 of a Policy Package meant to be installed only to the Hub gateway. As a result, policy 1 is skipped at the Copy step of the installation:
Solution
The examples below demonstrate how to use the Default Zones in separate Policy Packages (one for each type of managed gateway).
1) Mesh. In a 'Mesh' community, only the respective 'vpnmgr_<CommunityName>_mesh' zone is installed, on every member of the community.
2) Hub and Spoke.
In a 'Hub and Spoke' community, only the respective hub2spoke and spoke2hub zones are installed:
'vpnmgr_<CommunityName>_hub2spoke' is applied to the policies of the Hub.
'vpnmgr_<CommunityName>_spoke2hub' is applied to the policies of all Spokes within the respective community.
3) Dial-Up.
In a 'Dial-Up' community, as in 'Hub and Spoke', only the respective hub2spoke and spoke2hub zones are installed:
'vpnmgr_<CommunityName>_hub2spoke' is applied to the policies of the Hub.
'vpnmgr_<CommunityName>_spoke2hub' is applied to the policies of all Spokes within the respective community.
In all three cases, a policy that references a zone not applicable to the gateway type, or belonging to a community the gateway is not a member of, is skipped by FortiManager during the install; the Copy step of the installation log shows which policies were skipped.
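As an added illustration (not Fortinet code, and not part of the original article), the following Python script applies the zone rules above as a pre-install check on a policy package: it derives the default zones VPN Manager would map on a gateway from that gateway's community memberships, then flags every policy that references a 'vpnmgr_…' default zone the gateway will not have, which is exactly the condition that makes FortiManager skip the policy at the Copy step. The Community/Gateway/Policy model, the topology and role labels, and the sample communities, gateways and policies are all assumptions constructed for the example; real data would have to be pulled from FortiManager, which the script does not do.

```python
import re
from dataclasses import dataclass

# Name format of the VPN Manager default zones (from the article). Community names may
# themselves contain underscores, so the suffix is anchored at the end of the name.
ZONE_RE = re.compile(r"^vpnmgr_(?P<community>.+)_(?P<suffix>hub2spoke|mesh|spoke2hub)$")


@dataclass
class Community:
    name: str
    topology: str  # "mesh", "hub-and-spoke" or "dial-up" (assumed labels)


@dataclass
class Gateway:
    name: str
    memberships: dict  # community name -> "hub", "spoke" or "member" (mesh); assumed model


@dataclass
class Policy:
    policyid: int
    srcintf: list
    dstintf: list


def parse_zone(name):
    """Return (community, suffix) for a default-zone name, or None for any other interface."""
    m = ZONE_RE.match(name)
    return (m["community"], m["suffix"]) if m else None


def applicable_zones(gateway, communities):
    """Default zones VPN Manager maps on this gateway, per the rules in the article:
    mesh members get _mesh, hubs get _hub2spoke, spokes get _spoke2hub
    (hub-and-spoke and dial-up communities behave the same way)."""
    zones = set()
    for cname, role in gateway.memberships.items():
        topology = communities[cname].topology
        if topology == "mesh" and role == "member":
            zones.add(f"vpnmgr_{cname}_mesh")
        elif topology in ("hub-and-spoke", "dial-up") and role == "hub":
            zones.add(f"vpnmgr_{cname}_hub2spoke")
        elif topology in ("hub-and-spoke", "dial-up") and role == "spoke":
            zones.add(f"vpnmgr_{cname}_spoke2hub")
    return zones


def check_package(policies, gateway, communities):
    """Map policyid -> reason for every policy that would be skipped on this gateway."""
    mapped = applicable_zones(gateway, communities)
    skipped = {}
    for p in policies:
        for intf in p.srcintf + p.dstintf:
            if parse_zone(intf) is None:
                continue  # ordinary interface or zone: not a VPN Manager default zone
            if intf not in mapped:
                skipped[p.policyid] = f"zone '{intf}' is not mapped on {gateway.name}"
                break
    return skipped


def demo():
    """Constructed sample: one hub-and-spoke community, one mesh community, two gateways."""
    communities = {
        "HQ_VPN": Community("HQ_VPN", "hub-and-spoke"),
        "Branch_Mesh": Community("Branch_Mesh", "mesh"),
    }
    hub = Gateway("hub", {"HQ_VPN": "hub"})
    spoke1 = Gateway("spoke1", {"HQ_VPN": "spoke", "Branch_Mesh": "member"})
    policies = [
        Policy(1, ["vpnmgr_HQ_VPN_spoke2hub"], ["port1"]),  # the mistake from the article
        Policy(2, ["port1"], ["vpnmgr_HQ_VPN_hub2spoke"]),
        Policy(3, ["vpnmgr_Branch_Mesh_mesh"], ["port1"]),
        Policy(4, ["port1"], ["port2"]),                    # no default zone: never skipped
    ]
    return {gw.name: check_package(policies, gw, communities) for gw in (hub, spoke1)}


if __name__ == "__main__":
    for gw_name, skipped in demo().items():
        for pid, reason in sorted(skipped.items()):
            print(f"{gw_name}: policy {pid} would be skipped: {reason}")
```

Run against the constructed sample, the check reports policies 1 and 3 as skipped on the hub (spoke2hub belongs to the spokes, and the hub is not a member of the mesh community) and policy 2 as skipped on spoke1, which is the same outcome the Copy step of a real installation would show.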
Copyright 2024 Fortinet, Inc. All Rights Reserved.