FortiManager
iyotov (Staff)
Article Id 195034

Description

By default, VPN manager creates three special ADOM zones for each IPsec VPN community.

This article describes how to use the VPN manager default zones in policies.



Name format is:

vpnmgr_<CommunityName>_hub2spoke
vpnmgr_<CommunityName>_mesh
vpnmgr_<CommunityName>_spoke2hub

For example, these three communities generate the following default zones (three per community).
These zones are intended for use in the security policies of the VPN gateways; they cannot be edited or mapped manually.
During installation, VPN manager dynamically maps the tunnel interfaces of each gateway as members of the corresponding default zones.

If a zone used in a policy is not applicable to the gateway's type (hub, spoke or mesh member) or to a community the gateway belongs to, that policy is skipped during installation.

This behaviour allows a single policy package to be installed on multiple managed FortiGates, with only the policies relevant to each gateway actually being installed on it.

However, in the other common setup (a separate policy package for each gateway), using the wrong zone in a policy causes FortiManager to silently skip that policy during installation, so the expected rule never reaches the gateway.

In the example below, the '…spoke2hub' zone is incorrectly used in policy ID 1 of a policy package that is meant to be installed only on the hub gateway.

As a result, policy 1 is skipped at the Copy step of the installation.


Solution
The examples below demonstrate how to use the default zones in separate policy packages (one for each type of managed gateway).

1) Mesh.
 
In a 'Mesh' community, only the respective 'vpnmgr_<CommunityName>_mesh' zone is mapped and installed, on every member of the community.
 
2) Hub and Spoke.

In a 'Hub and Spoke' community, only the respective hub2spoke and spoke2hub zones are installed, each on a different gateway type:

'vpnmgr_<CommunityName>_hub2spoke' is applied to the policies of the hub.

'vpnmgr_<CommunityName>_spoke2hub' is applied to the policies of all spokes within the respective community.
 
3) Dial-Up.

In a 'Dial-Up' community, similar to 'Hub and Spoke', only the respective hub2spoke and spoke2hub zones are installed:

'vpnmgr_<CommunityName>_hub2spoke' is applied to the policies of the hub.

'vpnmgr_<CommunityName>_spoke2hub' is applied to the policies of all spokes within the respective community.
In all three cases, a policy that references a zone of the wrong direction for the gateway type (for example spoke2hub on a hub), or a zone of a community the gateway is not a member of, is skipped by FortiManager during installation. Because the skip is reported only in the installation log, check the Copy step output after every install and confirm the expected policies are present on the gateway.
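The skip rule from the Description and the three cases above, written out as an added example (this is not code from the article or from Fortinet): a small Python pre-install check that derives which default zones VPN manager will map on a gateway from its community memberships and role, then reports which policies of a package would be skipped at the Copy step and why. The community names ('HQ', 'DC', 'Remote'), the role and community-type labels, and the policy records are constructed sample data for the example; policy 1 of the hub package reproduces the mistake described in the article.

```python
"""Pre-install check for VPN manager default zones.

Added example, not code from the article or from Fortinet: it models the
skip rule the article describes (a policy that references a vpnmgr_ zone
not mapped on the target gateway is skipped at the Copy step) so that a
policy package can be linted before it is installed.  Community names,
roles and policies below are constructed sample data.
"""

# Community types and gateway roles, named as in the article.
MESH, HUB_SPOKE, DIALUP = "mesh", "hub-and-spoke", "dial-up"
HUB, SPOKE, MEMBER = "hub", "spoke", "member"      # MEMBER: mesh participant

ZONE_PREFIX = "vpnmgr_"
ZONE_SUFFIXES = ("hub2spoke", "mesh", "spoke2hub")


def parse_zone(name):
    """Split 'vpnmgr_<Community>_<suffix>' into (community, suffix).

    Returns None for ordinary interfaces such as 'port1' or 'any'.  The
    suffix is matched from the right so community names may contain '_'.
    """
    if not name.startswith(ZONE_PREFIX):
        return None
    body = name[len(ZONE_PREFIX):]
    for suffix in ZONE_SUFFIXES:
        tail = "_" + suffix
        if body.endswith(tail) and len(body) > len(tail):
            return body[:-len(tail)], suffix
    return None


def applicable_zones(memberships):
    """Default zones VPN manager maps on one gateway.

    memberships: iterable of (community, community_type, role).  Mesh
    members get the _mesh zone; hubs of hub-and-spoke and dial-up
    communities get _hub2spoke; spokes of those communities get _spoke2hub.
    """
    zones = set()
    for community, ctype, role in memberships:
        if ctype == MESH:
            zones.add(f"{ZONE_PREFIX}{community}_mesh")
        elif ctype in (HUB_SPOKE, DIALUP) and role == HUB:
            zones.add(f"{ZONE_PREFIX}{community}_hub2spoke")
        elif ctype in (HUB_SPOKE, DIALUP) and role == SPOKE:
            zones.add(f"{ZONE_PREFIX}{community}_spoke2hub")
    return zones


def check_package(policies, memberships):
    """Predict the Copy step: return (installed_ids, skipped).

    skipped maps a policy id to the vpnmgr_ zones that cause the skip:
    either the wrong direction for the gateway's role or a community the
    gateway does not belong to.  Non-vpnmgr interfaces never cause a skip.
    """
    mapped = applicable_zones(memberships)
    installed, skipped = [], {}
    for pol in policies:
        offending = sorted(
            iface for iface in pol["srcintf"] + pol["dstintf"]
            if parse_zone(iface) is not None and iface not in mapped
        )
        if offending:
            skipped[pol["id"]] = offending
        else:
            installed.append(pol["id"])
    return installed, skipped


# Constructed sample: package for the hub of community 'HQ', which is also a
# member of mesh community 'DC'.  Policy 1 repeats the article's mistake
# (spoke2hub on the hub); policy 4 uses a community the hub is not part of.
HUB_MEMBERSHIPS = [("HQ", HUB_SPOKE, HUB), ("DC", MESH, MEMBER)]
HUB_PACKAGE = [
    {"id": 1, "srcintf": ["vpnmgr_HQ_spoke2hub"], "dstintf": ["port1"]},
    {"id": 2, "srcintf": ["port1"], "dstintf": ["vpnmgr_HQ_hub2spoke"]},
    {"id": 3, "srcintf": ["vpnmgr_DC_mesh"], "dstintf": ["vpnmgr_HQ_hub2spoke"]},
    {"id": 4, "srcintf": ["vpnmgr_Remote_hub2spoke"], "dstintf": ["port1"]},
]

# Constructed sample: the spoke package for the same community.
SPOKE_MEMBERSHIPS = [("HQ", HUB_SPOKE, SPOKE)]
SPOKE_PACKAGE = [
    {"id": 1, "srcintf": ["vpnmgr_HQ_spoke2hub"], "dstintf": ["port2"]},
    {"id": 2, "srcintf": ["port2"], "dstintf": ["vpnmgr_HQ_hub2spoke"]},
]


def main():
    for label, pkg, members in (("hub", HUB_PACKAGE, HUB_MEMBERSHIPS),
                                ("spoke", SPOKE_PACKAGE, SPOKE_MEMBERSHIPS)):
        installed, skipped = check_package(pkg, members)
        print(f"{label}: installed {installed}")
        for pid, zones in skipped.items():
            print(f"{label}: policy {pid} skipped, zones not mapped: {zones}")


if __name__ == "__main__":
    main()
```

Running the block reports that on the hub only policies 2 and 3 would install, while policy 1 (spoke2hub on a hub) and policy 4 (community the hub is not a member of) would be skipped; on the spoke, policy 2 (hub2spoke) would be skipped. The same check can be run against the single shared package of the Description section, where skips are the intended behaviour, to confirm that each gateway receives exactly the policies meant for it.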