craftedpacket
New Contributor

200B vs 300A

I am looking at upgrading our FortiGate and I am confused about the 200B and 300A models. The 300A model is something like twice the cost of the 200B, yet the 200B stats show it to have a lot higher firewall throughput and more interfaces. Anyone know what the deal is with it? The 200B also has a different look than most of the other models.
g3rman
New Contributor

The 200B series is newer hardware and architecture as compared to the 300A. I would probably recommend buying the 200B series.
A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
craftedpacket
New Contributor

Thanks for your quick response. So can all 16 interfaces be configured as different zones?
ede_pfau
SuperUser

Yes. If 'zone' stands for 'separate subnet'. There are no restrictions on how you use the ports, that is, there are no 'dedicated' ports.

One detail though: some ports are Gigabit, and only some Gigabit ports use network processors to accelerate traffic. Thus, you can achieve wirespeed firewalling, or you could offload IPSec encryption/decryption to these NP ports. All other 'regular' traffic is processed by the CPU (AV, IPS, WF, ...). The raw power of the 200B is so comfortable that I never had to tweak these special ports for acceleration. Even with a lot of VPN tunnels, CPU load stays below 5%. Of course, YMMV.

Now some personal opinion: the 300A is old iron. I'd never consider buying one these days. The newer line of FortiGates (310B/620B/1240B, 80C, 200B, 60C) offers line-speed GbE firewalling, and partly high AV rates. And you're right, at incredibly low cost.

If you'd mentioned your old model I could be more specific, but given the comparison between 300A and 200B I assume that you're looking for a replacement with the power of at least the 300A. Then you'll be 100% happy with a 200B, no doubt.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
craftedpacket
New Contributor

Thanks for your response. By zones I meant: if you designate 1 interface to be the outside or WAN port, can you set up firewall rules between the WAN port and, say, interface 2, and between the WAN port and interface 3, that do not affect each other? Say you wanted interface 1 to interface 2 all ports open... interface 1 to interface 3 all ports blocked... as a raw example. Can you do that?
ede_pfau
SuperUser

Yes, sure. Policies allow or deny traffic between interfaces. Interfaces may be ports, VLAN ports, VPN tunnels, VDOM ports... There are no restrictions on how you use them. The default is that when there is no explicit policy for traffic from one interface to another, then there is no traffic.

Keep in mind that policies control session buildup, not packet flow. For example, if you only have a policy allowing HTTP from internal to WAN, then once you contact a remote webserver you are able to receive return traffic, although there is no policy for the return direction (WAN -> internal). But a remote host would never be able to open a session to the internal LAN.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

Once you take an interface (or interface mode tunnel) and place it into a zone, you are no longer able to control it outside the zone policy. After this step, you have 2 options: allow or deny intra-zone traffic. Plan accordingly.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

craftedpacket
New Contributor

Thank you for your replies. Rwpatterson: I think that is what I am needing. I need to control traffic from one external interface to an internal interface... as well as controlling traffic from the same external interface to a separate internal interface. I will be hosting some stuff and need to separate it out... but I don't want to use separate "outside" interfaces. I also don't want policies affecting more than one "zone".
ede_pfau
SuperUser

Your question has already been answered. One policy controls traffic from WAN to internal1, and another the traffic from WAN to internal2. Both are independent of each other. Policies only affect the two interfaces/ports involved.

For clarity, I'd suggest you use the term 'interface' or 'port' instead of 'zone', as there is a 'zone' object in FortiOS that is not meant here. Could it be that you have experience with Juniper/Netscreen firewalls? They use the concept of a 'zone' extensively. It reduces the number of policies needed, and at the same time reduces the explicitness or clarity. If you have several interfaces in a 'public zone' and policies controlling traffic into the 'private zone', then there is only a summary control.

What you are intending is policies between ports, and even controlling different services from the external port to internal ports. That is the normality with FortiOS.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
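Added example, not part of the thread and not FortiOS code: a toy Python model of the behaviour described in the replies above, where a policy is matched per interface pair when a session is opened, return traffic rides the existing session, and traffic with no matching policy hits the implicit deny. Interface names, addresses and ports are constructed for illustration.

```python
# Toy model (added illustration, not FortiOS code): policies are matched per
# interface pair at session setup; established sessions pass both directions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Policy:
    src_if: str
    dst_if: str
    dport: Optional[int]  # None means any service
    accept: bool

@dataclass
class Firewall:
    policies: list
    sessions: set = field(default_factory=set)

    def handle(self, in_if, out_if, src, sport, dst, dport, opener=True):
        """Return True if the packet is forwarded, False if dropped."""
        flow = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if flow in self.sessions or reverse in self.sessions:
            return True   # part of a known session: no policy lookup needed
        if not opener:
            return False  # stray reply with no session behind it
        for p in self.policies:  # first match on the interface pair wins
            if (p.src_if, p.dst_if) == (in_if, out_if) and p.dport in (None, dport):
                if p.accept:
                    self.sessions.add(flow)
                return p.accept
        return False      # no policy for this interface pair: implicit deny

def demo():
    # Constructed rule set: one outbound rule, one inbound rule per server port.
    fw = Firewall([
        Policy("internal1", "wan", 80, True),
        Policy("wan", "internal2", 443, True),
    ])
    client, web, host = "10.0.1.5", "203.0.113.10", "10.0.2.8"
    return {
        "outbound_http": fw.handle("internal1", "wan", client, 40000, web, 80),
        "return_traffic": fw.handle("wan", "internal1", web, 80, client, 40000, opener=False),
        "wan_opens_to_internal1": fw.handle("wan", "internal1", web, 5555, client, 22),
        "wan_https_to_internal2": fw.handle("wan", "internal2", web, 5556, host, 443),
        "wan_ssh_to_internal2": fw.handle("wan", "internal2", web, 5557, host, 22),
        "unsolicited_reply": fw.handle("wan", "internal1", web, 80, client, 41000, opener=False),
    }
```

The inbound rule for internal2 has no effect on internal1, and the reply from the web server is forwarded even though no WAN -> internal1 policy exists.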
JnascECSI
New Contributor

We went from a 200A to two 200Bs in HA mode and we have never looked back. We were even able to move our 200A config over to the 200Bs by only exporting the config and using a text editor to change the port names from the 200A to match the ones on the 200B. There were only a couple of things that we needed to redo, like all the protection policies had to be reset to default and re-applied for some reason.
2 x FortiGate 200B 4.2.8 FortiGate 200A 4.2.8 FortiAnalyzer 100C 4.2.4 FortiAP 220B 4.2.7 FortiSwitch 80-POE 4.2.3