Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JEsguerra
New Contributor

FortiManager Interface Mapping

I am new to the FortiManager. I've been working with FortiGate products for a long time, but this is my first time in FortiManager, and with a new project that consists of over 30 100Ds and a few 900D FortiGates.

What is the best practice to handle the interfaces for different products? Do you create an interface Port1 for each of the models, or just Port1, and it is called in the policies and the packages that are destined to each model?

Or do you create a Port1_100D and a Port1_900D in order to segregate them?

Does anybody who has several models installed have guidance on what has worked for you when it comes to mapping the ports?

Thank you kindly.

1 Solution
ergotherego
Contributor II

No need to worry about naming the interfaces differently across different platforms inside FMG. You just need to remember to reference the proper interface when creating new policies, otherwise install will fail (zone validation).

It only matters if you are going to do:

1) Shared policy packages across firewalls of different platforms

2) Global policy packages

If you need to account for one of those things, my recommendation is to zone all interfaces on every firewall. Then your policies reference the zone, i.e., Public, Cameras, etc.


5 REPLIES

JEsguerra

Thank you so much, ergotherego. For the people that find this thread with the same question, here is what you do:

Once you have the FortiGate in the list of devices, you need to make sure you "Import Policy" under Device Manager and highlight the unit you want to import the settings from. This is so that you get all the ports listed under: Policy & Objects > Object Configurations > Zone/Interface > Interfaces

What ergotherego is referring to is that once you have those interfaces in there, then create some zones. This is the most important part, because you will add ports to the Zone, then you reference the Zone name in the policies, then you assign the policy to a device, and that is how the mapping occurs.

So you create a zone in the same Interfaces menu you are in by clicking Create New > Zone at the top menus. Name the Zone whatever you want, for example: OfficeLAN, OfficeDMZ, DataCenterWAN, DataCenterLAN, etc.

Then, in the same location, double-click the Zone, switch on the Per Device Mapping, click Add, and select the device and the port. You get a message that it will change the current mapping; select yes, and voila!

Run the Install Wizard and you will see the ports and zones you created reflected on the device. Create your policies using the Zone names.

Another way to look at it is with this example:

FortiGate 1 has 2 ports
FortiGate 2 has 4 ports
P = Port

FortiGate 1 (Office) > P1, P2
FortiGate 2 (DataCenter) > P1, P2, P3, P4

Create a zone that will be used in the office for WAN and LAN, and another in the DataCenter for the same WAN and LAN.

Create the Zone and assign the ports:

OfficeWAN > P1
OfficeLAN > P2
DataCenterWAN > P1
DataCenterLAN > P2

You will effectively see P1 and P2 mapped on both of the devices, but you will call your Zones independently in the Policy Package that will be assigned to a Device.
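As an added illustration (not FortiManager code and not from the thread), here is a simplified Python model of the mapping described above: policies reference zone names, each zone carries a per-device mapping to physical ports, and an install for one device either resolves every zone or fails zone validation. The device names, zone names, port names and package contents are constructed from the FortiGate 1 / FortiGate 2 example; the function names are my own.

```python
from dataclasses import dataclass

# Constructed inventory from the thread: FortiGate 1 (Office) has 2 ports,
# FortiGate 2 (DataCenter) has 4.
DEVICE_PORTS = {
    "FortiGate1": {"port1", "port2"},
    "FortiGate2": {"port1", "port2", "port3", "port4"},
}
# Zone -> per-device mapping (device -> physical ports). A zone can group
# several ports on one device (DataCenterLAN here), which is when zones pay off.
ZONE_MAP = {
    "OfficeWAN": {"FortiGate1": {"port1"}},
    "OfficeLAN": {"FortiGate1": {"port2"}},
    "DataCenterWAN": {"FortiGate2": {"port1"}},
    "DataCenterLAN": {"FortiGate2": {"port2", "port3"}},
}
@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str  # zone name, never a physical port
    dstintf: str

def resolve_zone(zone: str, device: str) -> set[str]:
    """Physical ports `zone` maps to on `device`; LookupError if it cannot."""
    if zone not in ZONE_MAP:
        raise LookupError(f"zone '{zone}' does not exist in the ADOM")
    ports = ZONE_MAP[zone].get(device, set())
    if not ports:
        raise LookupError(f"zone validation: '{zone}' is not mapped on {device}")
    if ports - DEVICE_PORTS[device]:
        raise LookupError(f"{device} lacks port(s) {sorted(ports - DEVICE_PORTS[device])}")
    return ports
def install(package: list[Policy], device: str) -> list[dict]:
    """Resolve a package for one device; any bad zone aborts the whole install."""
    return [{"name": p.name,
             "srcintf": sorted(resolve_zone(p.srcintf, device)),
             "dstintf": sorted(resolve_zone(p.dstintf, device))} for p in package]
def install_errors(package: list[Policy], device: str) -> list[str]:
    """Dry run: every zone-validation error for this package/device pair."""
    errors = []
    for p in package:
        for zone in (p.srcintf, p.dstintf):
            try:
                resolve_zone(zone, device)
            except LookupError as exc:
                errors.append(f"{p.name}: {exc}")
    return errors
# Constructed packages: one per site, each referencing only that site's zones.
OFFICE_PACKAGE = [Policy("office-out", "OfficeLAN", "OfficeWAN")]
DC_PACKAGE = [Policy("dc-in", "DataCenterWAN", "DataCenterLAN")]
```

Running `install_errors(OFFICE_PACKAGE, "FortiGate2")` shows the failure ergotherego warns about: the office zones have no mapping on the DataCenter unit, so the package cannot be installed there until a mapping is added.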

lkorbasiewicz_FTNT

Hi,

Just to clarify - you don't need to create zones on FortiManager; you may as well use "Interface" with whatever name you want (like DMZ, OfficeLAN, DCLAN, etc.) and dynamically map them to physical interfaces of the FortiGate.

Zones are best used if you need to map more than one interface to a zone, so you can use it in a policy to simplify it.

Best Regards,

Lukasz Korbasiewicz
Fortinet EMEA TAC Lead Engineer
Fortinet NSE7 Certified

To reach support on call:
http://www.fortinet.com/support/contact_support.html

Helpful links:
http://kb.fortinet.com
http://video.fortinet.com
http://docs.fortinet.com

Lukasz Korbasiewicz,
Fortinet TAC Support

ss198939

Hi, thanks to all for explaining this.

I know we can make policy by interface also, and we can also make zones in FortiGate. But my question below is for FortiManager.

In FortiManager, as I understand it, there are 3 methods to do interface mapping. So are those 3 methods the same? Or are they different in some way, or are they placed in 3 different locations for at least some reason other than convenience?

Method 1 for mapping:
1. Create a zone in the Policy option without per-device mapping.
2. Go to any interface in Device & Groups and edit Interface/VLAN.
3. In "Map to Policy Interface", assign the zone you want that interface to be part of.

Method 2 for mapping: Right-click on any interface which you want to map, select "Edit Interface Map", and assign the zone.

Method 3: Create the Zone in the Policy & Objects section. Do per-device mapping. In Device & Groups that interface will be shown under the currently chosen zone.

In FMG version 5.6.2 all these methods seem the same to me. When I add an interface from Device Manager, it shows up under Zones > Per Device Mapping in the Policy & Objects section.

And in the new version 6.2 I think it's different.

You can use a zone without per-device mapping also.

Thanks in advance.


ss198939

Attached are the images.