Fortinet Forum
marypoppins
New Contributor

Policy for zone members

Dear All,


I am trying to make a policy in which one of the interfaces is a zone member, but I cannot choose it from the interface list. It seems the zone members cannot be used separately. Some interfaces have common rules, while in addition to those there are rules that are specific to only one interface. Is there any hack for this? Thank you.

1 Solution
lobstercreed
Valued Contributor

You will either need to remove that interface from the zone (thus requiring additional policies), or use src/dst addresses to effectively filter the actual use of that rule to the interface in question.


In other words, if the zone includes Int_A, Int_B, and Int_C with subnets of 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 respectively, you can define the rule to allow (or block, or whatever) only traffic from 10.1.2.0/24 to effectively apply it to Int_B without applying it to Int_A and Int_C, even though you have the zone selected as the source interface.


3 REPLIES
ede_pfau
Esteemed Contributor III

Using a policy with interfaces "zone" to "zone" and filtering by address is not uncommon when you use zones, assuming intrazone traffic is blocked. If you compare it to a regular policy, traffic in those is selected/filtered by address as well. So there is no reason not to use this setup; it's valid and safe.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
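The setup the two replies above describe (a zone as source interface, the rule narrowed to one member's subnet by address, intrazone traffic denied), written out as FortiOS CLI. This is an added example, not either poster's own configuration; the interface names Int_A/Int_B/Int_C and the 10.1.x.0/24 subnets come from the thread, while the zone name, address object name, policy ID, "wan1" and the service are assumed placeholders.

```text
# Constructed FortiOS CLI example; every name other than Int_A/Int_B/Int_C
# and the 10.1.x.0/24 subnets is an assumed placeholder.
config system zone
    edit "LAN_ZONE"
        set intrazone deny                   # member-to-member traffic blocked, as ede_pfau assumes
        set interface "Int_A" "Int_B" "Int_C"
    next
end

config firewall address
    edit "NET_Int_B"
        set subnet 10.1.2.0 255.255.255.0    # the subnet behind Int_B only
    next
end

config firewall policy
    edit 10
        set name "Int_B_only_to_WAN"
        set srcintf "LAN_ZONE"               # the zone; Int_B itself cannot be selected here
        set dstintf "wan1"
        set srcaddr "NET_Int_B"              # this address match is what limits the rule to Int_B
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all                   # keep a record of what the narrowed rule actually matches
    next
end
```

The address object, not the zone, is what keeps Int_A and Int_C out of this rule, so it is only as tight as the binding between each member interface and its subnet; the interface's reverse-path (anti-spoofing) check is what upholds that binding.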
marypoppins

Thank you for your answers!