Maybe this is an easy one but I haven't figured it out. I have 4 LANs, one wired and three WiFi; one is a guest, and one is an IoT. They all need to access the internet, and I have 6 or 7 blocking rules that are repeated for each. I want to have these policies in one place that all internet access goes through. I use Central NAT.
So, I'm guessing I make a VLAN, and put the rules in there. Then just have each LAN exit to this VLAN, and have the VLAN exit to the WAN port. But in this VLAN, what do I do about IP addresses and what about Central NAT? So LAN to VLAN to WAN. Do I just NAT LAN to WAN, like normal, and the VLAN figures it out inside? Anything I need to look out for? Thanks.
Have you considered the usage of Zones? By adding the specific interfaces to a Zone you can then call the Zone instead of the separate interfaces in a firewall policy and allow the traffic to the internet. This definitely simplifies policy management and reduces the number of firewall policies. More on Zones: https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/116821/zone
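As an added illustration (not from the thread or from Fortinet's documentation), this is what the zone approach looks like in FortiOS CLI for the setup described in the question: the four LAN-side interfaces go into one zone, the shared block rules and the internet allow rule are written once against that zone, and the Central SNAT rule matches on the zone as the source interface. The interface names (port2, wifi1, wifi2, wifi3, wan1), the zone name, the address names and the 203.0.113.0/24 sample destination are assumptions chosen for the example.

```fortios
# Added example, not part of the original thread.
# Assumed interface names: port2 (wired LAN), wifi1/wifi2/wifi3 (WiFi, guest, IoT), wan1 (internet).

# 1. One zone for every LAN-side interface. intrazone deny keeps the guest and
#    IoT networks from reaching the wired LAN through the zone; set it to allow
#    and add explicit lan_zone -> lan_zone policies if inter-LAN traffic is wanted.
config system zone
    edit "lan_zone"
        set intrazone deny
        set interface "port2" "wifi1" "wifi2" "wifi3"
    next
end

# 2. Destinations to block, kept in one address group so the deny rule never changes.
config firewall address
    edit "blocked_dst_example"
        set subnet 203.0.113.0 255.255.255.0   # constructed sample (TEST-NET-3), replace with real targets
    next
end
config firewall addrgrp
    edit "blocked_destinations"
        set member "blocked_dst_example"
    next
end

# 3. Policies are evaluated top-down; "edit 0" appends, so the deny is created
#    first and sits above the allow. Both reference the zone, not the four interfaces.
config firewall policy
    edit 0
        set name "lan_block_shared"
        set srcintf "lan_zone"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "blocked_destinations"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all        # log the blocks so hits on the shared rule are visible
    next
    edit 0
        set name "lan_to_internet"
        set srcintf "lan_zone"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic utm
    next
end

# 4. Central NAT: the policy carries no NAT toggle; this single SNAT entry covers
#    all four LANs because it matches the zone as the source interface.
config firewall central-snat-map
    edit 0
        set srcintf "lan_zone"
        set dstintf "wan1"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
    next
end
```

The practical catch is the one raised in the reply below: FortiOS will refuse to add an interface to a zone while that interface is still referenced by a policy, route or other object, so the existing per-interface policies have to be deleted (or their srcintf changed) before the `set interface` line is accepted. Doing the migration in a maintenance window with a configuration backup taken first avoids having to rebuild those rules by hand if something is missed.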
It looks helpful, but it also appears you can only put interfaces in a Zone if they are completely unused, which means losing several days' work, so that isn't going to happen.
Copyright 2025 Fortinet, Inc. All Rights Reserved.