We have an FG-100F and a 48-port PoE switch. We use FortiLink to our 48-port switch, and we create/manage the VLANs through the switch under WiFi & Switch Controller ==> FortiSwitch VLANs in the GUI. Is it possible to group VLANs created on the FortiSwitch into a single zone in the same way you can group VLANs created on the firewall?
Yes, you can.
The VLAN interface must not be part of any policy in order to be added to the zone.
Created on 06-13-2023 06:08 AM Edited on 06-13-2023 07:24 AM
Thank you for your help. I have a follow-on question.
Based on your answer, I would have to remove all the existing policies assigned to the various individual VLANs. After the VLANs are part of a zone, will I be able to create policies around the individual VLANs, or would I be limited to creating policies on the entire zone?
edit: grammar and clarity
Basically yes, the zone should include all the interfaces that need to have the same set of security/policy rules, https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/116821/zone
Thank you!
Just to clarify:
the whole concept of a zone is to group interfaces in order to eliminate (lots of) policies, thus making the policy table easier to grasp and handle.
In a policy, you would use the new zone as a source or destination interface; you just cannot select any interface which is a member of a zone. BUT... you can always limit the traffic matching a policy by an address object.
For example, you group vlan1, vlan2 and vlan3 into zone "VLANS". In order to write a policy which should only deal with vlan1, you create an address object "vlan1_LAN" like 10.121.14.0/24, and use it in the policy. Even though the source interface is zone "VLANS", having the source address set as "vlan1_LAN" will only permit vlan1 traffic to be policed here.
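As an added example (not taken from any of the posts above), this is what the setup described in the two answers looks like in the FortiOS CLI: a check for existing references to the VLAN interface, a zone that groups the FortiLink-managed VLAN interfaces, an address object for one member VLAN, and a policy that uses the zone as its source interface but is narrowed to that single VLAN by the address object. The interface names vlan1/vlan2/vlan3 and the 10.121.14.0/24 subnet come from the post above; the wan1 egress interface, the policy name and the service list are assumptions for illustration only. The intrazone setting is a caveat worth knowing: with the default "deny", vlan1 to vlan2 traffic still needs an explicit VLANS-to-VLANS policy, while "allow" opens all traffic between member VLANs without any policy.

```text
# 0. Find everything that still references the interface. A firewall
#    policy listed here must be deleted or re-pointed before the
#    "set interface" in step 1 is accepted.
diagnose sys checkused system.interface.name vlan1

# 1. Group the FortiLink VLAN interfaces into a zone.
#    intrazone deny (the default) keeps the VLANs isolated from each
#    other unless a VLANS -> VLANS policy explicitly permits traffic.
config system zone
    edit "VLANS"
        set intrazone deny
        set interface "vlan1" "vlan2" "vlan3"
    next
end

# 2. Address object that matches only the vlan1 subnet (from the post).
config firewall address
    edit "vlan1_LAN"
        set subnet 10.121.14.0 255.255.255.0
    next
end

# 3. Policy: the zone is the source interface, srcaddr narrows it to vlan1.
#    "wan1" and the service list are assumed values for this example.
config firewall policy
    edit 0
        set name "vlan1_to_internet"
        set srcintf "VLANS"
        set dstintf "wan1"
        set srcaddr "vlan1_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end

# 4. Confirm the zone membership.
show system zone
```

Because srcaddr is the only thing keeping vlan2 and vlan3 traffic out of this policy, keep the address object tied to the actual VLAN subnet; a later "all" or an overly broad subnet in srcaddr silently widens the rule to every member of the zone.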