Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Shagma
New Contributor

Dynamic spokes configuration problem

I' m following the Dynamic spokes configuration example in the FortiOS 4.0 MR2 IPsec handbook. Starting on page 60 the handbook says to define IPsec configuration. I am then told to define a firewall policies by creating a policy with the virtual IPsec interface selcted as the Destination Interface. The next step tells me to create a zone which includes the virtual IPsec interface. The problem is that I' ve already used the virtual IPsec interface in a firewall policy and it seems it cannot be included in a zone at the same time. Is this an error on my part or is the handbook the problem? How should this be configured?
1 REPLY 1
ede_pfau
Esteemed Contributor III

Hi, you can only populate a zone with unbound interfaces. It wouldn' t really make sense to have policies for single interfaces and at the same time compound interfaces (zones) - which one would take precedence? And yes, the Handbook is somewhat misleading in this respect. I will send them a request for reviewing it (if I find the time...). So for you, delete the policies where you use the interface(s), create the hub zone and create the zone policy. Decide whether you allow intra-zone traffic or not. Checking the option is the easiest way to do this. If you don' t you can always allow intra-zone traffic via a separate policy in which you could filter on service, time of day or UTM settings. This is straight from the Handbook.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Labels
Top Kudoed Authors