I'm following the Dynamic spokes configuration example in the FortiOS 4.0 MR2 IPsec handbook.
Starting on page 60 the handbook says to define the IPsec configuration. I am then told to define firewall policies by creating a policy with the virtual IPsec interface selected as the Destination Interface.
The next step tells me to create a zone which includes the virtual IPsec interface. The problem is that I've already used the virtual IPsec interface in a firewall policy and it seems it cannot be included in a zone at the same time.
Is this an error on my part or is the handbook the problem? How should this be configured?
You can only populate a zone with unbound interfaces. It wouldn't really make sense to have policies for single interfaces and at the same time compound interfaces (zones) - which one would take precedence?
And yes, the Handbook is somewhat misleading in this respect. I will send them a request for reviewing it (if I find the time...).
So for you, delete the policies where you use the interface(s), create the hub zone and create the zone policy. Decide whether you allow intra-zone traffic or not. Checking the option is the easiest way to do this. If you don't, you can always allow intra-zone traffic via a separate policy in which you could filter on service, time of day or UTM settings. This is straight from the Handbook.
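The same procedure on the FortiOS CLI, as an added example that is not part of the handbook or of the answer above. The interface names (internal, spokes_p1), the zone name hub_zone and the policy ID 3 are assumptions; the service object is written as "ANY", which is its name in 4.0 MR2 (later releases renamed it "ALL").

```fortios
# Added example, not from the handbook or the forum answer. Names internal,
# spokes_p1, hub_zone and policy ID 3 are placeholders; substitute your own.

# 1. Remove the policy that still references the virtual IPsec interface
#    directly. Look up its ID with "show firewall policy" first; the zone
#    cannot be created while the interface is bound to a policy.
config firewall policy
    delete 3
end

# 2. Create the hub zone from the now-unbound virtual IPsec interface(s).
#    "set intrazone allow" lets spokes reach each other through the hub
#    with no further policy; use "set intrazone deny" if that traffic
#    should be controlled by an explicit policy (step 4).
config system zone
    edit "hub_zone"
        set intrazone allow
        set interface "spokes_p1"
    next
end

# 3. Zone policies replace the deleted interface policy. "edit 0" lets the
#    unit assign the next free policy ID. The second policy is only needed
#    if spokes may initiate connections towards the hub LAN.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "hub_zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "hub_zone"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

# 4. Optional: with "set intrazone deny" in step 2, permit spoke-to-spoke
#    traffic explicitly so it can be narrowed by service, schedule or UTM
#    profile. The zone is both source and destination interface.
config firewall policy
    edit 0
        set srcintf "hub_zone"
        set dstintf "hub_zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

Step 4 is the "separate policy" the answer refers to: spoke-to-spoke traffic enters and leaves the hub on the same virtual IPsec interface, so it is only matched by a policy whose source and destination are the zone, or passed by the zone's intrazone setting. Tighten "all"/"ANY" to the spoke subnets and the services you actually need before relying on this in production.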