Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Infotech22
Contributor

Created on ‎11-30-2023 05:10 AM Edited on ‎02-26-2024 05:45 AM By Community Manager

Firewall Policy - Zones

Hello forum,

Can somebody give me an example of using Zones if we are going to use Granular policies.
We will restrict the access as much as we can with our traffic.
Example would be:

  • Clients to DC - Only LDAP, HTTPS etc
  • Clients to Servers - Only RDP etc

 

I can't see any difference in managing all of them since we are going to have a lot of policies.
What is different with using Zones over Interfaces. I don't see any advatages in our case.
This is our current without zones:

 

zones.png

 

How it can be more managable if we are using zones if we need to do a granular permissions for everything.
Each VLAN, each service, ports etc

Labels:
1422
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser
In response to Infotech22

Created on ‎11-30-2023 08:03 AM

As @adambomb1219 mentioned, a zone is a collection of interfaces. In your case all of your policies are from/to NOV_Clients to/from NOV_DMZ. So nothing to be bound together.
If the servers in NOV_DMZ are separated by mutipul VLANs, those VLANs are separate interfaces and you might want to bind them together as a zone. But I don't see much reason to do that if those policies need to be set up "by hosts".

Zones are useful like when you have a primary internet circuit and a seconday with a failover mechanism. Because the usage between them are the same so you can apply the same set of policies. Then it would make sense to have a zone "Internet" to have both circuits then set just one set of polices.

 

In other words, when you started seeing exactly the same policies but only src or dst interface is different a lot, it's the time you should consider binding them into a zone.

 

Toshi

View solution in original post

1398
4 REPLIES 4
adambomb1219
SuperUser
SuperUser

Created on ‎11-30-2023 05:33 AM

If you need granular permissions per VLAN, service, etc then don't use zones.  Why do you want to use zones?  

 

Zones are used when you have "similar" interfaces.  Like for example, you have three subnets for your data center and you want the same policies to apply to each of the three VLANs equally, you place those three interfaces into a "DC Zone".

1415
Infotech22
Contributor
In response to adambomb1219

Created on ‎11-30-2023 05:42 AM

Hello,

It was recommendation by the external partner, that it will be much easier but as I mention I dont see a benefit if we need granular permissions.
It will be the same. Even from internal to external its different so there is no much same policies to apply to few subnets

1413
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Infotech22

Created on ‎11-30-2023 08:03 AM

As @adambomb1219 mentioned, a zone is a collection of interfaces. In your case all of your policies are from/to NOV_Clients to/from NOV_DMZ. So nothing to be bound together.
If the servers in NOV_DMZ are separated by mutipul VLANs, those VLANs are separate interfaces and you might want to bind them together as a zone. But I don't see much reason to do that if those policies need to be set up "by hosts".

Zones are useful like when you have a primary internet circuit and a seconday with a failover mechanism. Because the usage between them are the same so you can apply the same set of policies. Then it would make sense to have a zone "Internet" to have both circuits then set just one set of polices.

 

In other words, when you started seeing exactly the same policies but only src or dst interface is different a lot, it's the time you should consider binding them into a zone.

 

Toshi

1399
Infotech22
Contributor
In response to Toshi_Esumi

Created on ‎11-30-2023 10:53 PM

Yes, thank you for the reply.

In our case then Zones are not a benefit. 
This screenshot was only few policies there are a lot more of them, tottally different so I don't have some similar interfaces etc since for each vlan and inter-vlan connection I will need different services, security profiles etc.


1370
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.