Hello forum,
Can somebody give me an example of using Zones if we are going to use granular policies?
We will restrict the access as much as we can with our traffic.
Example would be:
I can't see any difference in managing all of them since we are going to have a lot of policies.
What is different with using Zones over Interfaces? I don't see any advantages in our case.
This is our current without zones:
How can it be more manageable if we are using zones, if we need to do granular permissions for everything?
Each VLAN, each service, ports, etc.
As @adambomb1219 mentioned, a zone is a collection of interfaces. In your case all of your policies are from/to NOV_Clients to/from NOV_DMZ, so there is nothing to bind together.
If the servers in NOV_DMZ are separated by multiple VLANs, those VLANs are separate interfaces and you might want to bind them together as a zone. But I don't see much reason to do that if those policies need to be set up "by hosts".
Zones are useful when, for example, you have a primary internet circuit and a secondary with a failover mechanism. Because the usage of both is the same, you can apply the same set of policies. Then it would make sense to have a zone "Internet" containing both circuits and set just one set of policies.
In other words, when you start seeing a lot of exactly the same policies where only the src or dst interface differs, it is time to consider binding them into a zone.
Toshi
If you need granular permissions per VLAN, service, etc., then don't use zones. Why do you want to use zones?
Zones are used when you have "similar" interfaces. For example, if you have three subnets for your data center and you want the same policies to apply to each of the three VLANs equally, you place those three interfaces into a "DC Zone".
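The rule of thumb in both replies above (bind interfaces into a zone when you keep writing the same policy with only the source or destination interface changed; leave interfaces separate when policies are per host or per service) can be checked mechanically against a policy export. The script below is an added example, not code from the thread or from Fortinet: it groups a constructed, FortiGate-style policy table by every field except one interface column, reports the interface sets that could become a zone, and renders the matching FortiOS `config system zone` stanza. Policy names, interface names, addresses and profile names are assumptions; the "by hosts" DMZ policies in the sample deliberately do not collapse, which is the situation the original poster describes.

```python
# Added example (not part of the forum thread): find zone candidates in a
# FortiGate-style policy table. Two policies are candidates to share a zone
# when they are identical in every field except one interface column.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    service: str
    action: str
    profiles: Tuple[str, ...] = ()


# Constructed sample table; all names here are assumptions, not real config.
SAMPLE_POLICIES: List[Policy] = [
    # Three data-centre VLANs with an identical policy towards the clients.
    Policy("dc1-to-clients", "vlan10", "NOV_Clients", "all", "all", "HTTPS", "accept", ("av-default", "ips-default")),
    Policy("dc2-to-clients", "vlan20", "NOV_Clients", "all", "all", "HTTPS", "accept", ("av-default", "ips-default")),
    Policy("dc3-to-clients", "vlan30", "NOV_Clients", "all", "all", "HTTPS", "accept", ("av-default", "ips-default")),
    # Primary and secondary internet circuits with the same egress policy.
    Policy("clients-out-wan1", "NOV_Clients", "wan1", "all", "all", "ALL", "accept", ("web-filter",)),
    Policy("clients-out-wan2", "NOV_Clients", "wan2", "all", "all", "ALL", "accept", ("web-filter",)),
    # Per-host DMZ policies: different hosts, services and sources, so no zone.
    Policy("clients-to-dmz-web", "NOV_Clients", "NOV_DMZ", "all", "web01", "HTTPS", "accept", ("ips-default",)),
    Policy("clients-to-dmz-db", "NOV_Clients", "NOV_DMZ", "admins", "db01", "MSSQL", "accept", ("ips-default",)),
]

COMPARED_FIELDS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service", "action", "profiles")


def zone_candidates(policies: Iterable[Policy], side: str) -> Dict[FrozenSet[str], List[str]]:
    """Group policies that agree on every compared field except `side`
    ('srcintf' or 'dstintf'). Returns {interface set: [policy names]} for
    every group that spans more than one interface."""
    groups: Dict[tuple, List[Policy]] = defaultdict(list)
    for p in policies:
        key = tuple((f, getattr(p, f)) for f in COMPARED_FIELDS if f != side)
        groups[key].append(p)
    result: Dict[FrozenSet[str], List[str]] = {}
    for members in groups.values():
        intfs = frozenset(getattr(p, side) for p in members)
        if len(intfs) > 1:
            result[intfs] = [p.name for p in members]
    return result


def policies_saved(candidates: Dict[FrozenSet[str], List[str]]) -> int:
    """How many policies disappear if each candidate group becomes one
    policy referencing a zone instead of N policies referencing interfaces."""
    return sum(len(names) - 1 for names in candidates.values())


def fortios_zone_config(zone_name: str, interfaces: Iterable[str]) -> str:
    """Render the FortiOS CLI stanza that creates the zone. Interfaces bound
    to a zone can no longer be referenced directly in policies; traffic
    between members is governed by the zone's intrazone setting."""
    quoted = " ".join(f'"{i}"' for i in sorted(interfaces))
    return "\n".join([
        "config system zone",
        f'    edit "{zone_name}"',
        f"        set interface {quoted}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    for side in ("srcintf", "dstintf"):
        found = zone_candidates(SAMPLE_POLICIES, side)
        print(f"{side}: {len(found)} candidate group(s), {policies_saved(found)} policy(ies) saved")
        for intfs, names in found.items():
            print("  interfaces:", sorted(intfs), "policies:", names)
            print(fortios_zone_config("ZONE_" + "_".join(sorted(intfs)), intfs))
```

On the sample table the source-interface pass finds the three data-centre VLANs (one policy instead of three) and the destination-interface pass finds the two WAN circuits (one policy instead of two), while the per-host DMZ rules stay as they are. Run over a real export, a result with no candidate groups is the same conclusion the thread reaches: granular, per-host policies gain nothing from zones.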
Hello,
It was a recommendation by the external partner, that it will be much easier, but as I mentioned I don't see a benefit if we need granular permissions.
It will be the same. Even from internal to external it's different, so there are not many of the same policies to apply to a few subnets.
Yes, thank you for the reply.
In our case then Zones are not a benefit.
This screenshot was only a few policies; there are a lot more of them, totally different, so I don't have similar interfaces etc., since for each VLAN and inter-VLAN connection I will need different services, security profiles, etc.
Copyright 2024 Fortinet, Inc. All Rights Reserved.