I am new to FortiManager. I've been working with FortiGate products for a long time, but this is my first time with FortiManager, on a new project that consists of over 30 100Ds and a few 900D FortiGates.
What is the best practice for handling the interfaces for different products? Do you create an interface Port1 for each of the models, or just Port1, which is then referenced in the policies and packages that are destined for each model?
Or do you create a Port1_100D and a Port1_900D in order to segregate them?
Does anybody with several models installed have guidance on what has worked for you when it comes to mapping the ports?
Thank you kindly.
No need to worry about naming the interfaces differently across different platforms inside FMG. You just need to remember to reference the proper interface when creating new policies, otherwise install will fail (zone validation).
It only matters if you are going to do:
1) Shared policy packages across firewalls of different platforms
2) Global policy packages
If you need to account for one of those things, my recommendation is to zone all interfaces on every firewall. Then your policies reference the zone, i.e., Public, Cameras, etc.
Thank you so much ergotherego. For the people that find this thread with the same question, here is what you do:
Once you have the FortiGate in the list of devices, you need to make sure you "Import Policy" under Device Manager with the unit you want to import the settings from highlighted. This is so that you get all the ports listed under: Policy & Objects > Object Configurations > Zone/Interface > Interfaces
What ergotherego is referring to is that once you have those interfaces in there, you then create some zones. This is the most important part, because you add ports to the Zone, then reference the Zone name in the policies, then assign the policy to a device, and that is how the mapping occurs.
So you create a zone in the same Interfaces menu by clicking Create New > Zone at the top menu. Name the Zone whatever you want, for example: OfficeLAN, OfficeDMZ, DataCenterWAN, DataCenterLAN, etc.
Then, in the same location, double-click the Zone, switch on Per Device Mapping, click Add, and select the device and the port. You get a message that it will change the current mapping; select Yes, and voila!
Run the Install Wizard and you will see the ports and zones you created reflected on the device. Create your policies using the Zone names.
Another way to look at it is with this example:
FortiGate1 has 2 ports
FortiGate 2 has 4 ports
P=Port
FortiGate 1 (Office) > P1, P2
FortiGate 2 (DataCenter) > P1, P2, P3, P4
Create a zone that will be used in the office for WAN and LAN and another in the DataCenter for the same WAN and LAN
Create the Zone and assign the ports
OfficeWAN > P1
OfficeLAN > P2
DataCenterWAN > P1
DataCenterLAN > P2
You will effectively see P1 and P2 mapped on both of the devices, but you will call your Zones independently in the Policy Package that is assigned to a Device.
Hi,
Just to clarify - you don't need to create zones on FortiManager, you may as well use "Interface" with whatever name you want (like DMZ, OfficeLAN, DCLAN etc) and dynamically map them to physical interfaces of the FortiGate.
Zones are best used if you need to map more than one interface to a zone so you can use it in a policy to simplify it.
Best Regards,
Lukasz Korbasiewicz
Fortinet EMEA TAC Lead Engineer
Fortinet NSE7 Certified
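The per-device mapping described in the two replies above, expressed as the JSON-RPC request bodies FortiManager accepts instead of GUI clicks. This is an added example, not code from any of the posters or from Fortinet. It models the two-FortiGate example (OfficeWAN/OfficeLAN on FortiGate 1, DataCenterWAN/DataCenterLAN on FortiGate 2) and also the single-interface "Interface" object Lukasz mentions, and it adds the check a practitioner wants before pushing: that every mapped port actually exists on the device, which is the "zone validation" failure ergotherego warns about. Assumptions: the URL `/pm/config/adom/<adom>/obj/dynamic/interface` and the fields `name`, `single-intf`, `dynamic_mapping`, `_scope` and `local-intf` are as I recall them from the FortiManager JSON API; confirm them against the API reference for your FMG release. The device names, port inventories and session ID are constructed, and nothing is sent to a FortiManager.

```python
"""Per-device interface/zone mapping for FortiManager, as JSON-RPC payloads.

Added example, not code from the forum posts or from Fortinet. Assumptions:
the JSON-RPC URL /pm/config/adom/<adom>/obj/dynamic/interface and the field
names name, single-intf, dynamic_mapping, _scope and local-intf follow the
FortiManager JSON API as I recall it; verify against the API reference for
your release. Nothing here contacts a FortiManager: the functions only
build and check request bodies.
"""
import json

# Constructed inventory: physical ports present on each managed FortiGate.
DEVICE_PORTS = {
    "FortiGate1": {"port1", "port2"},                    # office unit, 2 ports
    "FortiGate2": {"port1", "port2", "port3", "port4"},  # data-center unit, 4 ports
}

# Desired mapping: policy object name -> {device: [local ports]}.
# Two objects may map to the same port name on different devices.
ZONE_MAP = {
    "OfficeWAN":     {"FortiGate1": ["port1"]},
    "OfficeLAN":     {"FortiGate1": ["port2"]},
    "DataCenterWAN": {"FortiGate2": ["port1"]},
    "DataCenterLAN": {"FortiGate2": ["port2"]},
}


def validate_mapping(zone_map, device_ports):
    """Return (object, device, port) triples that reference a port the device
    does not have (or a device not in the inventory). An empty list means every
    mapping is installable; a non-empty one is the case where FMG would reject
    the install at zone validation, so catch it before running the wizard."""
    errors = []
    for obj, per_device in zone_map.items():
        for device, ports in per_device.items():
            known = device_ports.get(device, set())
            for port in ports:
                if port not in known:
                    errors.append((obj, device, port))
    return errors


def build_add_request(adom, obj, per_device, session, vdom="root"):
    """Build one JSON-RPC 'add' request creating dynamic interface object <obj>
    in <adom> with a per-device mapping entry for every device in per_device.
    single-intf is 1 when every device maps exactly one port (an "Interface"
    object, as in the TAC reply) and 0 when any device maps several (a zone).
    The meaning of that flag is an assumption; see the module docstring."""
    single = all(len(ports) == 1 for ports in per_device.values())
    data = {
        "name": obj,
        "single-intf": 1 if single else 0,
        "dynamic_mapping": [
            {"_scope": [{"name": device, "vdom": vdom}],
             "local-intf": list(ports)}
            for device, ports in per_device.items()
        ],
    }
    return {
        "id": 1,
        "method": "add",
        "params": [{"url": f"/pm/config/adom/{adom}/obj/dynamic/interface",
                    "data": data}],
        "session": session,
    }


def resolve_for_device(zone_map, device):
    """Return {object: ports} as it will exist on <device> after install.
    Only objects mapped to that device appear, which is why OfficeLAN and
    DataCenterLAN can both resolve to port2 without colliding."""
    return {obj: list(per_device[device])
            for obj, per_device in zone_map.items() if device in per_device}


if __name__ == "__main__":
    problems = validate_mapping(ZONE_MAP, DEVICE_PORTS)
    if problems:
        raise SystemExit(f"mapping references unknown ports: {problems}")
    for obj, per_device in ZONE_MAP.items():
        req = build_add_request("root", obj, per_device, session="<session-id>")
        print(json.dumps(req, indent=2))
    print(resolve_for_device(ZONE_MAP, "FortiGate1"))
```

Run `validate_mapping` over the full map before generating any requests; the failure mode it reports (a policy object mapped to a port the device does not have) is exactly the one that otherwise surfaces only when the install wizard fails. To model a zone that spans several ports on one device, give that device a list of two or more ports and the request is emitted with `single-intf` set to 0.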
Hi, thanks to all for explaining this.
I know we can make policies by interface as well, and we can also make zones on the FortiGate. But my question below is for FortiManager.
In FortiManager, as far as I can tell, there are 3 methods to do interface mapping. So are those 3 methods the same? Or do they differ in some way, or are they placed in 3 different locations for at least some reason other than convenience?
Method 1 for mapping:
1. Create the zone in the Policy section without per-device mapping.
2. Go to any interface under Device & Groups and edit the Interface/VLAN.
3. In "Map to Policy Interface", assign the zone you want that interface to be part of.
Method 2 for mapping:
Right-click any interface which you want to map, select "Edit Interface Map", and assign the zone.
Method 3:
Create the zone in the Policy & Objects section and do per-device mapping. Under Device & Groups that interface will then show under the currently chosen zone.
In FMG version 5.6.2 all these methods seem the same to me: when I add an interface from Device Manager, it shows under Zones > Per Device Mapping in the Policy & Objects section.
In the new version 6.2, I think it's different.
You can use a zone without per-device mapping also.
Thanks in advance.
Attached are the images.