Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
andreasfelder
New Contributor

FortiManager multiple interfaces in each zone

Hi,

I just started a trial to evaluate the FortiManager product. I am using the latest 5.2 VM for the evaluation. I connected a 5.2.1 FortiOS. I did find out through the forum already that this FortiOS version is not supported yet, but I don't believe my problems are related to the FortiOS version. I am trying to accomplish the following with FortiManager:

For my test I am using 2 FortiGate firewalls with 2 VDOMs on each. Let's call them A1, A2, B1 and B2. They connect in the following way:

A1 – A2 – B1 – B2

A1 has 2 interfaces called A1-DMZ and A1-LAN.

B2 has 2 interfaces called B2-DMZ and B2-LAN.

I want to be able to create a firewall policy that goes from the interface on A1 to the interface on B2.

In order to do that I would need to map the source and destination zone in each VDOM (A1-DMZ and A2-DMZ). The issue is that there are multiple policies like this with different source and destination zones (A1+B2 DMZ + LAN). The system only allows me to map one zone to an interface. However, interfaces that can connect to multiple zones, due to them carrying traffic between VDOMs, are unable to be mapped to the correct zones. This means we are unable to map the correct zones.

I would need to map B2 LAN and B2 DMZ to the interface that goes from A1 to A2. This would allow the system to map the policy on that VDOM to that specific link and then create the policy for it.

I am not sure if this is how FortiManager is supposed to work; however, I cannot see a different way to map the interfaces to zones in order to allow the firewall policies to be created through all the VDOMs.

This is the first time I am using FortiManager, so please correct me if I am wrong on any of the points.

Thanks, Andreas

8 REPLIES
andreasfelder
New Contributor

Does anybody know how to implement a scenario like this where multiple FortiGates are in serial? Do you have to use Any for the interface to map things correctly?

scao_FTNT
Staff

Hi, Andreas

Configuring a policy on FMG is similar to configuring a policy on FGT, and if the policies are the same for all FGTs, you can use interface mapping to map the FMG policy package interface to each FGT device/VDOM interface.

So for example, you have 4 FGT/VDOMs:

FGT1v1 has int1_a, int1_b
FGT1v2 has int2_a, int2_b
FGT2v1 has int3_a, int3_b
FGT2v2 has int4_a, int4_b

and you can create 1 policy on FMG with policy package interface FMG_int_a -> FMG_int_b

and then do the mapping for

FMG_int_a
FGT1v1 - int1_a
FGT1v2 - int2_a
FGT2v1 - int3_a
FGT2v2 - int4_a

FMG_int_b
FGT1v1 - int1_b
FGT1v2 - int2_b
FGT2v1 - int3_b
FGT2v2 - int4_b

and install that 1 policy to 4 FGT/VDOMs.

Thanks

Simon

andreasfelder

Yeah, that works for me; however, I am unable to configure policies if I have 3 FortiGates in serial:

On a FortiGate I will need to be able to link 2 zones to a single interface when the interface links two FortiGates together and the zones are on the other side of the connecting FortiGate.

In the following example diagram I would need to map zones 1 and 2 to port1 on FortiGate 2 and zones 4 and 3 to port2. This doesn't work, as when I try to map the second zone to port1 or port2 it gives me an error:

I have attached the diagram to show what I am trying to do.

scao_FTNT
Staff

Hi, Andreas

FMG policy package interfaces have 2 modes. The default is interface mode (so you can only map 1 device interface to that policy interface). You can check the "Enable Zone" checkbox for a policy interface, and then you can map multiple device interfaces to that policy interface/zone.

Thanks

Simon

andreasfelder

Yeah, that is what I am trying to use. The issue is, when I have 3 FortiGates that connect to each other in serial, I end up having to map 2 zones to a single interface on the same VDOM/FGT. This brings up the following message:

The new mapping will delete the old mapping

I have to do that in order to be able to route traffic through the middle FortiGate to the end locations on FortiGate 1 and 3:

FortiGate 1 and 3 have multiple networks connected and each has a connection to FortiGate 2. This means all networks from FG 1 have to connect to FG 2 in order to get to FG 3. This means all zones on FG 1 and 3 have to be mapped to the trunk interfaces on FG 2 in order for the policies to be mapped correctly on install. That seems to make sense in my head, but it seems not to be possible. Is there any way to deploy policies in this example and have the interfaces map correctly to the 3 FortiGate devices?

scao_FTNT
Staff

I think on your 3 FGTs, based on your topology picture, you should have the FGT policies below:

1. FGT1 has a policy, from left side zones to right side interface
2. FGT2 has a policy, from left interface port1 to right interface port2
3. FGT3 has a policy, from left interface to right side zones

which means on the FMG side you also need to have these 3 policies, 1 policy for each device. You can have 3 policy packages, 1 package per device, or you can use 1 policy package with 3 policies, each with its own install-on device.

Thanks

Simon

andreasfelder

Ok, I see. That is what I was trying to avoid. In our environment we have many more FortiGates and VDOMs, which makes the policy creation a nightmare. Each service ends up needing about 5-7 policies to be routed through.

Do you know of any other way to make this easier, to not have that many policies?

scao_FTNT
Staff

I think this is case by case.

For example, for your attached pic topology, I think basically you need 2 policies for each FGT:

internal -> external
external -> internal

So on FMG, you may just need 1 policy package with these 2 policies, and make the policy interfaces "internal" and "external" zone interfaces so you can map multiple device interfaces to the zone.

We also support dynamic mapping for address and VIP, so if the FGT policies only differ in address/VIP, then you can use 1 policy on the FMG side.

Thanks

Simon
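To make the two mapping rules discussed in this thread concrete, here is a small Python model (an added example, not FortiManager's own code or API) of a policy package with interface-mode and zone-mode interfaces, built the way Simon's final reply suggests. The device, VDOM and interface names (FGT1, FGT2, FGT3, root, zone1 to zone4, port1, port2, to_fgt2) are constructed to match the 3-FortiGate topology, and the "The new mapping will delete the old mapping" case is reported as an exception instead of a GUI warning.

```python
class MappingConflict(Exception):
    """Raised where the FortiManager GUI warns that the new mapping would delete the old one."""


class PolicyPackage:
    def __init__(self):
        self.zone_mode = {}  # package interface -> bool (the "Enable Zone" checkbox)
        self.mapping = {}    # (device, vdom, package interface) -> [device interfaces]
        self.policies = []   # (source package interface, destination package interface)

    def add_interface(self, name, zone_mode=False):
        self.zone_mode[name] = zone_mode

    def add_policy(self, src, dst):
        self.policies.append((src, dst))

    def map_interface(self, device, vdom, pkg_intf, local_intf):
        # A device interface belongs to at most one package interface per device/VDOM;
        # adding it to a second one is the conflict Andreas hits on FGT2's port1/port2.
        for (dev, vd, other), members in self.mapping.items():
            if (dev, vd) == (device, vdom) and other != pkg_intf and local_intf in members:
                raise MappingConflict(f"{device}/{vdom}: {local_intf} is already mapped to {other}")
        members = self.mapping.setdefault((device, vdom, pkg_intf), [])
        # Interface mode holds exactly one device interface; zone mode holds many.
        if members and not self.zone_mode[pkg_intf] and local_intf not in members:
            raise MappingConflict(f"{pkg_intf} is in interface mode; enable zone to add {local_intf}")
        if local_intf not in members:
            members.append(local_intf)

    def install(self, device, vdom):
        """Resolve each package policy to the device interfaces it would use on one device/VDOM."""
        return [(tuple(self.mapping.get((device, vdom, src), [])),
                 tuple(self.mapping.get((device, vdom, dst), [])))
                for src, dst in self.policies]


def thread_package():
    """Simon's final suggestion: two zone-mode interfaces, two policies, one package for all three FortiGates."""
    pkg = PolicyPackage()
    pkg.add_interface("internal", zone_mode=True)
    pkg.add_interface("external", zone_mode=True)
    pkg.add_policy("internal", "external")
    pkg.add_policy("external", "internal")
    # Constructed names: FGT1 and FGT3 hold the end zones, FGT2 is the middle box with port1/port2.
    for dev, pkg_intf, local in (("FGT1", "internal", "zone1"), ("FGT1", "internal", "zone2"),
                                 ("FGT1", "external", "to_fgt2"), ("FGT2", "internal", "port1"),
                                 ("FGT2", "external", "port2"), ("FGT3", "internal", "to_fgt2"),
                                 ("FGT3", "external", "zone3"), ("FGT3", "external", "zone4")):
        pkg.map_interface(dev, "root", pkg_intf, local)
    return pkg
```

Calling `thread_package().install("FGT2", "root")` yields the port1 -> port2 and port2 -> port1 policies for the middle box, while mapping two package zones onto the same port1 raises `MappingConflict`, which is the situation the thread describes.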
