Hi,
I just started a trial to evaluate the FortiManager product. I am using the latest 5.2 VM for the evaluation. I connected a 5.2.1 FortiOS. I did find out through the forum already that this FortiOS version is not supported yet, but I don't believe my problems are related to the FortiOS version. I am trying to accomplish the following with FortiManager:
For my test I am using 2 FortiGate firewalls with 2 VDOMs on each. Let's call them A1, A2, B1 and B2. They connect in the following way:
A1 – A2 – B1 – B2
A1 has 2 interfaces called A1-DMZ and A1-LAN.
B2 has 2 interfaces called B2-DMZ and B2-LAN.
I want to be able to create a firewall policy that goes from the interface on A1 to the interface on B2.
In order to do that I would need to map the source and destination zone in each VDOM (A1-DMZ and A2-DMZ). The issue is that there are multiple policies like this with different source and destination zones (A1+B2 DMZ + LAN). The system only allows me to map one zone to an interface. However, interfaces that can connect to multiple zones, because they carry traffic between VDOMs, cannot be mapped to the correct zones. This means we are unable to map the correct zones.
I would need to map B2 LAN and B2 DMZ to the interface that goes from A1 to A2. This would allow the system to map the policy on that VDOM to that specific link and then create the policy for it.
I am not sure if this is how FortiManager is supposed to work; however, I cannot see a different way to map the interfaces to zones in order to allow the firewall policies to be created through all the VDOMs.
This is the first time I am using FortiManager so please correct me if I am wrong on any of the points.
Thanks, Andreas
Does anybody know how to implement a scenario like this where multiple FortiGates are in serial? Do you have to use Any for the interface to map things correctly?
Hi, Andreas
Configuring a policy on FMG is similar to configuring a policy on FGT, and if the policies are the same for all FGTs, you can use interface mapping to map the FMG policy package interface to each FGT device/VDOM interface.
So for example, you have 4 FGT/VDOMs:
FGT1v1 has int1_a, int1_b
FGT1v2 has int2_a, int2_b
FGT2v1 has int3_a, int3_b
FGT2v2 has int4_a, int4_b
and you can create 1 policy on FMG with policy package interface FMG_int_a -> FMG_int_b
and then do the mapping for
FMG_int_a
FGT1v1 - int1_a
FGT1v2 - int2_a
FGT2v1 - int3_a
FGT2v2 - int4_a
FMG_int_b
FGT1v1 - int1_b
FGT1v2 - int2_b
FGT2v1 - int3_b
FGT2v2 - int4_b
and install that 1 policy to the 4 FGT/VDOMs.
Thanks
Simon
Yeah, that works for me; however, I am unable to configure policies if I have 3 FortiGates in serial:
On a FortiGate I will need to be able to link 2 zones to a single interface when the interface links two FortiGates together and the zones are on the other side of the connecting FortiGate.
In the following example diagram I would need to map zones 1 and 2 to port1 on FortiGate 2 and zones 4 and 3 to port2. This doesn't work, as when I try to map the second zone to port1 or port2 it gives me an error:
I have attached the diagram to show what I am trying to do.
Hi, Andreas
FMG policy package interfaces have 2 modes. The default is interface mode (so you can only map 1 device interface to that policy interface). You can check the "Enable Zone" checkbox for the policy interface, and then you can map multiple device interfaces to that policy interface/zone.
Thanks
Simon
Yeah, that is what I am trying to use. The issue is that when I have 3 FortiGates that connect to each other in serial, I end up having to map 2 zones to a single interface on the same VDOM/FGT. This brings up the following message:
The new mapping will delete the old mapping
I have to do that in order to be able to route traffic through the middle FortiGate to the end locations on FortiGate 1 and 3:
FortiGate 1 and 3 have multiple networks connected, and each has a connection to FortiGate 2. This means all networks from FG 1 have to connect to FG 2 in order to get to FG 3. This means all zones on FG 1 and 3 have to be mapped to the trunk interfaces on FG 2 in order for the policies to be mapped correctly on install. That seems to make sense in my head, but it seems not to be possible. Is there any way to deploy policies in this example and have the interfaces map correctly to the 3 FortiGate devices?
I think, based on your topology picture, you should have the below FGT policies on your 3 FGTs:
1. FGT1 has a policy from the left-side zones to the right-side interface
2. FGT2 has a policy from the left interface port1 to the right interface port2
3. FGT3 has a policy from the left interface to the right-side zones
which means on the FMG side you also need to have these 3 policies, 1 policy for each device. You can have 3 policy packages with 1 package per device, or you can use 1 policy package with 3 policies, each with its own install-on device.
Thanks
Simon
Ok, I see. That is what I was trying to avoid. In our environment we have many more FortiGates and VDOMs, which makes the policy creation a nightmare. Each service ends up needing about 5-7 policies to be routed through.
Do you know of any other way to make this easier to not have that many policies?
I think this is case by case.
For example, for your attached pic topology, I think basically you need 2 policies for each FGT:
internal -> external
external -> internal
so on FMG you may just need 1 policy package with these 2 policies, and make the policy interfaces "internal" and "external" zone interfaces so you can map multiple device interfaces to the zone.
We also support dynamic mapping for address and VIP, so if the FGT policies only differ by address/VIP, then you can use 1 policy on the FMG side.
Thanks
Simon
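To make the mapping rules discussed in this thread concrete, here is an added toy model (example code written for this page, not FortiManager or Fortinet code). It models the two policy-package interface modes Simon describes (interface mode: exactly one device interface per device/VDOM; zone mode: several), the rule Andreas ran into (a device interface can belong to only one package interface per device/VDOM, otherwise "the new mapping will delete the old mapping"), and per-policy install-on scoping. It then resolves the two-policy "internal"/"external" package from the last reply against the three-FortiGate-in-series topology and renders the per-device result as FortiOS `config firewall policy` CLI. Device names, VDOM names and port numbers are assumptions that mirror the thread's diagram; how the real install renders a multi-interface zone mapping (as several interfaces in one policy or as a zone object) is outside the model.

```python
"""Toy model of FortiManager policy-package interface mapping (added example,
not Fortinet code).  Devices, VDOMs and port names below are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scope:
    """One install target: a device and a VDOM on it."""
    device: str
    vdom: str = "root"


class MappingConflict(Exception):
    """Raised where FMG would replace (delete) an existing mapping."""


@dataclass
class PackageInterface:
    name: str
    zone_mode: bool = False
    # Scope -> tuple of device interface names mapped to this package interface
    mappings: dict = field(default_factory=dict)


class PolicyPackage:
    def __init__(self):
        self.interfaces = {}
        self.policies = []

    def add_interface(self, name, zone_mode=False):
        self.interfaces[name] = PackageInterface(name, zone_mode)

    def map_interface(self, pkg_intf, scope, *local_intfs):
        """Map a package interface to device interface(s) for one device/VDOM."""
        pi = self.interfaces[pkg_intf]
        if not pi.zone_mode and len(local_intfs) != 1:
            raise MappingConflict(f"{pkg_intf} is in interface mode: exactly one "
                                  f"device interface per device/VDOM; enable zone mode")
        # Rule observed in the thread: a device interface belongs to at most one
        # package interface per scope, so a second zone on FGT2 port1 is rejected.
        for other in self.interfaces.values():
            clash = set(other.mappings.get(scope, ())) & set(local_intfs)
            if other is not pi and clash:
                raise MappingConflict(f"{scope.device}/{scope.vdom} {sorted(clash)} "
                                      f"already mapped to {other.name}: the new "
                                      f"mapping would delete the old mapping")
        pi.mappings[scope] = tuple(local_intfs)

    def add_policy(self, name, src, dst, install_on=None):
        """install_on=None means the policy installs to every device/VDOM."""
        self.policies.append({"name": name, "src": src, "dst": dst,
                              "install_on": install_on})

    def resolve(self, scope):
        """Expand package policies into device-level policies for one scope.
        Policies with no mapping for this scope are skipped (a modelling choice)."""
        out = []
        for p in self.policies:
            if p["install_on"] is not None and scope not in p["install_on"]:
                continue
            src = self.interfaces[p["src"]].mappings.get(scope)
            dst = self.interfaces[p["dst"]].mappings.get(scope)
            if src and dst:
                out.append({"name": p["name"], "srcintf": src, "dstintf": dst})
        return out

    def render_cli(self, scope):
        """Render the resolved policies as FortiOS 'config firewall policy' CLI."""
        q = lambda names: " ".join(f'"{n}"' for n in names)
        lines = ["config firewall policy"]
        for i, p in enumerate(self.resolve(scope), start=1):
            lines += [f"    edit {i}", f'        set name "{p["name"]}"',
                      f"        set srcintf {q(p['srcintf'])}",
                      f"        set dstintf {q(p['dstintf'])}",
                      '        set srcaddr "all"', '        set dstaddr "all"',
                      "        set action accept", '        set schedule "always"',
                      '        set service "ALL"', "    next"]
        return "\n".join(lines + ["end"])


FGT1, FGT2, FGT3 = Scope("FGT1"), Scope("FGT2"), Scope("FGT3")


def serial_package():
    """The last reply's approach: two zone-mode interfaces, two policies, one package."""
    pkg = PolicyPackage()
    pkg.add_interface("internal", zone_mode=True)
    pkg.add_interface("external", zone_mode=True)
    pkg.map_interface("internal", FGT1, "port3", "port4")  # zones 1 and 2 (assumed ports)
    pkg.map_interface("external", FGT1, "port1")           # trunk to FGT2
    pkg.map_interface("internal", FGT2, "port1")           # middle box: FGT1 side
    pkg.map_interface("external", FGT2, "port2")           # middle box: FGT3 side
    pkg.map_interface("internal", FGT3, "port3", "port4")  # zones 3 and 4 (assumed ports)
    pkg.map_interface("external", FGT3, "port1")           # trunk to FGT2
    pkg.add_policy("internal-to-external", "internal", "external")
    pkg.add_policy("external-to-internal", "external", "internal")
    return pkg


def per_zone_attempt():
    """The rejected attempt: two end-zone package interfaces both mapped to FGT2 port1."""
    pkg = PolicyPackage()
    pkg.add_interface("zone1", zone_mode=True)
    pkg.add_interface("zone2", zone_mode=True)
    pkg.map_interface("zone1", FGT2, "port1")
    pkg.map_interface("zone2", FGT2, "port1")  # raises MappingConflict
    return pkg


if __name__ == "__main__":
    try:
        per_zone_attempt()
    except MappingConflict as e:
        print("rejected:", e)
    for s in (FGT1, FGT2, FGT3):
        print(f"# {s.device}/{s.vdom}\n{serial_package().render_cli(s)}")
```

Running it prints the rejection for the per-zone attempt and then, for each of the three devices, the same two package policies expanded to that device's own interfaces, which is the point of the last reply: the middle FortiGate gets port1 to port2 and back without any zone from the far side having to be mapped onto its trunk.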