Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mdmd
New Contributor

Fortigate 200D - v5.0 - Disable VPN

Hi 

 

We are running a couple of Fortigate 200Ds in a HA active passive cluster.

When I go to Features --> VPN and disable it, it doesn't actually disable it: the web front end is still visible and users can still log in.

 

Is this a bug? Disabling or enabling doesn't seem to do anything, apart from when the VPN is disabled, the menu in the side bar is gone, but it is still active.

 

Any help?

 

Thanks

 

Mike

14 REPLIES
mdmd
New Contributor

DMZ	zone
Trust	zone
Untrust	zone
dmz1 ()	interface
dmz2 ()	interface
mesh.root ()	interface
mgmt ()	interface
port3 ()	interface
port4 ()	interface
port7 ()	interface
port8 ()	interface
port9 ()	interface
port10 ()	interface
port11 ()	interface
port12 ()	interface
port13 ()	interface
port14 ()	interface
port15 ()	interface
port16 ()	interface
ssl.root (sslvpn tunnel interface)	interface
wan2 ()	interface

Very helpful; wan1 is inside the "Untrust" zone, it seems. Any idea how to block this 8009 for wan1 now?

ede_pfau

OK now - you're hiding the port! Then use the zone the port is in.

Ede Kernel panic: Aiee, killing interrupt handler!
mdmd
New Contributor

Perfect

Assigned it to intf "Untrust" and it works. I inherited the config for this firewall (and the firewall!). If I may ask, what would be the benefit of hiding the port and putting it in a zone?

 

Thanks again

 

Mike
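As an added example, not posted by anyone in this thread, here is the FortiOS 5.0 CLI form of what Mike describes: a custom service for the SSL VPN listener on tcp/8009 and a local-in policy that denies it on the zone that now contains wan1. The service name, the policy id and the port are assumptions drawn from the thread; confirm the listener port in your own SSL VPN settings before applying it.

```fortios
# Constructed example: service object for the SSL VPN listener (port assumed)
config firewall service custom
    edit "SSLVPN-8009"
        set tcp-portrange 8009
    next
end

# Local-in policy: traffic destined for the FortiGate itself, not forwarded
# traffic, so a normal firewall policy would not catch this.
# wan1 is hidden inside the "Untrust" zone, so the zone is what the policy
# must reference (a hidden member port is not selectable on its own).
config firewall local-in-policy
    edit 1
        set intf "Untrust"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-8009"
        set schedule "always"
        set action deny
    next
end
```

Local-in policies are CLI-only on this release; the Features toggle only hides the GUI menu while the daemon keeps listening, which is why the deny is needed at all.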

ede_pfau

Not having to re-learn from configuring a Netscreen or Juniper FW!

 

Well, seriously, if you have several ports which you could handle with exactly the same policy (like 5 VPNs from branch offices) then you work with one zone in one policy instead of 5 similar ones. The drawback is that you lose access to the individual ports once they are in a zone.

 

In short: a zone with just one port in it is only good for renaming a port. Still, I once ran into a situation where I had a zone just for renaming and some config couldn't be done... I just forgot what it was. I had to unravel the zone to make it work. Since then I stay away from zones.

Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

Zones are good when it comes to minimizing rules and like-as rules. But they can be a challenge in the long run (once you go zones, it's hard to undo or unravel them, like ede stated).

 

You can always add one member and craft multiple zones. This idea is great if you're re-engineering your security segment and migrating from one layer 3 to another while keeping the same rules.

 

Think it out, have a plan and research your design. I use a mix of zones and non-zones nowadays, and with firewalls like PAs and SRXs you can't avoid the zone-based concepts.

 

PCNSE 

NSE 

StrongSwan  
