Fortigate Firewall 802.3ad Aggregate with vlans - "Zone" compatible?

ErrantOsi · ‎05-27-2024

Hello everyone :)

We have a Forti 200F Firewall cluster (HA A/P). It has two uplinks interfaces which are already combined in a zone. The downlink interface is an 802.3ad aggregate with two (X3&X4) members and several layer 3 vlan subinterfaces configured.

I now wanted to create a new zone with some of the layer 3 subinterfaces in it so I can simplify our rule creation.

However, when creating a new zone I can't see our aggregate interface and neither the subinterfaces for selection. Is this maybe not supported for zones? I can't find any explanation online. Thanks!

hbac · ‎05-27-2024

Hi @ErrantOsi,

Those subinterfaces are under 802.3ad aggregate. You can't add it to other physical interface or zone.

Regards,

Brunn3r · ‎05-27-2024

If you have referenced a interface anywhere, you are not able to put it in a zone.
So you have to create a zone and leave it empty. Move the references (mostly Firewall-Rules) to this zone, then you should be able to add the interface into the zone.

Or at first, try it with a newly created test-VLAN.

Toshi_Esumi · ‎05-27-2024

I think those are just used by policies already. And that's why it wouldn't show up as member candidates. If you create a new VLAN on the LAG, it would show up to be added to the new zone.

Toshi

Fortigate Firewall 802.3ad Aggregate with vlans - "Zone" compatible?

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website