This is a Fortigate 80F in mid-stages of configuration.
In Network/Interfaces, I see:
LAN(1) Internal Hardware Switch Type Hardware Switch Members Internal-1>Internal-6
Internal-1 has an IP/Netmask which I presume applies to 1-6.
WAN(2) has
FGWAN1(wan1) Physical Interface with an IP address
wan1 Physical interface with 0.0.0.0/0.0.0.0
Now, I am planning to set up a 2nd WAN interface but not yet.
In the meantime, I want to set up an EXTERNAL ZONE with wan1 and wan2, but only wan2 is available, it seems. So that's really the issue.
In the end, I should think there would be:
wan1 with an IP address
wan2 with a separate IP address
and an EXTERNAL ZONE with both of them in the zone.
Hello Fred,
Go to Network >> Interface and click on the reference number for wan1.
You'll be able to see something like below; once you select the object, you'll be able to edit and delete it. In this config, because a firewall policy is using port1, I was not able to create a zone with port1.
In your scenario, just match the same reference between wan1 and wan2, and once you delete the reference which is causing this behavior, you'll be able to call the interface in the zone. Generally it is always a firewall policy.
Most likely your usage of wan1 is the same as Vishal's. At least one policy is using it, plus a default static route or more. A zone can be used only in policies, not for routing. So if you don't see wan1 among the candidate members of a zone, it has to be a policy or policies using it.
As in Vishal's screenshot, the number on the policy after the name (DNS) is the policy ID. You can find it after you add "ID" in the table settings of the Firewall Policy page.
Or, if you've chosen Interface Pair View in the policy page (it's the default), you should see "wan1" in the interface pairs.
Toshi
Probably because the default policy #1 is using wan1 already. Just remove the policy.
Toshi
I don't find anything like that...
That's very unusual if you've gotten a brand-new 80F and started configuring it for the first time. Are you sure Policy & Objects->Firewall Policy is empty? Or that none of the ones you created is using wan1?
Then what do you see at the end of the row "wan1" under the Network->Interfaces page? There should be a "Ref." column showing the number of references. Is it '0'? I'm almost sure it's NOT '0'.
Toshi
It's not brand-new.
Thanks for the pointers re: how to find this.
In Network/Interfaces I see "3" under Ref. for wan1
If I open the "3", then I see 3 entries each with Ref = 0 and no more information there.
So, I feel like I'm getting somewhere but haven't arrived yet.
Thanks!
I do have an IP assigned to wan1, but that wouldn't seem to me to affect the zone definition.
Would it?
And the other 2 references would likely be:
- a static (default) route (Network - Static route)
- a DHCP server (Network - interface - DHCP server)
The numbers in the "Ref." column are links, i.e. clickable. Follow the links to see which objects they are linked to.
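As an added illustration that is not part of the thread, the same hunt for references can be done offline over a `show full-configuration` backup: the script below walks a constructed FortiOS-style config (the objects in it are assumptions, arranged to mirror the Ref. = 3 case above) and reports every policy, static route and DHCP server that names wan1.

```python
import re
from collections import defaultdict

# Constructed FortiOS-style "show" output, not taken from the thread; the three
# objects naming wan1 mirror the Ref. = 3 the original poster saw.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "DNS"
        set srcintf "internal"
        set dstintf "wan1"
    next
end
config router static
    edit 1
        set device "wan1"
    next
end
config system dhcp server
    edit 1
        set interface "wan1"
    next
end
config system zone
    edit "EXTERNAL"
        set interface "wan2"
    next
end
"""
# Attributes that carry interface names in the object types discussed above.
INTERFACE_KEYS = {"srcintf", "dstintf", "device", "interface"}

def find_interface_refs(config_text, iface):
    # Returns {top-level section: [entry ids]} for every object that names iface.
    refs = defaultdict(list)
    stack, entry = [], None          # stack of nested "config" sections
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and len(stack) == 1:
            entry = line[len("edit "):].strip('"')
        elif stack:
            m = re.match(r'set (\S+) (.+)$', line)
            if m and m.group(1) in INTERFACE_KEYS:
                # Values may be a quoted list, e.g. set srcintf "port1" "port2"
                if iface in [v.strip('"') for v in m.group(2).split()]:
                    refs[stack[0]].append(entry)
    return dict(refs)
```

Each reported entry is one object to edit or delete before the interface becomes selectable as a zone member.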
Copyright 2024 Fortinet, Inc. All Rights Reserved.