Support Forum

Getting SubInterfaces To Go to Internet

If I need a firewall rule to allow the VLANs on the subinterfaces to go to the internet, do I have to configure every single subinterface, or do I just put the main interface only?


Each subinterface is just an interface from the FGT's perspective. You need to have a policy for each VLAN to allow internet unless you bind some or all of them into a zone (or zones). But once you put them in a zone, you can't specify each member VLAN in policies anymore.




You need a firewall rule from each subinterface towards the outside interface.


The other workaround is to create a zone and assign all subinterfaces to the zone. Then you just need a single policy from zone to zone. For more information about zones you can visit the Fortinet documentation. The zone option is available under Interfaces.


Rosa Technocrat -- Also on YouTube---Please do Subscribe

The subinterfaces of the FortiGate are treated as individual interfaces of the FortiGate.


This means that you need to create a firewall policy on each subinterface to allow the traffic to the internet.


You have 3 options to do that.


1st option: Create a separate firewall policy for each subinterface.


2nd option: Create a firewall policy with multiple interfaces and IP source, then select the subinterfaces as the source interface.


Note: You need to enable multiple interfaces on a Firewall policy before you can do this.

To enable Multiple Interface Policies:

System --> Feature Visibility --> Enable Multiple Interface Policies.


Then you can create a firewall policy with multiple source interfaces.


3rd option: Create a zone that includes those subinterfaces as members.

Then you can use this zone as a source interface on the Firewall policy.


For reference:





Ronmar Galvez
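The 2nd and 3rd options above, written out as FortiOS CLI as an added example (not posted by the author and not taken from Fortinet documentation). It assumes subinterfaces named vlan10 and vlan20 already exist on port2 and that port1 is the WAN interface; the policy IDs, zone name and service list are also assumptions.

```fortios
# Constructed example: "vlan10" and "vlan20" already exist as subinterfaces
# of port2; "port1" is the WAN interface. All names and IDs are assumptions.

# Option 2: one policy that lists several source interfaces.
# The GUI only offers multi-interface pickers after this setting is on;
# the CLI accepts several srcintf values regardless.
config system settings
    set gui-multiple-interface-policy enable
end
config firewall policy
    edit 10
        set name "vlans-to-internet"
        set srcintf "vlan10" "vlan20"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"   # named services rather than ALL
        set nat enable
        set logtraffic all                 # log accepted sessions as well
    next
end

# Option 3: group the subinterfaces in a zone and reference the zone.
# intrazone stays "deny" (the default), so VLAN-to-VLAN traffic between
# zone members is still blocked unless a policy explicitly allows it.
config system zone
    edit "LAN-VLANs"
        set intrazone deny
        set interface "vlan10" "vlan20"
    next
end
config firewall policy
    edit 20
        set name "lan-zone-to-internet"
        set srcintf "LAN-VLANs"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

Apply one option or the other for a given set of subinterfaces: an interface that is already referenced by a policy cannot be added to a zone, and once it is a zone member it can no longer be named directly in a policy.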

Hi,


It depends on your setup. If your downstream switches have multiple VLANs configured and you just have a reverse route on the FortiGate pointed towards the switch, then you can simply create a rule with your physical interfaces.


And if you have VLANs on the FortiGate and different gateways pointing towards your switch, you may need to create separate policies (better if a different level of access is required for each VLAN).


Or the other option would be, as mentioned above by a few colleagues, to use a zone and put the interfaces there (helpful if all VLANs require the same level of access).


Thank you.


