If I need a firewall rule to allow the VLANs on the subinterfaces to go to the internet, do I have to configure every single subinterface, or do I just put the main interface only?
Each subinterface is just an interface from FGT's perspective. You need to have a policy for each VLAN to allow internet unless you bind some or all into a zone(s). But once you put them in a zone, you can't specify each member VLAN for policies any more.
Toshi
You need a firewall rule from all subinterfaces towards the outside interface.
The other workaround for this is to create a zone and assign all subinterfaces to the zone. Then you just need a single policy from zone to zone. For more information about zones you can visit the Fortinet documentation. The zone option is available under interfaces.
The subinterfaces of the FortiGate are treated as individual interfaces of the FortiGate,
which means that you need to create a firewall policy on each subinterface to be able to allow the traffic to the internet.
You have 3 options to do that.
1st option: Create a separate firewall policy for each subinterface.
2nd option: Create a firewall policy with multiple source interfaces and select the subinterfaces as the source interfaces.
Note: You need to enable multiple-interface policies before you can do this.
To enable Multiple Interface Policies:
System --> Feature Visibility --> Enable Multiple Interface Policies.
Then you can create a firewall policy with multiple source interfaces.
3rd option: Create a zone that includes those subinterfaces as members.
Then you can use this zone as the source interface on the firewall policy.
For reference: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/116821/zone
Regards,
Ronmar
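The three options from the answer above, written out as FortiOS CLI configuration. This is an added example, not configuration posted by anyone in the thread or taken from Fortinet's documentation; the port names (port2 as the LAN trunk, wan1 as the internet-facing port), the VLAN IDs and the 10.0.x.0/24 addresses are assumptions. The policies permit only HTTP, HTTPS and DNS rather than the ALL service, which is what a practitioner would normally want for "internet access"; widen the service list only if needed.

```fortios
# Added example (not from the original thread): FortiOS CLI equivalents of the
# three options. port2, wan1, VLAN IDs 10/20 and the 10.0.x.0/24 subnets are
# assumptions; substitute your own names and addressing.

# Two VLAN subinterfaces on the (assumed) trunk port2
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.0.20.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 20
    next
end

# Option 1: one policy per subinterface. Most granular; repeat per VLAN.
config firewall policy
    edit 0
        set name "vlan10-to-internet"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
    next
    edit 0
        set name "vlan20-to-internet"
        set srcintf "vlan20"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
    next
end

# Option 2: one policy that lists several source interfaces. The CLI accepts
# a list in srcintf regardless of the GUI "Multiple Interface Policies" toggle;
# the toggle only controls whether the GUI lets you pick more than one.
config firewall policy
    edit 0
        set name "vlans-to-internet"
        set srcintf "vlan10" "vlan20"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
    next
end

# Option 3: a zone. Caveats: an interface that is still referenced by a policy
# cannot be added to a zone (delete or re-point those policies first), and
# once it is a member, policies must reference the zone, not the VLAN itself.
# intrazone deny (the default) keeps VLAN-to-VLAN traffic blocked unless you
# add an explicit zone-to-zone policy; scope that by address object if needed.
config system zone
    edit "LAN-VLANs"
        set intrazone deny
        set interface "vlan10" "vlan20"
    next
end
config firewall policy
    edit 0
        set name "LAN-VLANs-to-internet"
        set srcintf "LAN-VLANs"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
    next
end
```

Apply only one of the three policy sections; they are alternatives, not layers. After committing, `diagnose sys session list` or the forward-traffic log will show which policy ID a VLAN's traffic matched, which is the quickest way to confirm that the zone or multi-interface policy is actually the one being hit.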
Hi,
It depends on your setup. If your downstream switches have multiple VLANs configured and you just have a reverse route pointed towards the switch on the FortiGate, in this case you can simply create a rule with your physical interface.
And if you have VLANs on the FortiGate and you have different gateways pointing towards your switch, you may need to create separate policies (better if different levels of access are required for each VLAN).
Or the other option would be, as mentioned above by a few colleagues, to use a zone and put the interfaces there (helpful if all VLANs require the same level of access).
Thank you.
EMEA TAC
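The first case in the answer above (VLANs terminated on a downstream Layer 3 switch, with the FortiGate holding only a route back to them) needs no subinterfaces at all, but a single policy on the physical port does not have to mean "all" as the source. The following added example, not from the thread or from Fortinet, shows the route plus a policy that still limits the source to the known VLAN subnets via address objects. port2, the switch's transit address 10.0.0.2 and the 10.0.x.0/24 subnets are assumptions.

```fortios
# Added example (not from the original thread): routed downstream-switch case.
# port2 faces the switch on 10.0.0.0/30; the switch's transit IP 10.0.0.2 and
# the VLAN subnets 10.0.10.0/24 and 10.0.20.0/24 are assumed values.

# Reverse routes so the FortiGate can return traffic to the switch-hosted VLANs.
# Without these, the reverse-path check drops packets from those subnets.
config router static
    edit 0
        set dst 10.0.10.0 255.255.255.0
        set gateway 10.0.0.2
        set device "port2"
    next
    edit 0
        set dst 10.0.20.0 255.255.255.0
        set gateway 10.0.0.2
        set device "port2"
    next
end

# Address objects for the downstream VLANs, grouped so one policy can
# reference them without opening the port to arbitrary source addresses.
config firewall address
    edit "net-vlan10"
        set subnet 10.0.10.0 255.255.255.0
    next
    edit "net-vlan20"
        set subnet 10.0.20.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "downstream-vlans"
        set member "net-vlan10" "net-vlan20"
    next
end

# One policy on the physical interface. Per-VLAN differences in access are
# expressed by splitting this policy per address object rather than per port.
config firewall policy
    edit 0
        set name "downstream-vlans-to-internet"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "downstream-vlans"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
    next
end
```

If one VLAN later needs tighter or wider access, add a second policy above this one with `set srcaddr "net-vlan10"` and its own service list; policy order, not interface count, is what enforces the difference in this design.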
Copyright 2024 Fortinet, Inc. All Rights Reserved.