LS,
I have 2 questions with regards to Fortimanager and normalized interfaces.
1. Is it possible, or will it be possible, to map 2 (or more) interfaces in the device mapping to 1 normalized interface. Example, VOICE (SSID) and VOICE (VLAN) interfaces being mapped in the Device Mapping to the normalized interface "Voice"
2. Assume I have a normalized interface Voice-ssid with, in the device mapping, all the FortiGates(ssid) with a Voice SSID interface. I also have a normalized interface Voice-vlan with, in the device mapping, all the FortiGates(vlan) with a Voice VLAN interface.
Note that FortiGates(ssid) is not equal to FortiGates(vlan).
Some FortiGates have only Voice-ssid, some have Voice-vlan and some have both.
My question is, can a policy block where "incoming interface" has both "Voice-ssid" and "Voice-vlan" be applied on all the FortiGates in my estate?
1. Yes, you can map multiple interfaces to a single normalized interface.
When you create the normalized interface, let's call it VOICE, you can edit it and in it you can do per-device mapping and then select the device/FortiGate and the interfaces that would be used when it's referenced.
Then you can create a firewall rule using the normalized interface as incoming and push it to the FGTs, and each one will have its specific interface in the rule visible locally on it.
E.g., I created a normalized interface called VOICE and then assigned port3 from each device in the list. Then I created a firewall rule referencing the normalized interface as source, and a push to the gates will do the trick:
Hi @Willem_K_63 ,
For the first question, when different real interfaces point to the same normalized interface, it will create dynamic mapping.
Hmm.. with regards to my first question, I perhaps did not express myself clearly enough.
Is it possible to map 2 different interfaces, VOICE (SSID) and VOICE (VLAN), from 1 fortigate into 1 single normalized interface "Voice"?
We are using FortiManager 7.2.8.
@funkylicious thanks for your quick response.
I do understand how the device mapping works and how they should be used in a policy.
I'm having some discussion with our integrator who claims that "a policy block where 'incoming interface' has both 'Voice-ssid' and 'Voice-vlan' applied on all the FortiGates in my estate" will not work.
Keep in mind that FortiGates(ssid) is not equal to FortiGates(vlan), and some FortiGates have only Voice-ssid, some have Voice-vlan and some have both.
The reason for reaching out is that I have my doubts about the integrator's statement.
With regards to my first question, 2 different interfaces on 1 FortiGate being mapped to 1 normalized interface apparently is not possible.
When you do the device mapping it is not possible to select 2 interfaces on one FortiGate.
With regards to the second question:
If a "normalized interface name" is not available on a FortiGate, the installation will fail.
So that does not work either. With FMG 7.4 you are able to solve this with additional policies and by selecting an installation target.
Thanks for all the feedback.
Hi @Willem_K_63 ,
Regarding the first question, no, you can't map 2 different real interfaces to one normalized interface on the same FGT.
When you use the normalized interface in configuration, FMG does not know which real interface needs to apply.
I think, only I think, you @Willem_K_63 want No. 1 because you want to apply the same policy to either or both "VOICE" interfaces, regardless of whether it's the wired VLAN and/or the WiFi SSID. Am I wrong?
Then, if that's the case, the best/smart option wouldn't be doing it at the FMG, but setting up a zone to include all VOICE-related interfaces, so that you don't need separate policies for each interface.
Toshi
I understood you have several FGTs in FMG, some of which have two voice interfaces and some have only one.
One solution is to create an interface zone on every one of your FortiGates, add those interface(s) to it and then map that zone to one normalized interface. Then FMG will deploy the corresponding zone to the FortiGates, and that zone could have just one member or more. That should cope with your requirements if I got them correctly.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
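To make the zone approach concrete, here is what the per-device part of it looks like in FortiOS CLI. This is an added illustration, not configuration from any poster in this thread; the interface names "voice-ssid" and "voice-vlan", the zone name "VOICE" and the policy details are assumed. The same zone name exists on every FortiGate, so a single normalized interface can map to "VOICE" on each device, while the zone's member list differs per device.

```fortios
# FortiGate that has BOTH a voice SSID and a voice VLAN:
# one zone with two members. Interface names are assumed.
config system zone
    edit "VOICE"
        set intrazone deny
        set interface "voice-ssid" "voice-vlan"
    next
end

# FortiGate that has ONLY the voice VLAN:
# same zone name, a single member. The zone name is what the
# FortiManager normalized interface maps to, so the install
# succeeds on both kinds of device.
config system zone
    edit "VOICE"
        set intrazone deny
        set interface "voice-vlan"
    next
end

# Policy as it lands on every device after the install, referencing
# the zone rather than the individual interfaces. Service/NAT values
# are illustrative only.
config firewall policy
    edit 0
        set name "voice-out"
        set srcintf "VOICE"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
    next
end
```

Two caveats worth checking before rolling this out: FortiOS does not allow an interface that is a zone member to be referenced directly in a firewall policy, so any existing policies that use "voice-ssid" or "voice-vlan" by name must be moved to the zone first or the zone membership change will be rejected; and "set intrazone deny" means SSID-to-VLAN voice traffic on devices with both members needs an explicit policy (or "set intrazone allow") if it is expected.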
@sw2090 @Toshi_Esumi Thanks for the feedback. That was indeed an option mentioned by our MSP. We decided not to do this, honestly, I do not recall the reason. :(
@dingjerry_FTNT Thanks for the feedback. I believe I have got the point. Thanks.