Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
marypoppins
New Contributor II

Created on ‎07-28-2021 07:02 AM

Policy for zone members

Dear All,

 

I try to make a policy in which one of the interface is a zone member, but I can not choose that from the interface list. It seems the zone members can not be used separately. Some interface has common rules, while in addition to those there are rules that specific only for one interface. Is there any hack for this? Thank you

Labels:
3504
0 Kudos
1 Solution
lobstercreed
Valued Contributor

Created on ‎07-30-2021 12:23 PM

You will either need to remove that interface from the zone (thus requiring additional policies), or use src/dst address to effectively filter the actual use of that rule to the interface in question. 

 

In other words if the zone includes Int_A, Int_B, and Int_C with subnets of 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 respectively, you can define the rule to allow (or block, or whatever) only traffic from 10.1.2.0/24 to effectively apply this to Int_B without applying it to Int_A and Int_C even though you have the zone selected as the source interface.

View solution in original post

2742
0 Kudos
3 REPLIES 3
lobstercreed
Valued Contributor

Created on ‎07-30-2021 12:23 PM

You will either need to remove that interface from the zone (thus requiring additional policies), or use src/dst address to effectively filter the actual use of that rule to the interface in question. 

 

In other words if the zone includes Int_A, Int_B, and Int_C with subnets of 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 respectively, you can define the rule to allow (or block, or whatever) only traffic from 10.1.2.0/24 to effectively apply this to Int_B without applying it to Int_A and Int_C even though you have the zone selected as the source interface.

2743
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to lobstercreed

Created on ‎07-31-2021 04:09 PM

Using a policy with interfaces "zone" to "zone" and filtering by address is not uncommon when you use zones - assuming intrazone traffic is blocked. If you compare it to a regular policy, traffic in those is selected/filtered by address as well. So, no reason not to use this setup, it's valid and safe.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
2707
0 Kudos
marypoppins
New Contributor II
In response to lobstercreed

Created on ‎08-13-2021 01:24 AM

Thank you for your answers!

2707
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.