Dear All,
I am trying to make a policy in which one of the interfaces is a zone member, but I cannot choose it from the interface list. It seems the zone members cannot be used separately. Some interfaces have common rules, while in addition to those there are rules that are specific to only one interface. Is there any hack for this? Thank you
You will either need to remove that interface from the zone (thus requiring additional policies), or use src/dst address to effectively filter the actual use of that rule to the interface in question.
In other words, if the zone includes Int_A, Int_B, and Int_C with subnets of 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 respectively, you can define the rule to allow (or block, or whatever) only traffic from 10.1.2.0/24 to effectively apply this to Int_B without applying it to Int_A and Int_C, even though you have the zone selected as the source interface.
Using a policy with interfaces "zone" to "zone" and filtering by address is not uncommon when you use zones - assuming intrazone traffic is blocked. If you compare it to a regular policy, traffic in those is selected/filtered by address as well. So, no reason not to use this setup, it's valid and safe.
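An added FortiOS CLI example (not taken from either reply) of the setup the two answers describe: the zone keeps all three interfaces with intrazone traffic denied, and a zone-to-WAN policy is narrowed to Int_B by using its subnet as the source address. The interface names and subnets come from the first answer; the zone name, address object name, policy ID and the "wan1" interface are assumed.

```text
config system zone
    edit "LAN_Zone"
        # Deny traffic between zone members, as the second reply assumes
        set intrazone deny
        set interface "Int_A" "Int_B" "Int_C"
    next
end

config firewall address
    # Address object covering only the Int_B subnet from the first answer
    edit "Int_B_subnet"
        set subnet 10.1.2.0 255.255.255.0
    next
end

config firewall policy
    # Policy ID and "wan1" are assumed names for this example
    edit 10
        set name "Int_B-only-to-WAN"
        set srcintf "LAN_Zone"
        set dstintf "wan1"
        # The source address, not the interface, restricts this rule to Int_B;
        # hosts on Int_A (10.1.1.0/24) and Int_C (10.1.3.0/24) never match it
        set srcaddr "Int_B_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Rules common to the whole zone go in separate policies with srcaddr "all"; the interface-specific policy should be ordered above them so the narrower match is evaluated first.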
Thank you for your answers!
Copyright 2024 Fortinet, Inc. All Rights Reserved.