Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rezafathi
Contributor II

Created on ‎12-04-2023 12:03 AM

Source Interface Selection

Hi

 

I have port1 (LAN) and created 10 sub-interfaces for Vlans. So in Source interface selection box on all fortigate configuration, should I select Port1 or should I select Vlan interfaces?

Reza F.
Reza F.
Labels:
636
0 Kudos
1 Solution
Debbie_FTNT
Staff
Staff
In response to rezafathi

Created on ‎12-04-2023 04:42 AM

Hey rezafathi,

you have multiple options:
- you can add all 10 vlans to a zone (but then you can only use the zone interface for policies)

- you can create 10 policies, one for each VLAN

- you can enable 'Multiple Interface Policy' under System > Feature Select to allow adding more than one source interface in a policy

-> please note that this will disable the interface-based view in GUI! Policies will no longer be sorted by source/destination interface, but instead by their configured order only.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

592
6 REPLIES 6
mhemambika
Staff
Staff

Created on ‎12-04-2023 02:04 AM

Dear Rezafathi,

when you create VLAN interface on the firewall, VLAN interfaces will be becoming your logical interfaces for policy inspection, so in the source interface section of firewall policy, you will need to select the VLAN interfaces in order to control the traffic(received on the VLAN interface) based on firewall policy.

 

Hope this helps!

 

 

613
rezafathi
Contributor II
In response to mhemambika

Created on ‎12-04-2023 02:11 AM

Thanks. in firewall policy I can only select one incoming interface but multiple sources. So if i want to give 10 vlans internet access what should I do?

Reza F.
Reza F.
609
0 Kudos
Debbie_FTNT
Staff
Staff
In response to rezafathi

Created on ‎12-04-2023 04:42 AM

Hey rezafathi,

you have multiple options:
- you can add all 10 vlans to a zone (but then you can only use the zone interface for policies)

- you can create 10 policies, one for each VLAN

- you can enable 'Multiple Interface Policy' under System > Feature Select to allow adding more than one source interface in a policy

-> please note that this will disable the interface-based view in GUI! Policies will no longer be sorted by source/destination interface, but instead by their configured order only.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
593
rezafathi
Contributor II
In response to Debbie_FTNT

Created on ‎12-04-2023 08:42 PM

Thanks. I think the last option is reliable. is that right?

Reza F.
Reza F.
572
0 Kudos
kcheng
Staff
Staff
In response to rezafathi

Created on ‎12-04-2023 08:47 PM

Hi @rezafathi 

 

The respective would also depends on the services that you permit in the firewall policy. It will ease your management if all of the VLANs have the same privilege and access to the Internet. It also make your firewall policy cleaner (1 vs 10). The only draw back is that you can only view your firewall policy in sequence view. 

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
570
mle2802
Staff
Staff

Created on ‎12-04-2023 06:34 AM

Hi @rezafathi,
It depends where traffic comes from. You can use sniffer to see incoming interface and use it as source interface. To sniff traffic, use this command " diag sniffer packet any "host X.X.X.X" 4 0 l ".

Regards,
Minh

583
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.