Hi
I have port1 (LAN) and created 10 sub-interfaces for Vlans. So in Source interface selection box on all fortigate configuration, should I select Port1 or should I select Vlan interfaces?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey rezafathi,
you have multiple options:
- you can add all 10 vlans to a zone (but then you can only use the zone interface for policies)
- you can create 10 policies, one for each VLAN
- you can enable 'Multiple Interface Policy' under System > Feature Select to allow adding more than one source interface in a policy
-> please note that this will disable the interface-based view in GUI! Policies will no longer be sorted by source/destination interface, but instead by their configured order only.
Dear Rezafathi,
when you create VLAN interface on the firewall, VLAN interfaces will be becoming your logical interfaces for policy inspection, so in the source interface section of firewall policy, you will need to select the VLAN interfaces in order to control the traffic(received on the VLAN interface) based on firewall policy.
Hope this helps!
Thanks. in firewall policy I can only select one incoming interface but multiple sources. So if i want to give 10 vlans internet access what should I do?
Hey rezafathi,
you have multiple options:
- you can add all 10 vlans to a zone (but then you can only use the zone interface for policies)
- you can create 10 policies, one for each VLAN
- you can enable 'Multiple Interface Policy' under System > Feature Select to allow adding more than one source interface in a policy
-> please note that this will disable the interface-based view in GUI! Policies will no longer be sorted by source/destination interface, but instead by their configured order only.
Thanks. I think the last option is reliable. is that right?
Hi @rezafathi
The respective would also depends on the services that you permit in the firewall policy. It will ease your management if all of the VLANs have the same privilege and access to the Internet. It also make your firewall policy cleaner (1 vs 10). The only draw back is that you can only view your firewall policy in sequence view.
Hi @rezafathi,
It depends where traffic comes from. You can use sniffer to see incoming interface and use it as source interface. To sniff traffic, use this command " diag sniffer packet any "host X.X.X.X" 4 0 l ".
Regards,
Minh
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.