Support Forum
Maikel
New Contributor

Switch back to interface policies instead of zone based

Hi all,


Due to too many issues (Fortinet was not able to solve) with FSSO we were not able to upgrade our FortiManager (it was not accepting our FSSO configuration). Long story short, we quit using FortiManager and started to manage our clusters individually, but due to the use of FM we have zones configured. I want to quit using these zones too and use the physical and VLAN interfaces, as zones only make my config more complex and badly readable. Having said this, my 92D clusters are located abroad (in the US and in Asia) and all my VPN routers are behind my FortiGates.

Is there a way to remove the zones without affecting the policy and thus losing (VPN) connectivity on my 92D clusters? Any thoughts, opinions and/or experiences are more than welcome.

Toshi_Esumi
SuperUser

Your current zones likely include the interface to reach the VPN router. What I would consider as options in a situation like yours are:

a) allow direct admin access to the 92D on the outside interface temporarily, only from your source address, so that you don't have to rely on a VPN while you're reconstructing policies.

b) terminate a new VPN at the 92D and set up a new set of policies without using the existing zones.

emnoc
Esteemed Contributor III

You should be able to remove the interface(s) from the zone and then apply the policies to the interfaces. Going from interface-policy to zone does REQUIRE you to unbind existing firewall.policy, but undoing it is much friendlier.

NOTE: (maybe Ede will chime in), you can't have a zone with no interface IIRC, so if you want to unbind the zone-policy, craft some dummy loopback interfaces using IPv4 addresses from TEST-NET-1/TEST-NET-2 and install them in the zone;

e.g.:

config system interface
    edit "dummy1"
        set vdom "root"
        set type loopback
        set ip 192.0.2.1 255.255.255.255
    next
    edit "dummy2"
        set vdom "root"
        set type loopback
        set ip 192.0.2.2 255.255.255.255
    next
end

config system zone
    edit "external"
        set interface "dummy1"
    next
    edit "trust"
        set interface "dummy2"
    next
end


Do this for EACH zone. This will allow you to keep the zone up while you move things in, out and around. YMMV ;)


PCNSE NSE StrongSwan
localhost

You might also consider just modifying the config file manually (search zone name / replace with interface name) and re-uploading it.


Just make sure you allow external access to do a rollback if things go sideways.

ede_pfau

chime, chime...

I would support all of these ideas:

- make sure you have WAN admin access via HTTPS and SSH, temporarily

- create dummy loopback interfaces to stuff the zones

- OR, depending on the number of policies, get a current backup and rewrite it offline, restore and reboot

as I would rewrite 5-10 policies in place but not 50.

BTW, we all love FMG.

Ede Kernel panic: Aiee, killing interrupt handler!
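The offline "backup, rewrite, restore" route that localhost and ede_pfau suggest, as an added example that is not code from this thread or from Fortinet: it reads a FortiOS config backup, expands every zone name in policy srcintf/dstintf to the zone's member interfaces (assuming, as FortiOS CLI allows, that a policy may list several interfaces), refuses to continue if a zone has no members, and drops the config system zone section. The config text below is a constructed sample, not a real export.

```python
import re
# Constructed sample of a FortiOS config backup (not a real device export).
SAMPLE = """config system zone
    edit "external"
        set interface "wan1" "wan2"
    next
    edit "trust"
        set interface "internal1"
    next
end
config firewall policy
    edit 1
        set srcintf "trust"
        set dstintf "external"
    next
end
"""

ZONE_BLOCK = re.compile(r'^config system zone\n(.*?)^end\n', re.S | re.M)
ZONE_ENTRY = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next\n', re.S | re.M)
INTF_LINE = re.compile(r'^(\s*set (?:src|dst)intf )(.*)$', re.M)

def parse_zones(cfg):
    """Map each zone name to its member interface names (empty list if none)."""
    block = ZONE_BLOCK.search(cfg)
    if not block:
        return {}
    zones = {}
    for name, body in ZONE_ENTRY.findall(block.group(1)):
        members = re.search(r'set interface (.*)', body)
        zones[name] = re.findall(r'"([^"]+)"', members.group(1)) if members else []
    return zones

def expand_members(value, zones):
    """Swap zone names in a quoted interface list for their members; real interfaces stay."""
    out = []
    for name in re.findall(r'"([^"]+)"', value):
        out.extend(zones.get(name, [name]))
    return " ".join(f'"{n}"' for n in out)

def remove_zones(cfg):
    """Return (rewritten config, zone map); policies then bind to physical/VLAN interfaces."""
    zones = parse_zones(cfg)
    empty = [z for z, ifs in zones.items() if not ifs]
    if empty:
        # A policy bound to such a zone would be left with no interface at all.
        raise ValueError(f"zone(s) without member interfaces: {empty}")
    rewritten = INTF_LINE.sub(lambda m: m.group(1) + expand_members(m.group(2), zones), cfg)
    return ZONE_BLOCK.sub("", rewritten), zones
```

Only srcintf/dstintf are rewritten here; grep the backup for any other reference to a zone name before restoring, and keep the untouched backup for the rollback the thread recommends.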
emnoc
Esteemed Contributor III

BTW, we all love FMG.

haha, FMG is good when it works, it's the devil when it flares up

PCNSE NSE StrongSwan
Maikel

ede_pfau wrote:

BTW, we all love FMG.

Euhm... it has given us only issues and a lot of BS which Fortinet never was able to solve, so let's agree to disagree on this one. All thanks for the ideas, my remote clusters have fairly simple policies (less than 35 rules) so I might consider doing the backup/rewrite option here.


My main cluster is at my HQ where I work so other than getting a decent maintenance window this is covered too.
