Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rwa
New Contributor

VLAN in Zone disables GUI editing of parent interface

We have a configuration running on 5.4.9 on a 100E with networks on physical ports and VLANs like this:

+-----------+ 
| port1     | 10.0.0.1/24
+-----------+
      |   +-----------+
      +-->| vlan1     | 10.0.1.1/24
          +-----------+
+-----------+
| port2     | 10.0.2.1/24
+-----------+

 

I would like to create a zone that includes vlan1 and port2 (but not port1) as these two should have identical policies applied to them.

I can create this zone, but as soon as I include vlan1 the GUI shows it in the Zone segment of the interfaces view as you would expect, but it is still shown as a child of port1. However, port1 is greyed out and disabled (I assume b/c it is not part of this zone). I can no longer open the view of port1 for editing, turning the port down, etc....

If I create a second vlan2 as a child of port1 and add only one of the vlans to the zone then port1 appears both in the zone section and the physical section with the latter able to be edited/disabled/etc....

Am I misunderstanding zones or doing something wrong here? I have made edits in the CLI that work, so this seems like perhaps a bug.  Does anyone know if later releases display this issue (particularly 5.4.11)?

Thank you.

6 REPLIES 6
tanr
Valued Contributor II

I've seen the same thing in 5.6.x and I believe 6.0.x.  I too have used the CLI to edit the parent port.  Would be nice to see an official response about this.

rwa
New Contributor

Thanks for the confirmation.  I'll see if support will confirm anything.

Toshi_Esumi
SuperUser
SuperUser

By the way, you need to remember when you eventually upgrade it to 5.6.x, until 5.6.6 those zone members (child vlan subinterfaces) would be thrown out from the zone when you upgrade it due to a bug. Make sure choosing one of upgrade paths that skips all earlier versions of 5.6. I've learned it in a hard way.

rwa

Thank you for that too.  That would have taken hours to figure out.

boneyard
Valued Contributor

to be honest i would not do this to start with.

 

leave the interface on which you create the VLANs without IPs. using the access / untagged VLAN like this feels odd to me.

 

i know it works, but when i see this it always feel a little icky to me.

rwa
New Contributor

Thanks, this became obvious researching examples of this.  Unfortunately this network is set up and in use, but I think we will do it as you suggest for new installations.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors