We have a configuration running on 5.4.9 on a 100E with networks on physical ports and VLANs like this:
+-----------+
|   port1   | 10.0.0.1/24
+-----------+
      |     +-----------+
      +---->|   vlan1   | 10.0.1.1/24
            +-----------+
+-----------+
|   port2   | 10.0.2.1/24
+-----------+
I would like to create a zone that includes vlan1 and port2 (but not port1) as these two should have identical policies applied to them.
I can create this zone, but as soon as I include vlan1 the GUI shows it in the Zone segment of the interfaces view as you would expect, but it is still shown as a child of port1. However, port1 is greyed out and disabled (I assume because it is not part of this zone). I can no longer open the view of port1 for editing, turning the port down, etc.
If I create a second vlan2 as a child of port1 and add only one of the VLANs to the zone, then port1 appears both in the zone section and the physical section, with the latter able to be edited/disabled/etc.
Am I misunderstanding zones or doing something wrong here? I have made edits in the CLI that work, so this seems like perhaps a bug. Does anyone know if later releases display this issue (particularly 5.4.11)?
Thank you.
I've seen the same thing in 5.6.x and I believe 6.0.x. I too have used the CLI to edit the parent port. Would be nice to see an official response about this.
Thanks for the confirmation. I'll see if support will confirm anything.
By the way, you need to remember when you eventually upgrade it to 5.6.x that, until 5.6.6, those zone members (child VLAN subinterfaces) would be thrown out of the zone when you upgrade, due to a bug. Make sure to choose one of the upgrade paths that skips all earlier versions of 5.6. I learned it the hard way.
Thank you for that too. That would have taken hours to figure out.
To be honest, I would not do this to start with.
Leave the interface on which you create the VLANs without IPs. Using the access / untagged VLAN like this feels odd to me.
I know it works, but when I see this it always feels a little icky to me.
Thanks, this became obvious researching examples of this. Unfortunately this network is set up and in use, but I think we will do it as you suggest for new installations.
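For reference, the CLI form of the setup discussed above: a zone holding vlan1 and port2 with port1 kept outside it, laid out the way the previous reply recommends (parent port without an address). This is an added example, not configuration taken from any post in the thread; the VLAN ID (10), the "root" VDOM, the "wan1" uplink and the single policy are assumptions.

```fortios
# Added example (not from the thread). Assumed: VLAN ID 10, VDOM "root", uplink "wan1".
config system interface
    # Parent port carries only the tagged VLAN and gets no IP of its own.
    edit "port1"
        set vdom "root"
    next
    # VLAN subinterface of port1; this is the object that joins the zone.
    edit "vlan1"
        set vdom "root"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 10
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.2.1 255.255.255.0
        set allowaccess ping
    next
end

# Zone containing vlan1 and port2 only; port1 is deliberately not a member.
config system zone
    edit "lan-zone"
        set intrazone allow
        set interface "vlan1" "port2"
    next
end

# One policy referencing the zone applies identically to both members.
config firewall policy
    edit 1
        set srcintf "lan-zone"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The `#` lines are comments for the reader; they are accepted in a restored configuration file but not at the interactive prompt.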
Copyright 2024 Fortinet, Inc. All Rights Reserved.