I'm new to Fortigate and am trying to mirror a setup that we've successfully deployed across hundreds of firewalls from from a couple different vendors. We spoke with support regarding this, but my level of confidence in the conversation is low, so i'd like to run it the forum for a second opinion...
We have "spoke" locations that terminate tunnels to two "hub" locations, one primary and one backup.
We'd typically build route based tunnels and put VPN_1 and VPN_2 into the same zone (VPN) our firewall policies and address objects would then be based on the LAN and VPN zones:
LAN > VPN
VPN > LAN
The support tech we spoke with, suggested that a fortigate will not support the above setup (that we cannot group VPN interfaces into a single zone), which means we'd have to do something like:
LAN > VPN_1
LAN > VPN_2
VPN_1 > LAN
VPN_2 > LAN
The problem is that on many of the firewalls we're looking at, we're talking hundreds, if not thousands, of address objects (including groups) and hundreds of firewall policies that would have to be duplicated.
At the end of the day, I suppose it's not THAT much work to duplicate the configs... we'd just build one config that would be based on VPN_1, then find-replace instances of VPN_1 with VPN_2 (and renumber policies as needed), but that seems like a inefficient process and also one that increases the potential for error.
Can anyone comment regarding the viability of grouping VPN interfaces into the same zone and how to make it work (if it's possible)?
Thank you in advance,
Chris
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
What they told you was wrong, you can definitely put VPN interfaces in zones. I've done your setup many times, having a hub with multiple VPNs to different offices, group all the VPN interfaces in a VPN zone and create a policy from lan > VPN and VPN > lan.
Only thing to note is that with interzone traffic (ie: if the two spoke sites want to talk to each other through the hub) you have only two options, to either allow all traffic between them, or deny all traffic between them. If you want more granular control over what the spokes can speak to each other on then you'll need to take them out of the zone and create separate policies.
This is not true. You could block intra-zone traffic and allow only certain traffic inside the zone with policies, for example if you have ZONE-A, use policy with source ZONE-A -> ZONE-A, e.g. control network traffic inside the zone with source and destination fields.
Counldn't you just enable the "Multiple Interface Policies" feature and create your policies with multiple interfaces instead of a single zone?
I have to agreed , what you where told is wrong. You can place dozens if not hundred of "interfaces" including a route-based-Intf in a zone. We do that at my day job for simple and effective fwpolicy managements
PCNSE
NSE
StrongSwan
Thank you all for the feedback... I had a feeling we weren't getting accurate info.
The issue that we ran into, which prompted our calling support was as follows:
- We created 'temp' rules to allow traffic to/from a loopback interface to/from VPN_1 and to/from VPN_2
- The VPNs came up no problem and we were able to ping through.
- We then deleted the policies (had to delete the policies referencing interfaces to add said interfaces to a zone), then added the interfaces to zones, and re-created the policies based on Zones.
- at this point, the tunnels would not come up.
- I left the 'zone based' policies in place and created two new policies: loopback to VPN_1 and loopback to VPN_2
- At this point both tunnels came up, but we noticed warnings on the zone based policies, to the effect of or more zones not having interfaces associated with it.
- That was when we called support...
neonbit wrote:...
Only thing to note is that with interzone traffic (ie: if the two spoke sites want to talk to each other through the hub) you have only two options, to either allow all traffic between them, or deny all traffic between them. If you want more granular control over what the spokes can speak to each other on then you'll need to take them out of the zone and create separate policies.
Does the Fortigate not support intrazone policies? (On some devices we deploy, VPN's terminate to LAN so all of the rules are based on LAN <-> LAN)
jcollazo wrote:Counldn't you just enable the "Multiple Interface Policies" feature and create your policies with multiple interfaces instead of a single zone?
What exactly does that feature do?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1709 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.