Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mortirolo
New Contributor

Created on ‎04-26-2017 03:56 AM

Cannot create Zone with same name as Physical port

I would like to create a zone called "dmz", my FG100D will not let me as it conflicts with a "duplicate" name dmz under physical ports. I changed the Switch mode to physical. Is this possible to rename the physical port to stop this Zone naming conflict.

 

100D # conf vdom 100D (vdom) # edit V1 current vf=V1:2 100D (V1) # config system zone 100D (zone) # edit name    Zone name. intranet 100D (zone) # edit dmz the name "dmz" conflicts with a system interface of the same name node_check_object fail! for name dmz value parse error before 'dmz' Command fail. Return code -553 100D (zone) #

100D # conf glo 100D (global) # conf sys int 100D (interface) # edit dmz   static   0.0.0.0 0.0.0.0  down   disable   physical ha1   static   0.0.0.0 0.0.0.0  up   disable   physical ha2   static   0.0.0.0 0.0.0.0  up   disable   physical

7044
0 Kudos
3 REPLIES 3
Kenundrum
Contributor III

Created on ‎04-26-2017 05:53 AM

No I don't think it's possible to rename the physical ports. I use zones a lot in order to abstract the physical and logical connections- if a change to the physical connections on a device becomes necessary, i don't have to completely rework the ruleset. 

What i do is name the different interface items with a suffix for what it is. For example, there's the physical interface DMZ as well as DMZ_VLAN and DMZ_ZONE. That is probably your best bet.

CISSP, NSE4

 

CISSP, NSE4
3539
0 Kudos
mortirolo
New Contributor
In response to Kenundrum

Created on ‎04-26-2017 07:47 AM

yeah there doesn't seem to be anyway of changing a physical port name. I speak to our Fortigate expert in Nice, France every week, will find out for sure form him I hope.

 

 

3539
0 Kudos
emnoc
Esteemed Contributor III
In response to mortirolo

Created on ‎04-26-2017 08:55 AM

No you can't craft a interface or zone using any "hard" names

 

That means you can't craft a interface named port1 or lan 

 

or a zone name port1 or port2

 

What you might do is if you  ultimately have to have  "DMZ"  is to look at case sensistively;

 

e.g

FGTFW01 (root) # config system zone 

 

FGTFW01 (zone) # show

 

FGTFW01 (zone) # edit PORT1

new entry 'PORT1' added

 

FGTFW01 (PORT1) # show

config system zone

    edit "PORT1"

    next

end

 

FGTFW01 (PORT1) # next 

 

FGTFW01 (zone) # edit port1

the name "port1" conflicts with a system interface of the same name

node_check_object fail! for name port1

 

value parse error before 'port1'

Command fail. Return code -553

 

 

 

I would caution NOT TODO THIS and take  the other ken's advice b4 me ;) Here's why

 

A: let's say you have a firewall with no DMZ interface defined

B: you managed to  craft a  zone named "DMZ"

C:  you later change to a model that has a "DMZ" interface

D: your  zone named "DMZ"  will conflict with the interface name

 

 

It's better just to name the zone with an extension  or prefix

 

e.g

 

ZONADMZ

DMZ_ZONE

ZONE_DMZ

Z_DMZ

DMZ_Z

etc........

 

 

YMMV

 

Ken 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
3539
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.