Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fred339
Contributor

Fortigate WAN settings

This is a Fortigate 80F in mid-stages of configuration.

In Network/Interfaces, I see:

LAN (1): Internal, Hardware Switch; Type: Hardware Switch; Members: Internal-1 to Internal-6

Internal-1 has an IP/Netmask which I presume applies to 1-6.

WAN(2) has

FGWAN1(wan1)  Physical Interface with an IP address

wan1    Physical interface with 0.0.0.0/0.0.0.0


Now, I am planning to set up a 2nd WAN interface but not yet.

In the meantime, I want to set up an EXTERNAL ZONE with wan1 and wan2, but only wan2 is available, it seems. <<< So that's really the issue.

In the end, I should think there would be:

wan1 with an IP address

wan2 with a separate IP address

and an EXTERNAL ZONE with both of them in the zone.

Fred Marshall
2 Solutions
vsahu
Staff

Hello Fred,


Go to Network >> Interface and click on the reference number for wan1.

[screenshot: vsahu_0-1662209473408.png]

You'll be able to see something like below; once you select the object you'll be able to edit and delete it. In this config, because a firewall policy is using port1, I was not able to create a zone with port1.

In your scenario, just match the same reference between wan1 and wan2, and once you delete the reference which is causing this behavior you'll be able to call the interface in the zone. Generally it is always a firewall policy.

[screenshot: vsahu_3-1662209577935.png]


Regards,
Vishal


Toshi_Esumi
Esteemed Contributor III

Most likely your usage of wan1 is the same as Vishal's. At least one policy is using it, with a default static route or more. A zone can be used only in policies, not for routing. So if you don't see wan1 among the candidate members of a zone, it has to be a policy or policies using it.


As in Vishal's screenshot, the number on the policy after the name (DNS) is the policy ID. You can find it after you add "ID" in the table settings of the Firewall Policy page.

[screenshot: Toshi_Esumi_0-1662226419311.png]


Or, if you've chosen Interface Pair View in the policy page (it's the default), you should see that "wan1" is in the interface pairs.


Toshi


7 Replies
Toshi_Esumi
Esteemed Contributor III

Probably because the default policy #1 is using wan1 already. Just remove the policy.


Toshi

fred339
Contributor

I don't find anything like that...

Fred Marshall
Toshi_Esumi
Esteemed Contributor III

That's very unusual if you've gotten a brand-new 80F and started configuring it for the first time. Are you sure Policy & Objects->Firewall Policy is empty? Or is none of the policies you created using wan1?

Then what do you see at the end of the row "wan1" under the Network->Interfaces page? There should be a "Ref." column showing the number of references. Is it '0'? I'm almost sure it's NOT '0'.


Toshi

fred339
Contributor

It's not brand-new.

Thanks for the pointers re: how to find this.

In Network/Interfaces I see "3" under Ref. for wan1.
If I open the "3", then I see 3 entries each with Ref = 0 and no more information there.
So, I feel like I'm getting somewhere but haven't arrived yet.

Thanks!

I do have an IP assigned to wan1, but that wouldn't seem to me to affect the zone definition.

Would it?

Fred Marshall

ede_pfau
Esteemed Contributor III

And the other 2 references would likely be:

- a static (default) route (Network - Static route)

- a DHCP server (Network - interface - DHCP server)


The numbers in the "Ref." column are links, i.e. clickable. Follow the links to see which objects they are linked to.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
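The advice in this thread comes down to finding every object that still names wan1 before the zone will accept it. The Python below is an added example, not code from the thread or from Fortinet: it walks a constructed FortiOS-style config backup (an assumption; in practice you would feed it the 80F's own backup file) and reports each object that names a given interface, so the three references Fred saw show up as a firewall policy, a static route and a DHCP server, the kinds the replies point to.

```python
import shlex

# Constructed FortiOS-style backup excerpt (an assumption, not from the thread).
SAMPLE_CONFIG = """\
config system zone
    edit "EXTERNAL"
        set interface "wan2"
    next
end
config firewall policy
    edit 1
        set name "DNS"
        set dstintf "wan1"
    next
end
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
end
config system dhcp server
    edit 1
        set interface "wan1"
    next
end
"""

# Attributes that carry interface names in the object types the replies mention.
INTERFACE_ATTRS = {"srcintf", "dstintf", "device", "interface"}

def find_interface_refs(cfg_text, iface):
    """Return (section, edit id, attribute) for each object that names iface."""
    refs, path, edit_id = [], [], None
    for raw in cfg_text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        kw = words[0]
        if kw == "config":    # enter a table, e.g. "firewall policy"
            path.append(" ".join(words[1:]))
        elif kw == "edit":    # one object: policy ID, route sequence, zone name
            edit_id = words[1]
        elif kw == "next":
            edit_id = None
        elif kw == "end":
            path.pop()
        elif kw == "set" and words[1] in INTERFACE_ATTRS and iface in words[2:]:
            refs.append((" ".join(path), edit_id, words[1]))
    return refs
```

Calling `find_interface_refs(SAMPLE_CONFIG, "wan1")` returns the three referencing objects, matching the "3" in the Ref. column; the policy entry carries the ID you would look up under Policy & Objects.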