abood
New Contributor

editing policies and create a new zone

Hello,

I have a FortiGate unit with firmware v5.4.2,build110, and I have two WAN interfaces with too many inside interfaces. I have policies that are identical and duplicated, and I want to decrease this HUGE number of policies by creating a zone for the WAN interfaces and also a new zone for the inside interfaces if possible.

As you know, I can't bind interfaces to a new zone since the interfaces are used in policies :(

Q1: What is the best way to do this? I'm thinking of doing it in Notepad by creating a zone and replacing the interfaces with the new zones. Is it a good idea, or do you have another way?

Q2: Can I create a policy between interfaces within the same zone?

Q3: Can we add interfaces like VLAN interfaces within a trunk/aggregate and physical interfaces within the same zone?

Thanks

1 Solution
mahesh_secure
Contributor

Hi,

Q1: What is the best way to do this? I'm thinking of doing it in Notepad by creating a zone and replacing the interfaces with the new zones. Is it a good idea, or do you have another way?

::: Yes, that's the best way. Create a new zone in the GUI and add any other port. Download the config file. Open it in Notepad and search for config system zone. In set member, add your wan1 and wan2 ports. Now go to the policies by searching for config firewall policy. Copy from start to end and paste it into a new Notepad. Now replace all the wan1 and wan2 with the zone name. Copy and paste the replaced script into the original backup file. After this, verify and restore the backup.

Q2: Can I create a policy between interfaces within the same zone?

::: If the interfaces are in the same zone, why would you want to create a policy for that? In the zone configuration you can enable and disable intra-zone traffic.

Q3: Can we add interfaces like VLAN interfaces within a trunk/aggregate and physical interfaces within the same zone?

::: You can add any interface to a zone if it's not used by any other config. A zone can't be used to create VLAN and LACP config.

I have answered from my experience; please check and update.

Regards

Mahesh
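The Notepad procedure in the accepted answer (add the WAN ports to the zone, then replace the port names in every policy) is easy to get wrong with a plain search-and-replace, because "wan1" is also a substring of "wan10", and because two policies that become identical after the swap are still two policies. The script below is an added example, not code from the forum post or from Fortinet: it applies the same steps to a FortiGate config backup as text, matching only whole quoted interface names in `set srcintf` / `set dstintf`, adding the members to the zone with the `set interface` keyword that the FortiOS CLI uses under `config system zone`, and then removing policies whose body is byte-identical to an earlier policy (since policies match top-down, the later copy was unreachable anyway). The sample backup, the zone name `WAN-ZONE` and the port names are constructed for the example.

```python
"""Added example: rewrite a FortiGate config backup so that firewall policies
reference a WAN zone instead of individual WAN ports, then drop the policies
that became exact duplicates.  Not from the forum post; the sample backup is
constructed and the zone/port names are assumptions."""
import re

QUOTED = re.compile(r'"([^"]*)"')
# One policy entry inside `config firewall policy` (FortiOS policy ids are numeric).
POLICY = re.compile(r"    edit (\d+)\n(.*?)\n    next\n", re.S)

# Constructed sample backup: an empty zone, two policies that differ only in the
# WAN port, and a third policy on "wan10" that a naive replace of "wan1" would corrupt.
SAMPLE_CONFIG = """\
config system zone
    edit "WAN-ZONE"
        set intrazone deny
    next
end
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "lan"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 3
        set srcintf "lan"
        set dstintf "wan10"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end
"""


def _section(config, header):
    """Offsets of the top-level `header ... end` block (the `end` at column 0)."""
    start = config.index(header + "\n")
    end = config.index("\nend\n", start) + len("\nend\n")
    return start, end


def add_zone_members(config, zone, members):
    """Add the member ports to an existing zone entry (FortiOS keyword: set interface)."""
    start, end = _section(config, "config system zone")
    block = config[start:end]
    entry = f'    edit "{zone}"\n'
    if entry not in block:
        raise ValueError(f"zone {zone!r} must exist before members are added")
    line = "        set interface " + " ".join(f'"{m}"' for m in members) + "\n"
    return config[:start] + block.replace(entry, entry + line, 1) + config[end:]


def rewrite_policy_interfaces(config, zone, members):
    """Swap member names for the zone in srcintf/dstintf, matching whole quoted
    tokens (so "wan1" never touches "wan10") and collapsing repeated names."""
    start, end = _section(config, "config firewall policy")
    members = set(members)

    def fix(match):
        names = []
        for n in QUOTED.findall(match.group(2)):
            n = zone if n in members else n
            if n not in names:
                names.append(n)
        return match.group(1) + " " + " ".join(f'"{n}"' for n in names)

    pat = re.compile(r"^(\s*set (?:srcintf|dstintf))\s+(.*)$", re.M)
    return config[:start] + pat.sub(fix, config[start:end]) + config[end:]


def dedupe_policies(config):
    """Drop a policy whose body is identical to an earlier one.  Policies match
    top-down, so the later copy was shadowed.  Returns (config, [(removed_id, kept_id)])."""
    start, end = _section(config, "config firewall policy")
    seen, removed = {}, []

    def keep(match):
        pid, body = int(match.group(1)), match.group(2)
        if body in seen:
            removed.append((pid, seen[body]))
            return ""
        seen[body] = pid
        return match.group(0)

    return config[:start] + POLICY.sub(keep, config[start:end]) + config[end:], removed


def policy_ids(config):
    """Policy ids remaining in the policy section, in order."""
    start, end = _section(config, "config firewall policy")
    return [int(m.group(1)) for m in POLICY.finditer(config[start:end])]


def migrate(config, zone, members):
    """The whole procedure from the answer: zone members, policy rewrite, dedupe."""
    config = add_zone_members(config, zone, members)
    config = rewrite_policy_interfaces(config, zone, members)
    return dedupe_policies(config)


if __name__ == "__main__":
    new_config, removed = migrate(SAMPLE_CONFIG, "WAN-ZONE", ["wan1", "wan2"])
    print(new_config)
    print("removed policies (id, duplicate of):", removed)
```

Review the `removed` list before restoring the edited backup: it tells you which policy ids disappeared and which earlier policy now covers them, which is the verification step the answer asks for. Interfaces that are still referenced anywhere else in the backup (routes, address objects, other policy sections) have to be cleared there too, or the restore will reject the zone membership, which is the same constraint the original poster hit in the GUI.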


2 REPLIES 2
abood

Thank you
