skogaren
New Contributor

Add interface in existing firewall ruleset

Hello,

Currently our Fortigate 500E has many vlan interfaces.

The vlan interfaces are divided into zones in the firewall ruleset, for example:

ZONE-CLIENT - vlan interface/subnet where we have the internal PC clients.

ZONE-SERVER - vlan interface/subnet where we have the internal servers.

Here's an example of a firewall rule and how it looks in the CLI of the FortiGate.

SOURCE 192.168.1.0/24

DESTINATION 192.168.10.100,192.168.10.101

PROTOCOL/PORT TCP/80

---

config firewall policy
    edit 25
        set name "CLIENT HTTP TRAFFIC"
        set srcintf "ZONE_CLIENT"
        set dstintf "ZONE_SERVER"
        set srcaddr "ADDR_NET_192.168.1.0"
        set dstaddr "ADDR_SRV_192.168.10.100" "ADDR_SRV_192.168.10.101"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end

---

We are in the process of migrating routing from the Fortigate firewall to a Cisco core switch. The Fortigate will still be used as a firewall and the vlan interface with corresponding ip ranges will be created in the new core switch.

We have created a vlan interface on the core switch and Fortinet to use as a link-net between the core switch and firewall.

Can I add the new vlan interface as the incoming interface and can it co-exist with the same zone?

Like this?

---

config firewall policy
    edit 25
        set name "CLIENT HTTP TRAFFIC"
        set srcintf "ZONE_CLIENT" "INTERFACE-LINKNET"
        set dstintf "ZONE_SERVER"
        set srcaddr "ADDR_NET_192.168.1.0"
        set dstaddr "ADDR_SRV_192.168.10.100" "ADDR_SRV_192.168.10.101"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end

---

Or do I have to create a zone for that link-net and build a copy of the existing firewall ruleset?

Kind regards,

7 REPLIES
Toshi_Esumi
SuperUser

You can try it to see the effect. It would break "Interface Pair View" in the policy GUI and show them as "By Sequence" instead. You can always go back if you don't like it.

To me, creating a new policy with the new interface is much easier in the next step: just "del 25" in the policies.

skogaren

OK, I agree that it is better to create a new policy. I am new to FortiGate, but I think that I would first clone the existing rule and then edit it and replace the zone with the interface?

There are about 100 policies that need to be edited, so any tips are gladly appreciated.

Kind regards,

Toshi_Esumi

If you have that many policies to migrate to the new circuit, I don't recommend using GUI. Just dump the policies into a text editor, replace the zone name with the new interface name, then change all "edit N" to "edit 0". Then paste them back into "config firewall policy".
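
The text-editor step above, as an added worked example that is not part of the thread: a Python script that takes a `show firewall policy` dump and emits a pasteable block in which every policy whose srcintf lists the zone is cloned with `edit 0` and the zone swapped for the new interface. The sample dump is constructed, and the name suffix is an assumption (drop it if your FortiOS build allows duplicate policy names).

```python
import re

# Constructed sample of a "show firewall policy" dump; not copied from the poster's device.
SAMPLE_DUMP = '''config firewall policy
    edit 25
        set name "CLIENT HTTP TRAFFIC"
        set srcintf "ZONE_CLIENT"
        set dstintf "ZONE_SERVER"
        set srcaddr "ADDR_NET_192.168.1.0"
        set dstaddr "ADDR_SRV_192.168.10.100" "ADDR_SRV_192.168.10.101"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    edit 26
        set name "SERVER TO CLIENT"
        set srcintf "ZONE_SERVER"
        set dstintf "ZONE_CLIENT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
'''

# One "edit N ... next" block per policy, as the FortiOS CLI prints it.
POLICY_RE = re.compile(r"^\s*edit (\d+)\n(.*?)^\s*next\n", re.S | re.M)

def clone_policies(dump, zone, new_intf, suffix=" LINKNET"):
    """Return a pasteable 'config firewall policy' block cloning every policy whose
    srcintf lists `zone`, with `zone` -> `new_intf` and 'edit 0' for fresh IDs."""
    clones = []
    for m in POLICY_RE.finditer(dump):
        body = m.group(2)
        src = re.search(r'^\s*set srcintf (.+)$', body, re.M)
        members = re.findall(r'"[^"]*"', src.group(1)) if src else []
        if f'"{zone}"' not in members:
            continue  # zone is not an ingress interface here: leave this policy alone
        new_src = " ".join(f'"{new_intf}"' if t == f'"{zone}"' else t for t in members)
        body = body[:src.start(1)] + new_src + body[src.end(1):]
        # Suffix the name so the clone does not collide with the original.
        # Assumption: this FortiOS build enforces unique policy names.
        body = re.sub(r'(set name "[^"]*)"', lambda n: n.group(1) + suffix + '"', body, count=1)
        clones.append("    edit 0\n" + body + "    next\n")
    return "config firewall policy\n" + "".join(clones) + "end\n" if clones else ""
```

Review the generated block before pasting it into `config firewall policy`; the originals keep their IDs, so they can be deleted only after the clones are confirmed working.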

skogaren

Thanks for the response!

I will go about it as you suggested!

 

I have an additional question regarding zones. For example:

Will the traffic be dropped if we move the client and modify the rule with the new interface but keep the zone as the destination interface?

Will the FortiGate only look at the destination IP address?

config firewall policy
    edit 25
        set name "CLIENT HTTP TRAFFIC"
        set srcintf "INTERFACE-LINKNET"
        set dstintf "ZONE_SERVER"
        set srcaddr "ADDR_NET_192.168.1.0"
        set dstaddr "ADDR_SRV_192.168.10.100" "ADDR_SRV_192.168.10.101"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end

Toshi_Esumi

You said to create a new VLAN interface for the new policies. And it's not in the current zone. So it's up to the Cisco L3 switch routing which interface the client traffic is routed toward. It can't be on both the zone and the interface at the same time. So it would hit only one side of the policy sets at a time.

Toshi_Esumi

In other words, if [srcintf AND dstintf] don't match the traffic, FGTs wouldn't even look up the rest of the policy. Only matching ones would affect the traffic. Just create the new 100+ policies and test them. Then, when you've confirmed they work, you can delete all 100+ old policies.

By the way, the new policy IDs would be much higher unless some lower IDs don't exist now because you deleted them in the past. That's the reason you should use only "edit 0" to create new policies in order to let the FGT figure out available policy IDs itself.

skogaren

Thanks for the clarification and for your input. I will try to create the new policies and test it.

Kind regards,
