Zones Will Save Your Sanity

FortiGates are interface driven firewalls. Policy is relatively straight forward. Port 1 to Wan 1 Allow HTTP NAT you get my drift. In more complex environments though where you can easily have 5-10 interfaces (even more if you  bring in VLAN’s) you will most certainly want to use Zones.

What is a zone? A zone is a created “Interface” that you assign other interfaces to. For instance, my common deployment has 2 main zones, INSIDE and OUTSIDE. This keeps policy extremely simple.

The train of thought with this ZONE setup is traffic is either coming in or out. From there you just create the policy and work accordingly. This makes deployments for my clients super easy.

The setup at my house is utilized this way as well (I have a FortiGate 92D at home). My setup is slightly more advanced though thanks to having dual internet connections, SSL VPN, and other capabilities kicked on. But as you can see in the policy set below I have an INSIDE zone. That zone has my work network, my personal home network, and my DMZ wireless network (for when I am cleaning peoples deranged and abused machines). I have each one assigned to the INSIDE zone so that I can apply the same policy for traffic that is traveling from inside sources to the internet. This greatly reduces policy count and helps keep things uniform.

Disclaimer: Make sure to click the “Block Intra-Zone Traffic” check box when creating a zone that includes a set of networks that you don’t want to communicate without policy. For instance, my INSIDE zone has my work network which I need to make sure only my work laptop can see, My personal network which sees everything on the personal net, and a DMZ network that I absolutely don’t want ANY of my other networks to receive traffic from or send traffic to. So I check the “block intra-zone traffic” box when I create my zone (can be edited after the zone is created as well) and then manually allow it via policy (work network is able to access printer on personal net etc). Remember, the more granular you are the better your security will be. Also, the only traffiic that should be able to flow is the traffic you explicitly allow.

Zone Setup FortiGate FortiOS 5.4

Zone Setup FortiGate FortiOS 5.4

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

10 thoughts on “Zones Will Save Your Sanity

  1. Vin

    Hi ,

    Could you let me know whether I can add the policy from and Interface to Zone and wise versa . If so will it work
    ie: Suppose I have 10 site to Site VPN which has been configured as a VPN-Zone and inside network is on port3 of the firewall . If I add a policy source as VPN-Zone and Destination As port3 will it work ?

    Regards
    Vin

    Reply
    1. Mike Post author

      Vin,

      This will work. The Zone is treated like a normal interface. I personally prefer to have all of my interfaces in zones (INSIDE, OUTSIDE, DMZ, VPN) etc as it tends to shrink my policy size (removes repetitive rule sets) and makes things easier to follow for me.

      Reply
  2. rowie

    hi,

    fast firewall config examples welcome! 🙂
    i´ve only device based policies and i´m searching for strong, simple and fast policies.
    i dont´t know whats the best way for it .. 🙁

    br,
    rowie

    Reply
    1. Mike Post author

      I am working on some pretty solid baseline configurations for new FortiGate deployments. I think you guys will love them.

      Reply
  3. BT

    This sounds like a great idea. We are trying to deploy/manage many UTMs with different VIP on different sites but they are basically and “inside” and “outside” and have the same security policy for all of the VIP’s basically.

    We have a fortimanager. Do you think it’s easier to run a script to push and deploy this or is it easier/intuitive enough to do via the GUI on the manager?

    Reply
    1. Mike Post author

      I would definitely practice in a lab with the Manager before you decide to use on production. There is a learning curve involved that can make or break your environment haha. I had an associate that nuked a few enterprises but not being spun up enough on the Manager. One of those, “With great power comes great responsibility” situations!

      Reply
    1. Mike Post author

      I normally perform this in the following manner:
      – Create the zones (IE. INSIDE and OUTSIDE)
      – Duplicate the policies you have but edit them to use these zones (fastest way is to backup the config, open it, cut out the policies and perform some “search and replace” for the interface variables to change “wan1” to “OUTSIDE” etc) then copy and paste that section into putty while ssh’d in to the firewall policy edit area.
      – Plan downtime and then remove all existing policies that use the interfaces directly
      – Associate the interfaces to the new appropriate zones and test

      Reply

Leave a Reply to BT Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.