System Configuration – Zone – FortiOS 6.2

Zone

Zones are a group of one or more physical or virtual FortiGate interfaces that you can apply security policies to control inbound and outbound traffic. Grouping interfaces and VLAN subinterfaces into zones simplifies the creation of security policies where a number of network segments can use the same policy settings and protection profiles.

When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Each interface still has its own address. Routing is still done between interfaces, that is, routing is not affected by zones. You can use security policies to control the flow of intra-zone traffic.

For example, in the sample configuration below, the network includes three separate groups of users representing different entities on the company network. While each group has its own set of ports and VLANs in each area, they can all use the same security policy and protection profiles to access the Internet. Rather than the administrator making nine separate security policies, he can make administration simpler by adding the required interfaces to a zone and creating three policies.

Sample configuration

You can configure policies for connections to and from a zone but not between interfaces in a zone. For this example, you can create a security policy to go between zone 1 and zone 3, but not between WAN2 and WAN1, or WAN1 and DMZ1.

To create a zone in the GUI:

  1. Go to Network > Interfaces.
  2. Click Create New > Zone.
  3. Configure the Name and add the Interface Members.

To configure a zone to include the internal interface and a VLAN using the CLI:

config system zone edit Zone_1 set interface internal VLAN_1 set intrazone deny/allow

end

Using zone in a firewall policy

To configure a firewall policy to allow any interface to access the Internet using the CLI:

config firewall policy edit 2 set name “2” set srcintf “Zone_1” set dstintf “port15” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set nat enable

next

end

Intra-zone traffic

In the zone configuration you can set intrazone deny to prohibit the different interfaces in the same zone to talk to each other.

For example, if you have ten interfaces in your zone and the intrazone setting is deny. You now want to allow traffic between a very small number of networks on different interfaces that are part of the zone but you do not want to disable the intra-zone blocking.

In this example, the zone VLANs are defined as: 192.168.1.0/24, 192.168.2.0/24, … 192.168.10.0/24.

This policy allows traffic from 192.168.1.x to 192.168.2.x even though they are in the same zone and intra-zone blocking is enabled. The intra-zone blocking acts as a default deny rule and you have to specifically override it by creating a policy within the zone.

To enable intra-zone traffic, create the following policy:

Source Interface Zone-name, e.g., Vlans
Source Address 192.168.1.0/24
Destination Zone-name (same as Source Interface, i.e., Vlans)
Destination Address 192.168.2.0/24

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “System Configuration – Zone – FortiOS 6.2

  1. Barry Olech

    Hi Mike, I have all of my vlans in one zone but each vlan needs to source nat a different external IP address. Would i need central Nat to get this to work?

    Reply

Leave a Reply to Barry Olech Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.