This cookbook recipe shows how grouping multiple interfaces into a zone can simplify firewall policies. In this example, we create VLAN10, VLAN20, and VLAN30 and add them into a zone called the “LAN Zone.” Instead of having to reference all three interfaces separately as a source interface in our firewall policy, we can just use the single zone object.
Zones can also group many other kinds of interfaces in addition to VLANs, such as physical ports or IPsec tunnels.
1. Creating the VLAN interfaces

Go to Network > Interfaces and select Create New > Interface. Create the VLAN interface for VLAN ID 10 and enable the DHCP server option.

Create the VLAN interface for VLAN ID 20 and enable the DHCP server option.

Create the VLAN interface for VLAN ID 30 and enable the DHCP server option.
2. Creating the zone

Under Network > Interfaces, select Create New > Zone, name the zone LAN Zone, and add the newly created VLANs to the zone. Leave Block intra-zone traffic enabled to prevent communication between the VLAN interfaces.
3. Creating a firewall policy for the zone

Navigate to Policy & Objects > IPv4 Policy and create a firewall policy that allows any VLAN in the “LAN Zone” to access the Internet. Select any security profiles desired with best practices and business requirements in mind.
Results

Users from VLAN10, VLAN20, or VLAN30 will now have Internet access.

As new VLANs are added in the future, they can be added to “LAN Zone” without having to modify the firewall policy we created in Step 3.
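The same three steps expressed in the FortiOS CLI, as an added example that is not part of the original recipe. The parent port name "internal", the WAN port name "wan1", and the 10.10.10.0/24 addressing are assumptions; only VLAN10 is shown in full, and VLAN20 and VLAN30 are configured the same way with their own VLAN ID and subnet.

```text
# Step 1: VLAN interface on the "internal" port, with a DHCP server.
# Assumed addressing: VLAN10 = 10.10.10.0/24. Repeat for VLAN20 (vlanid 20) and VLAN30 (vlanid 30).
config system interface
    edit "VLAN10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "internal"
        set vlanid 10
    next
end
config system dhcp server
    edit 1
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        set interface "VLAN10"
        config ip-range
            edit 1
                set start-ip 10.10.10.2
                set end-ip 10.10.10.254
            next
        end
    next
end
# Step 2: the zone. "intrazone deny" is the CLI form of "Block intra-zone traffic",
# so hosts on VLAN10 cannot reach VLAN20 or VLAN30 through the firewall.
config system zone
    edit "LAN Zone"
        set intrazone deny
        set interface "VLAN10" "VLAN20" "VLAN30"
    next
end
# Step 3: one policy references the zone instead of three separate source interfaces.
config firewall policy
    edit 1
        set name "LAN Zone to Internet"
        set srcintf "LAN Zone"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
```

An interface can only be added to a zone while no firewall policy references it directly, so when adding a future VLAN, put it in the zone before writing any policy for it. Once it is a zone member, the policy above applies to it with no change.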
For further reading, check out Zones in the FortiOS 5.6 Handbook.
The post Using zones to simplify firewall policies appeared first on Fortinet Cookbook.