That does clean things up nicely. Will have to do this. I have a question that's partially related. I currently have a 60F and use an AP223C, and have 5 SSIDs to segment. No VLANs. Am I better off using one SSID and segmenting with VLANs? This is a home environment as well as for my work. Your videos are very helpful, thank you.
First up, great content man, thanks heaps! Wondering if zones can be used with multicast policy? I have a FG40F on 7.2.2 that has been configured with a single zone containing all internal interfaces. When I go to the multicast policy I can only select the zone as either the inbound OR the outbound interface, whereas with a normal policy I can use the same zone for both interfaces when allowing traffic between the two VLANs. Just wondering, thanks!
Hello, I have a FortiGate 80E with interfaces and policies already configured and I can't create zones as mentioned in your video. Which is the easiest way to migrate to this type of configuration? (4 physical interfaces used: 1 has a couple of VLANs, 2 are plain physical interfaces, and 1 has another router connected from a secondary location.) You're doing a great job with these videos! Thank you!!!
If your interfaces are in use you cannot add them to a zone. I would back up the config. Delete the policies so the interfaces are available to you. Create your zones and add your interfaces. Create the policies with the zones.
Informative video. Quick question though: what if I did not create a policy Outside-to-Inside, but I have Inside-to-Outside configured. Would the Inside-to-Outside be enough to make my internal network talk to the outside world, and the outside world communicate to my internal network?
fidel demot: That will allow your internal network to initiate two-way communication between you and the outside world, that is correct. Since the session is being initiated from the inside out and the policy allows it, you are golden. If traffic were being initiated from the outside, that is where you would hit issues.
Great video! This seems like a great idea for setting up a new box. I have over 20 pairs which I manage on our 200D cluster, coming from 5.0 to 5.2 to 5.4. Now I wonder, if I define the zones (which I won't without proper testing), what would happen to the existing rules, which are pretty granular. Do you know how FortiOS will act?
I usually design my zone structure, back up my config and then find and replace the interface names in the policy section of the config to match the appropriate zone. You can also just replicate them slowly and steadily and double-check things, then cut the interfaces over to the new zones. Really depends on how you want to approach it.
Fortinet Guru, that's exactly what I did when migrating the cluster to LACP towards the backbone. I'm not sure there is that much benefit going towards zones on this production cluster, which is pretty complex. I think the best route would be to use the interface pairs. Saying that, your video was an eye opener. Literally. So I thank you for it :)
Everyone has their own preference. I can see the added layer of granularity. I use zones with INSIDE, OUTSIDE, and DMZ designations and then just make it so that interfaces that are members of said zone can't talk to each other. From that point I can get as granular as I want (INSIDE-to-INSIDE policy for network 1, which is part of the INSIDE zone, going to network 2, which is part of the INSIDE zone). The end result is the same, but then you can drop new firewall admins in there and say "These networks are INSIDE, these are OUTSIDE, these are DMZ" and it will reduce the accidental policy placement that exposes the environment to shady traffic. :-)
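The two replies above describe a procedure: back up the config, find and replace the interface names in the policy section with the zone names, and build the zones so that members of the same zone cannot talk to each other. The script below is an added example, not from the video or any commenter, that does that offline on a config backup. The port and zone names, the `ZONE_MAP`, and the three sample policies are constructed for the example. It touches only `set srcintf` / `set dstintf` lines inside `config firewall policy` (routes, VIPs and other tables keep their interface names, since those tables do not take zones), collapses several members of one zone into a single entry, emits the `config system zone` table with `set intrazone deny`, and reports every policy whose source and destination both landed in the same zone, because after the rewrite that policy's isolation rests on its address objects rather than on interfaces. Restore the rewritten file rather than pasting it into a live CLI, since a running unit will not accept an interface into a zone while a policy still references it.

```python
"""Rewrite FortiOS policy interface references to zone names (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed mapping: which interface joins which zone.  Names are assumptions.
ZONE_MAP: Dict[str, str] = {
    "port1": "OUTSIDE",
    "port2": "INSIDE",
    "port3": "INSIDE",
    "vlan10": "INSIDE",
    "port4": "DMZ",
}

# Constructed excerpt of a FortiOS backup, trimmed to the policy table.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "port2" "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "LAN-to-VLAN10"
        set srcintf "port2"
        set dstintf "vlan10"
        set srcaddr "net-users"
        set dstaddr "net-printers"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "DMZ-web-out"
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
"""

_INTF_LINE = re.compile(r'^(\s*set (?:srcintf|dstintf) )(.+)$')
_QUOTED = re.compile(r'"([^"]*)"')


def _map_names(quoted: str, zone_map: Dict[str, str]) -> List[str]:
    """Map each quoted interface to its zone; members of one zone collapse to one entry."""
    out: List[str] = []
    for name in _QUOTED.findall(quoted):
        zone = zone_map.get(name, name)   # interfaces outside the map stay as they are
        if zone not in out:
            out.append(zone)
    return out


def rewrite_policies(config_text: str, zone_map: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (rewritten config, ids of policies that became intrazone)."""
    out_lines: List[str] = []
    intrazone: List[str] = []
    depth = 0                  # 0 = outside the policy table, 1 = inside it
    current_id = None
    src = dst = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if depth == 0:
            if stripped == "config firewall policy":
                depth = 1
        elif stripped.startswith("config "):
            depth += 1         # nested table inside a policy entry: leave untouched
        elif stripped == "end":
            depth -= 1
        elif depth == 1 and stripped.startswith("edit "):
            current_id = stripped.split()[1]
            src = dst = None
        elif depth == 1 and stripped == "next":
            if src and dst and src == dst and len(src) == 1:
                intrazone.append(current_id)
        elif depth == 1:
            m = _INTF_LINE.match(line)
            if m:
                names = _map_names(m.group(2), zone_map)
                if "srcintf" in m.group(1):
                    src = names
                else:
                    dst = names
                line = m.group(1) + " ".join(f'"{n}"' for n in names)
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", intrazone


def zone_config(zone_map: Dict[str, str], intrazone: str = "deny") -> str:
    """Emit the `config system zone` table; intrazone deny blocks member-to-member traffic."""
    members: Dict[str, List[str]] = {}
    for intf, zone in zone_map.items():
        members.setdefault(zone, []).append(intf)
    lines = ["config system zone"]
    for zone in sorted(members):
        lines.append(f'    edit "{zone}"')
        lines.append(f"        set intrazone {intrazone}")
        lines.append("        set interface " + " ".join(f'"{i}"' for i in members[zone]))
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    text, flagged = rewrite_policies(SAMPLE_CONFIG, ZONE_MAP)
    print(zone_config(ZONE_MAP))
    print(text)
    for pid in flagged:
        print(f"# review: policy {pid} is now {'INSIDE'}-to-same-zone; "
              "its isolation rests on srcaddr/dstaddr, not on interfaces")
```

In the sample, policy 1 collapses from two source interfaces to `set srcintf "INSIDE"`, and policy 2 (port2 to vlan10) is reported because both ends are now INSIDE; with `intrazone deny` on the zone that policy is still what permits users to reach the printers, so it must stay, and its address objects are now the only thing keeping network 1 from reaching the rest of the zone.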
Fortinet Guru, I can't agree more. This is perfect for a new setup and should be the best-practice way. I just wonder what FortiOS does when creating zones. I hope it won't destroy anything.
Hi again, I have connected by radio a secondary location where I have a router which segments the network into LAN and DMZ for DVRs. In which zone do I include it? Or do I create a new one? Thanks, Adrian
It will depend on the purpose of the network and your security architecture. You may think it is an INSIDE network, though it may be a DMZ to me. Really up to the organization.
@FortinetGuru Thanks, Mike! I also believe it's more like an INSIDE interface, as it's a secondary location which will go out to the internet having the same security policies.
How would you go about cleaning up an existing setup with tons of policies? I can't create zones yet because the interfaces are already used in policy.
When using central NAT, is it possible to define the NAT policy based on zones?
How is it possible to block by operating system or device? FortiOS 7
Depends on how they are connecting and what authentication / network access you are using on that connection method.
@FortinetGuru It's via WiFi; I don't want Android or iPhone devices to connect and I can't get it working. Thank you