Handbook 6.0.0

Zones

A zone is a group of one or more FortiGate interfaces, both physical and virtual, to which you can apply security policies to control inbound and outbound traffic. Grouping interfaces and VLAN subinterfaces into zones simplifies the creation of security policies where a number of network segments can use the same policy settings and protection profiles. When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Each interface still has its own address, and routing is still done between interfaces; that is, routing is not affected by zones. You can create security policies to control the flow of intra-zone traffic.

For example, the network includes three separate groups of users representing different entities on the company network. While each group has its own set of ports and VLANs in its own area, all of them can use the same security policy and protection profiles to access the Internet. Rather than creating nine separate security policies, an administrator can add the required interfaces to a zone and create three policies, making administration simpler.

You can configure policies for connections to and from a zone, but not between interfaces in a zone.

The following example shows how to set up a zone to include the internal interface and a VLAN.

To create a zone - GUI:
  1. Go to Network > Interfaces.
  2. Select the arrow on the Create New button and select Zone.
  3. Enter a zone name of Zone_1.
  4. Select the required Interface Members.
  5. Select OK.
To create a zone - CLI:

  config system zone
      edit Zone_1
          set interface internal VLAN_1
      next
  end
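The three-group case described above, carried through as a constructed configuration (added here; it is not part of the handbook page): three zones, each holding one group's ports and VLAN subinterface, and one outbound policy per zone. The interface names (port2 to port7, VLAN_10 to VLAN_30, wan1), the zone names, the policy IDs and the profile names are assumptions.

```fortios
# Constructed example; interface, zone, and profile names are assumed.
# Each zone groups one user group's ports and VLAN subinterface.
# intrazone deny (the FortiOS default) keeps member interfaces isolated
# from each other until a policy from the zone to itself permits it.
config system zone
    edit "Zone_Sales"
        set intrazone deny
        set interface "port2" "port3" "VLAN_10"
    next
    edit "Zone_Eng"
        set intrazone deny
        set interface "port4" "port5" "VLAN_20"
    next
    edit "Zone_Guest"
        set intrazone deny
        set interface "port6" "port7" "VLAN_30"
    next
end

# One outbound policy per zone replaces one policy per member interface:
# three policies instead of nine, all sharing the same protection profiles.
config firewall policy
    edit 10
        set name "Sales-to-Internet"
        set srcintf "Zone_Sales"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
    # Policies 11 and 12 repeat this block for "Zone_Eng" and "Zone_Guest",
    # changing only the name and srcintf; member interfaces are not
    # referenced directly in policies once they belong to a zone.
end
```

Logging all traffic on the per-zone policy means a single policy ID identifies each group in the traffic log, which makes it easier to spot a segment that starts behaving differently from the others.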