Zones are a group of one or more physical or virtual FortiGate interfaces that you can apply security policies to control inbound and outbound traffic. Grouping interfaces and VLAN subinterfaces into zones simplifies the creation of security policies where a number of network segments can use the same policy settings and protection profiles.

When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Each interface still has its own address. Routing is still done between interfaces, that is, routing is not affected by zones. You can use security policies to control the flow of intra-zone traffic.

For example, in the sample configuration below, the network includes three separate groups of users representing different entities on the company network. While each group has its own set of ports and VLANs in each area, they can all use the same security policy and protection profiles to access the Internet. Rather than the administrator making nine separate security policies, he can make administration simpler by adding the required interfaces to a zone and creating three policies.

Sample configuration

You can configure policies for connections to and from a zone but not between interfaces in a zone. For this example, you can create a security policy to go between zone 1 and zone 3, but not between WAN2 and WAN1, or WAN1 and DMZ1.

To create a zone in the GUI:
  1. Go to Network > Interfaces.
  2. Note

    If VDOMs are enabled, go to the VDOM to create a zone.

  3. Click Create New > Zone.
  4. Configure the Name and add the Interface Members.
  5. Enable or disable Block intra-zone traffic as required.
  6. Click OK.
To configure a zone to include the internal interface and a VLAN using the CLI:
config system zone
    edit zone_1
        set interface internal VLAN_1
        set intrazone {deny | allow}

Using zone in a firewall policy

To configure a firewall policy to allow any interface to access the Internet using the CLI:
config firewall policy
    edit 2
        set name "2"
        set srcintf "Zone_1"
        set dstintf "port15"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable

Intra-zone traffi