Modify existing interface-zone mapping
Interfaces mapped to a zone locally on FortiGate devices are not visible in Device Manager on FortiManager. It is recommended to create objects in FortiManager instead of creating it on FortiGate devices locally. If an interface is already mapped to a zone in FortiGate, it must be unmapped first. A zone must be created in FortiManager, added to a policy and installed to FortiGate. For convenience and ease of use, it is better to manage Object Configuration and Interface Mapping from FortiManager.
If an Interface is mapped to a Zone in FortiGate:
-
Log on to the FortiGate device.
-
Delete the Interface/Zone mapping from Interfaces > [Interface_Name] > Delete.
-
Log on to FortiManager.
-
Create a device zone named Zone_One, and map it to a physical interface:
-
Go to Device Manager > Device & Groups.
-
In the tree menu, select a device group. The devices are displayed in the lower tree menu.
-
In the lower tree menu, double-click a device. The device database is displayed.
-
Go to Network > Interfaces.
-
Click Create New > Device Zone.
-
In the Zone Name box type, Zone_One.
-
Click the Interface Member box, select one or more physical interfaces, and click OK. The device zone is created.
-
-
Map the device zone to a normalized interface:
-
Go to Policy & Objects > Normalized Interface.
-
Click Create New. The Create New Normalized Interface pane is displayed.
-
In the Name box, type a name for the normalized interface.
-
Under Per-Device Mapping, click Create New. The Per-Mapping dialog box is displayed.
-
In the Mapped Device list, select the device.
-
In the Mapped Interface Name select the device zone that you created, and click OK. The per-device mapping is created.
-
Click OK. The normalized interface is created and mapped to the device zone.
-
-
Create a new policy package named New_Policy_Package.
-
Go to Policy & Objects > Policy Packages.
-
From the Policy Package menu, select New.
-
In the Name box, type a name for the policy package, such as New_Policy_Package.
-
Set the remaining options, and click OK. The policy package named New_Policy_Package is created.
-
-
Create a new policy for the policy package, and select the device zone.
-
In the tree menu, select the new policy package, for example, the policy package named New_Policy_Package, and click Create New. The Create New Firewall Policy pane is displayed.
-
In the Name box, type a name, such as New_IPv4_Policy.
-
Include Zone_One in the policy, and click OK. The policy is saved.
-
-
Assign the policy package to the device:
-
In the tree menu, expand New_Policy_Package, and click Installation Targets.
-
Click Edit, select the FortiGate, and click OK.
-
-
Install the policy package to the FortiGate:
-
Right-click New_Policy_Package, and select Install Wizard.
-
Select Install Policy Package & Device Settings, and select the New_Policy_Package from the drop-down.
-
Complete the installation as per the Install Wizard.
Zone_One is now available on the FortiGate device and mapped.
-
A zone is installed to a FortiGate device only if it is created, mapped to an interface, included in the Policy Package, assigned to a device, and installed using the Install Wizard. |
An interface cannot be reused if it is already mapped to a zone. To reuse an interface, first unmap it from the zone in Object Configurations, and then reinstall to the FortiGate device. |
After a Virtual IP is created, it must be mapped to interfaces. If per-device mapping is used, the mapping will be visible immediately in Device Manager > [ Device_Name] > Interface. |