FortiGate Zones

When thinking about various firewall configurations, one of the most important items is high availability.  This means not only high availability of the physical hardware, where one firewall takes over for another in case of a failure, but also high availability for failing over Internet connections.  Most firewalls have enough ports built in to support two or more Internet connections, along with configuration options (routing, for example) to fail over a connection if one goes down.

When it comes to setting up firewall policies to allow traffic inbound and outbound, you would generally duplicate the firewall policies for each Internet connection.  So, you would have an “Internal to WAN1” policy as well as an “Internal to WAN2” policy, each connecting to a separate Internet connection, and use various configurations to support the actual failover.  The downside to a configuration like this is that you end up with a very large firewall policy list, which can become confusing and hard to manage.

For this reason, I really like using the Zones feature that Fortinet FortiGate firewalls offer.  Instead of referencing individual interfaces in a policy, you create Zones.  Zones are made up of one or more interfaces, which can be physical or virtual interfaces on the firewall appliance.  This greatly simplifies the creation of firewall policies and leaves you with a very clean configuration that is easy to understand.  When adding a Zone such as “Internet”, you would put your WAN interfaces in this Zone and create your firewall policy to allow “Internal to Internet”.  If you were to put your WAN1 and WAN2 interfaces in the Internet Zone, you would only have to create one firewall policy for this Zone instead of two.

As I said, this simplifies the configuration, allows for easier management, and will help with your failover of Internet connections.  If, as in this example, the WAN1 connection goes down, WAN2 will automatically take over and you don’t have to add or modify any firewall policies.  If you are using FortiGate firewalls or a similar product that supports Zones, I would recommend using them even if you currently have only one interface/Internet connection.  In the future, you can always add interfaces to the zone without having to add more policies.
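The configuration described above, written out in FortiOS CLI as an added example (not a configuration from the original post).  The interface names wan1, wan2 and internal, the gateway addresses, and the policy name are assumptions chosen for the example.

```fortios
# Added example: one "Internet" zone containing both WAN interfaces.
# Interface names and gateway addresses are assumed values.
config system zone
    edit "Internet"
        # Deny traffic between zone members (wan1 <-> wan2) unless a
        # policy explicitly allows it; keeps the zone from becoming a
        # hidden path between the two uplinks.
        set intrazone deny
        set interface "wan1" "wan2"
    next
end

# Primary and backup default routes; the lower administrative distance
# wins while wan1 is up, and the wan2 route takes over when it is removed.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
    next
end

# A single policy referencing the zone replaces the separate
# "Internal to WAN1" and "Internal to WAN2" policies.
config firewall policy
    edit 0
        set name "Internal-to-Internet"
        set srcintf "internal"
        set dstintf "Internet"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Because every policy that references the zone applies to all of its members, review the existing zone policies before adding a new interface to it, since that interface inherits them the moment it joins.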
