This article describes how to replace interfaces with zones in firewall policies on a FortiGate managed by FortiManager, with minimal (or no) impact on the production environment.
Scope
FortiManager, FortiGate.
Solution
- Create a new zone (say, ‘test-zone’) without adding the required member interface (say, port1) to it.
- Create a relevant normalized interface for the zone, and map it to the zone.
- Replace port1 with the newly created zone in Policy & Objects.
- Use a TCL script to temporarily replace ‘port1’ with another (dummy) interface, say ‘port2’, in the firewall policies in the Device Database.
- In the Device Database, add the required member interface (in this case ‘port1’) to the zone (in this case ‘test-zone’).
- Use the TCL script again to replace the dummy interface (port2) with ‘test-zone’ in the firewall policies in the Device Database.
- Use the Install Wizard to push the Policy Package to the FortiGate.
Checking the policies on the FortiGate shows that port1 is used in two policies.
Go to Device Manager -> Device & Groups -> Managed FortiGate, select the FortiGate -> Network -> Interfaces, and select Create New -> Device Zone.
Create the zone without setting any members.
Right-click the newly created zone and select Edit Interface Map.
From the dropdown either select an existing normalized interface or select the ‘+’ option to create a new normalized interface for mapping.
Create a new normalized interface ‘test-zone’, and select OK to save.
Select the newly created normalized interface to map to the device interface ‘test-zone’, and select OK to save.
Create a new normalized interface in FortiManager, which will be used to map to the zone.
Go to FortiManager -> Policy & Objects -> Normalized Interface and select ‘Create New’.
Device Interface now shows the mapping.
Go to Policy & Objects -> Policy Packages, select the policy package of the FortiGate -> Firewall Policy, select the interface to be replaced with a zone, in this case, port1, ‘right-click’ and select Find and Replace.
It shows that port1 is being used in two policies, select the policies and under Replace select the newly created normalized interface for the zone ‘test-zone’ and select Replace.
Port1 has been replaced with ‘test-zone’ in the policy package.
Note: At this point the test-zone still does not have any member interface. The required interface ‘port1’ is still used in policies in the Device Database.
Trying to add the interface member to the zone in the device database at this stage will give the below error.
'system/zone/test-zone/ : port1 interface is used in a policy as a srcintf or dstintf and cannot be a zone member'
Replace port1 with port2 using the TCL script. Follow the initial steps in this article to enable and run TCL scripts in FortiManager: Technical Tip: How to use TCL script…existing route.
Go to Device Manager -> Scripts, select type TCL Script, and select ‘Create New’.
Create the following Tcl script:
# Define the procedure to execute commands
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# "]
}
#
# Define the interface to change and the new interface
set intftochange "port1"
set intfchangewith "port2"
#
# Set the name of the FortiGate to make change on device database
set fgt "FGT-A"
#
# Execute command to get system status
set status [exec "get system status\n" "# " 15]
#
# Check if VDOM is disabled
if {[regexp {Virtual domain configuration: disable} $status]} {
    set vdom_enabled false
} else {
    set vdom_enabled true
}
#
# Define the VDOM if enabled
if {$vdom_enabled} {
    set vdom "root"
}
#
# Print interface information
#
puts "FortiGate: $fgt"
if {$vdom_enabled} {
    puts "VDOM: $vdom"
}
puts "Interface to change: $intftochange"
puts "Interface to change with: $intfchangewith"
#
#
# Enter VDOM if it is enabled
if {$vdom_enabled} {
    do_cmd "config vdom"
    do_cmd "edit $vdom"
}
#
# Iterate through firewall policies. This part is read-only: 'show firewall policy'
# is run on the FortiGate and only the IDs of policies using $intftochange are collected.
#
foreach line1 [split [exec "show firewall policy\n" "# "] \n] {
    if {[regexp {edit[ ]+([0-9]+)} $line1 match policyid]} {
        continue
    }
    # Check source interface
    if {[regexp "set (srcintf) \"$intftochange\"" $line1 match key1 value1]} {
        lappend policysrc($policyid) "$key1 $value1"
    }
    # Check destination interface
    if {[regexp "set (dstintf) \"$intftochange\"" $line1 match key2 value2]} {
        lappend policydst($policyid) "$key2 $value2"
    }
}
# Exit vdom if vdoms are enabled
if {$vdom_enabled} {
    do_cmd "end"
}
###
### For FortiGates with vdom enabled.
###
# Note: the exec_ondb path below assumes the FortiGate is in the ADOM named 'root';
# adjust '/adom/root/device/$fgt' if the device is in another ADOM. Also note that
# 'set srcintf'/'set dstintf' replaces the whole interface list of the policy with
# $intfchangewith, so policies with several source/destination interfaces need care.
if {$vdom_enabled} {
    # Modify source interfaces on FMG Device Database
    foreach policyid [array names policysrc] {
        puts [exec_ondb "/adom/root/device/$fgt" "
            config vdom
            edit $vdom
            config firewall policy
            edit $policyid
            set srcintf $intfchangewith
            next
            end
            end
        " "# "]
    }
    #
    # Modify destination interfaces on FMG Device Database
    foreach policyid [array names policydst] {
        puts [exec_ondb "/adom/root/device/$fgt" "
            config vdom
            edit $vdom
            config firewall policy
            edit $policyid
            set dstintf $intfchangewith
            next
            end
            end
        " "# "]
    }
} else {
    ###
    ### For FortiGates with vdom disabled.
    ###
    # Modify source interfaces on FMG Device Database
    foreach policyid [array names policysrc] {
        puts [exec_ondb "/adom/root/device/$fgt" "
            config firewall policy
            edit $policyid
            set srcintf $intfchangewith
            next
            end
        " "# "]
    }
    #
    # Modify destination interfaces on FMG Device Database
    foreach policyid [array names policydst] {
        puts [exec_ondb "/adom/root/device/$fgt" "
            config firewall policy
            edit $policyid
            set dstintf $intfchangewith
            next
            end
        " "# "]
    }
}
Note: Make sure to change the variables ‘intftochange’, ‘intfchangewith’, and ‘fgt’ on lines 7, 8 and 11 according to requirements.
For FortiGates with VDOMs also make sure to change the variable ‘vdom’ on line 25.
The script can only be run on a single FortiGate (or VDOM) at a time.
The TCL script does not make any change on the FortiGate itself: it fetches information from the FortiGate and makes the change only in the FortiGate’s Device Database in FortiManager (see: Use the Tcl script to access FortiManager’s device database or ADOM database).
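As an added dry-run check (not part of the original article or its script), the following Python reproduces the script’s policy selection offline over constructed ‘show firewall policy’ output and renders the Device Database CLI blocks the script would push. It goes one step further than the script: where a policy has several source or destination interfaces, it keeps the other members alongside the replacement and reports them, since a bare ‘set srcintf $intfchangewith’ would drop them. The sample output, policy IDs and interface names are constructed.

```python
import re
# Constructed sample of 'show firewall policy' output (not from a real device).
SAMPLE_SHOW_OUTPUT = """config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port3"
    next
    edit 2
        set srcintf "port3"
        set dstintf "port1" "port4"
    next
    edit 3
        set srcintf "port10"
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+(\d+)\s*$')
INTF_RE = re.compile(r'^\s*set (srcintf|dstintf)((?:\s+"[^"]*")+)\s*$')

def find_policies_using(show_output, intf):
    """Map policy id -> {srcintf/dstintf: member list} for each policy listing intf."""
    hits, policyid = {}, None
    for line in show_output.splitlines():
        if m := EDIT_RE.match(line):
            policyid = int(m.group(1))
            continue
        if (m := INTF_RE.match(line)) and policyid is not None:
            key, members = m.group(1), re.findall(r'"([^"]*)"', m.group(2))
            if intf in members:  # exact match, so "port10" does not match "port1"
                hits.setdefault(policyid, {})[key] = members
    return hits

def render_ondb_cli(hits, old_intf, new_intf, vdom=None):
    """One Device Database CLI block per policy, shaped like the article's exec_ondb calls."""
    blocks, warnings = [], []
    for policyid in sorted(hits):
        lines = ["config vdom", f"edit {vdom}"] if vdom else []
        lines += ["config firewall policy", f"edit {policyid}"]
        for key, members in sorted(hits[policyid].items()):
            others = [m for m in members if m != old_intf]
            if others:  # a bare 'set <key> <new_intf>' would silently drop these
                warnings.append(f"policy {policyid}: {key} also contains {others}")
            replaced = [new_intf if m == old_intf else m for m in members]
            lines.append(f"set {key} " + " ".join(f'"{m}"' for m in replaced))
        lines += ["next", "end"] + (["end"] if vdom else [])
        blocks.append("\n".join(lines))
    return blocks, warnings
```

Run it once with the dummy interface and once with the zone name to preview both passes before touching the Device Database.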
Before running the script, make sure the FortiGate ‘Config Status’ is in sync with FortiManager (Technical Tip: How to fix synchronization issue in FortiManager).
After the script is run successfully, select ‘View Details’, select the ‘View Script Execution History’ icon: it shows the changes made on policies in the Device Database.
Go to Device Manager -> Device & Groups -> Managed FortiGate, select the FortiGate -> Network -> Interfaces, select the zone ‘test-zone’ -> Edit -> Interface Member, and add ‘port1’.
In the TCL script set the variable ‘intfchangewith’ to ‘test-zone’ on line 8 (DO NOT change variable ‘intftochange’).
Run the script again to update policies on the Device Database.
Changes can be verified from Device Database -> CLI Configurations: search for ‘policy’ and, under firewall -> policy, select the policy shown in the script output.
Use ‘Install Wizard’ to push the changes to the FortiGate: Installing policy packages and device settings.
The ‘Install Preview’ shows the creation of the ‘test-zone’ and setting it on policies.
Installation successful.
Check the policies on the FortiGate: test-zone (with member port1) is now set in the policies.