Can multiple interfaces be selected as incoming and outgoing interfaces for a FortiGate firewall policy?
A quick tip about interfaces on policies.
This one tripped me up so I thought it would be helpful to post about it...
Most of the time when we're creating firewall/security policies on a FortiGate, it's from the mindset of a single use case with a common source and destination. By default, the UI on the policy creation page only lets admins specify a single "incoming interface" and a single "outgoing interface". Yes, you could technically specify a Zone as an interface (which could be a grouping of interfaces), but even then the UI would still display it as a singular entry.
That said, there's an alternative: FortiGate has a UI option that lets you select multiple interfaces on each side of a policy. It's disabled by default but can be turned on via System (menu tab) -> Feature Visibility (sub-tab) -> Additional Features (column) -> Multiple Interface Policies (option).
It's also configurable in the CLI with the following:
config system settings
set gui-multiple-interface-policy enable
end
Nifty huh! Just be careful... a policy with several incoming and several outgoing interfaces matches every combination of them, so one broad policy can quietly permit flows you never intended, and it gets harder to audit and to carve out exceptions later. Depending on what you want to do with the policy and how you want to manage it moving forward, it might be better to keep policies unique and distinct. Also note that the setting above only changes what the GUI lets you pick: the CLI has always accepted multiple interfaces in "set srcintf" and "set dstintf" regardless of it, so a config you inherited may already contain such policies even if the option is off.
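To see what the option makes possible, and to find such policies on a box you didn't build, here is an added example (my own code, not from the original post and not anything Fortinet ships): a small Python script that parses the text printed by "show firewall policy" and flags every policy whose srcintf or dstintf lists more than one interface or uses the catch-all "any". The config embedded in it is constructed for this example; the interface names port1/port2/port3/wan1/wan2 and the policy names are made up, and the parser only handles the flat edit/set/next layout shown (nested config blocks inside a policy are not handled).

```python
"""Find FortiGate firewall policies that match more than one interface.

Added example, not code from the original post. Feed it the output of
`show firewall policy` (or a config backup); the sample below is
constructed for this example and was not captured from a real unit.
"""
import shlex

# Constructed sample in FortiOS CLI syntax. Policy 2 is the shape the
# "Multiple Interface Policies" GUI option lets you build; the CLI
# accepts this form whether or not the GUI option is enabled.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port1"
        set dstintf "wan1"
        set action accept
    next
    edit 2
        set name "multi-lan-to-multi-wan"
        set srcintf "port1" "port2" "port3"
        set dstintf "wan1" "wan2"
        set action accept
    next
    edit 3
        set name "deny-everything-else"
        set srcintf "any"
        set dstintf "any"
        set action deny
    next
end
"""


def parse_policies(config_text):
    """Parse the flat edit/set/next layout of `config firewall policy`.

    Returns {policy_id: {setting: [values...]}}. Interface names are
    quoted in FortiOS output, so shlex.split is used to unquote them.
    A zone shows up here as a single name, exactly as it does in the
    GUI, so zone membership is not expanded.
    """
    policies = {}
    current = None
    in_table = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_table = True
        elif not in_table:
            continue
        elif line.startswith("edit "):
            current = {}
            policies[int(line.split()[1])] = current
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)
            current[parts[1]] = parts[2:]
        elif line == "next":
            current = None
        elif line == "end":
            in_table = False
    return policies


def multi_interface_policies(policies):
    """Report policies whose match is broader than one in/out pair."""
    findings = []
    for pid, settings in sorted(policies.items()):
        src = settings.get("srcintf", [])
        dst = settings.get("dstintf", [])
        reasons = []
        if len(src) > 1:
            reasons.append(f"{len(src)} incoming interfaces")
        if len(dst) > 1:
            reasons.append(f"{len(dst)} outgoing interfaces")
        if "any" in src or "any" in dst:
            # "any" is a single name in the config but matches every interface
            reasons.append("uses the catch-all 'any' interface")
        if reasons:
            findings.append({
                "id": pid,
                "name": settings.get("name", [""])[0],
                "srcintf": src,
                "dstintf": dst,
                # distinct in/out interface pairs this one policy covers
                # (counting "any" as one name)
                "pairs": len(src) * len(dst),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in multi_interface_policies(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {f['id']} ({f['name']}): {f['pairs']} interface pair(s); "
              + "; ".join(f["reasons"]))
```

The "pairs" count is the thing to look at during a review: policy 2 above is one line in the GUI but covers six distinct incoming/outgoing combinations, which is exactly the case where splitting it into distinct policies can be the better call.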
For more information, check out the following resources:
