Fortigate Zones vs Interfaces

26th April 2023

Fortigate v7.0+ (?) allows for Zones. I usually call my zones Public and Private. Then I can add interfaces to those zones, i.e. add the WAN interface to the Public zone.
When moving to a new ISP you can set up and test the new connection on WAN2, then add WAN2 to the Public zone. During a maintenance window you can then add WAN1 to the Public zone as well, which applies all your existing policies to BOTH WAN ports.
If you have multiple WAN connections in a zone, they need to have the same route weight, or replies will be routed out the “lightest” interface, and firewalls don’t like asymmetric routing.

PROs:
Simplified rules: if you have multiple WAN interfaces online, your rules can point to a zone, so a single rule allows traffic through any interface in that zone, avoiding redundant rules.

CONs:
VPNs are still linked to an interface, and each interface has its own IP. So if the IP named as your VPN target goes down, your VPN is down, unless you created redundant VPNs to each interface. (FortiOS 7.0)

When you get to the interfaces of a VPN, you are FORCED to use zones! An interface is no longer available for selection once it is a member of a zone.

You can’t convert a hardware switch to a zone.
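Both CONs above come down to one rule: once an interface is a zone member, every policy and every route has to be thought of per zone. The following Python script is an added example, not part of the post and not Fortinet code. It embeds a constructed FortiOS CLI fragment (a Public zone holding wan1 and wan2, two default routes, and two policies) and runs two checks over it: that all default routes leaving one zone carry the same distance and priority (the post's "route weight" is taken here to mean those two static-route values, which is an assumption), and that no policy still names a member interface directly instead of its zone. The default distance of 10 and priority of 0 used for routes that do not set them are also assumptions about FortiOS defaults; the parser handles only the flat `config / edit / set / next / end` shape shown in the sample.

```python
import shlex
from collections import defaultdict

# Constructed FortiOS CLI fragment (assumption: not from the post or a real box).
# wan1 and wan2 sit in zone "Public", the two default routes deliberately
# disagree on distance, and policy 2 still names interfaces instead of zones.
SAMPLE_CONFIG = """
config system zone
    edit "Public"
        set intrazone deny
        set interface "wan1" "wan2"
    next
    edit "Private"
        set interface "internal"
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
        set priority 1
    next
end
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "Private"
        set dstintf "Public"
        set action accept
    next
    edit 2
        set name "Legacy-wan1-rule"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
end
"""


def parse_fortios(text):
    """Return {section: {entry_id: {key: [values]}}} for a flat CLI dump.

    Only one level of 'config <section>' / 'edit <id>' / 'set k v...' / 'next' /
    'end' is understood, which is enough for zones, static routes and policies.
    """
    sections = defaultdict(dict)
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[len("set "):].partition(" ")
            sections[section][entry][key] = shlex.split(rest)  # strips quotes
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return sections


def zone_members(cfg):
    """Map each interface that has been placed in a zone to its zone name."""
    return {iface: zone
            for zone, attrs in cfg.get("system zone", {}).items()
            for iface in attrs.get("interface", [])}


def check_route_metrics(cfg):
    """Zones whose member interfaces carry routes to the same destination with
    unequal distance/priority: replies would then leave via one interface only."""
    member_of = zone_members(cfg)
    metrics = defaultdict(set)
    for attrs in cfg.get("router static", {}).values():
        zone = member_of.get(attrs.get("device", [None])[0])
        if zone is None:
            continue  # route leaves via an interface that is not in any zone
        dst = attrs.get("dst", ["0.0.0.0/0"])[0]
        distance = attrs.get("distance", ["10"])[0]   # assumed FortiOS default
        priority = attrs.get("priority", ["0"])[0]    # assumed FortiOS default
        metrics[(zone, dst)].add((distance, priority))
    return sorted({zone for (zone, _), seen in metrics.items() if len(seen) > 1})


def check_policy_interfaces(cfg):
    """Policies that name a zone member interface directly; the zone name must
    be used instead once the interface is in a zone."""
    member_of = zone_members(cfg)
    findings = []
    for pid, attrs in cfg.get("firewall policy", {}).items():
        for key in ("srcintf", "dstintf"):
            for iface in attrs.get(key, []):
                if iface in member_of:
                    findings.append((pid, key, iface, member_of[iface]))
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("zones with unequal route metrics:", check_route_metrics(cfg))
    for pid, key, iface, zone in check_policy_interfaces(cfg):
        print(f"policy {pid}: {key} {iface!r} should reference zone {zone!r}")
```

Run it against a `show` dump of your own configuration instead of `SAMPLE_CONFIG` before the maintenance window: the first check catches the asymmetric-routing trap from the CONs, and the second lists every legacy rule that still has to be moved from an interface to its zone.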

Conclusion:
The ideal time to switch to zones and simplify your config is during an ISP change.
Always back up your config!
Set up an old Fortigate to practice on if you have VPNs, as that part is a little inconsistent.