Using zones to simplify firewall policies

This cookbook recipe shows how grouping multiple interfaces into a zone can simplify firewall policies. In this example, we create VLAN10, VLAN20, and VLAN30 and add them to a zone called the “LAN Zone.” Instead of having to reference all three interfaces separately as the source interface in our firewall policy, we can use the single zone object.

Zones can also group many other kinds of interfaces in addition to VLANs, such as physical ports or IPsec tunnels.

1. Creating the VLAN interfaces

Go to Network > Interfaces and select Create New > Interface.

Create the VLAN interface for VLAN ID 10 and enable the DHCP server option.

Create the VLAN interface for VLAN ID 20 and enable the DHCP server option.

Create the VLAN interface for VLAN ID 30 and enable the DHCP server option.

2. Creating the zone

Under Network > Interfaces, select Create New > Zone, name the zone LAN Zone, and add the newly created VLANs to the zone.

Leave Block intra-zone traffic enabled to prevent communication between the VLAN interfaces.

3. Creating a firewall policy for the zone

Navigate to Policy & Objects > IPv4 Policy and create a firewall policy allowing any VLAN in the “LAN Zone” to access the Internet.

Select the security profiles you need, with best practices and business requirements in mind.

Users from VLAN10, VLAN20, or VLAN30 will now have Internet access.

As new VLANs are added in the future, they can be added to “LAN Zone” without having to modify the firewall policy we created in Step 3.

For further reading, check out Zones in the FortiOS 5.6 Handbook.

Interfaces that are already used in firewall policies cannot be added to a zone.