Firewall configuration Default firewall configuration
FortiGate-4000 Installation and Configuration Guide 193
VLAN subinterfaces
You can also add VLAN subinterfaces to the FortiGate configuration to control
connections between VLANs. For more information about VLANs, see “VLANs in
NAT/Route mode” on page 151 or “Virtual domains in Transparent mode” on
page 153.
To add policies that include VLAN subinterfaces, you must use the following steps to
add the VLAN subinterfaces to the firewall policy grid:
1 Add VLAN subinterfaces to the FortiGate configuration.
2 Add firewall addresses for the VLAN subinterface.
See “Adding addresses” on page 202.
Zones
You can add zones to the FortiGate configuration to group together related interfaces
and VLAN subinterfaces to simplify firewall policy creation. For more information
about zones, see “Configuring zones” on page 141.
To add policies for zones, you must use the following steps to add the zones to the
firewall policy grid:
1 Add zones to the FortiGate configuration.
See “Adding zones” on page 142.
2 Add interfaces and VLAN subinterfaces to the zone.
See “Adding an interface to a zone” on page 143.
3 Add firewall addresses for the zone.
See “Adding addresses” on page 202.
Addresses
To add policies between interfaces, VLAN subinterfaces and zones, the firewall
configuration must contain addresses for each interface, VLAN subinterface, or zone.
By default the firewall configuration includes the addresses listed in Table 45.
The firewall uses these addresses to match the source and destination addresses of
packets received by the firewall. The default policy matches all connections from the
internal network because it includes the Internal_All address. The default policy also
matches all connections to the Internet because it includes the External_All address.
You can add more addresses to each interface to improve the control you have over
connections through the firewall. For more information about addresses, see
“Addresses” on page 202.
Table 45: Default addresses

Interface   Address        Description
Internal    Internal_All   This address matches all addresses on the internal network.
External    External_All   This address matches all addresses on the external network.
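The following Python model is added here and is not part of the Fortinet guide; it shows how the policy grid described above resolves a packet: the receiving and sending interface or VLAN subinterface is mapped to its zone, then the policies for that grid cell are checked against the addresses defined for those interfaces or zones. Internal_All and External_All are the defaults from Table 45; the DMZ_zone, the Finance_LAN and Web_servers addresses, the VLAN subinterface internal.100 and the deny policy are constructed to show how an added, narrower address gives finer control than the default policy alone.

```python
from ipaddress import ip_address, ip_network

# Zones group interfaces and VLAN subinterfaces (constructed sample topology):
# the physical dmz port and VLAN 100 on the internal port form one zone.
ZONES = {
    "DMZ_zone": {"dmz", "internal.100"},
}

def zone_of(iface):
    """Return the zone of an interface or VLAN subinterface, or the interface itself if not zoned."""
    for zone, members in ZONES.items():
        if iface in members:
            return zone
    return iface

# Firewall addresses: name -> (interface or zone the address was added for, subnet).
# Internal_All and External_All are the defaults from Table 45; the rest are constructed.
ADDRESSES = {
    "Internal_All": ("internal", ip_network("0.0.0.0/0")),
    "External_All": ("external", ip_network("0.0.0.0/0")),
    "Finance_LAN":  ("internal", ip_network("192.168.10.0/24")),
    "Web_servers":  ("DMZ_zone", ip_network("10.10.1.0/24")),
}

# Policies in the grid, evaluated top to bottom; the first match wins.
# (source interface/zone, source address, destination interface/zone, destination address, action)
POLICIES = [
    ("internal", "Finance_LAN",  "external", "External_All", "deny"),    # constructed: blocks one subnet
    ("internal", "Internal_All", "external", "External_All", "accept"),  # the default policy from the page
    ("internal", "Internal_All", "DMZ_zone", "Web_servers",  "accept"),  # constructed: zone as destination
]

def match_policy(in_iface, src_ip, out_iface, dst_ip):
    """Return the action of the first policy matching a packet, or "deny" when no policy matches."""
    src_zone, dst_zone = zone_of(in_iface), zone_of(out_iface)
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for s_zone, s_name, d_zone, d_name, action in POLICIES:
        if (s_zone, d_zone) != (src_zone, dst_zone):
            continue  # policy sits in a different cell of the grid
        s_owner, s_net = ADDRESSES[s_name]
        d_owner, d_net = ADDRESSES[d_name]
        # an address only applies in the grid cell of the interface or zone it was added for
        if s_owner != src_zone or d_owner != dst_zone:
            continue
        if src in s_net and dst in d_net:
            return action
    return "deny"  # model assumption: unmatched traffic is dropped
```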