Using a zone with a policy as a concentrator
If you put all of the hub IPsec interfaces involved in the VPN into a zone, you can enable communication among all of the spokes and apply UTM features with just one security policy.
To create a zone for the VPN
1. Go to System > Network > Interfaces.
2. Select the down-arrow on the Create New button and select Zone.
3. In the Zone Name field, enter a name, such as Our_VPN_zone.
4. Select Block intra-zone traffic.
5. In the Interface Members list, select the IPsec interfaces that are part of your VPN.
6. Select OK.
To create a security policy for the zone
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following settings and select OK.
   Incoming Interface: Select the zone you created for your VPN.
   Source Address: Select All.
   Outgoing Interface: Select the zone you created for your VPN.
   Destination Address: Select All.
   Action: Select ACCEPT.
   Enable NAT: Enable.
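The following Python example is added here and is not part of the Fortinet documentation. It audits a configuration excerpt for the result of the two procedures above: a zone that blocks intra-zone traffic, plus one ACCEPT policy from the zone to itself with NAT enabled. The sample excerpt, the interface names toSpoke1 and toSpoke2, policy ID 7 and the function names are constructed for illustration; the parser handles only flat config/edit/set blocks and assumes that a missing intrazone line means the default, deny.

```python
import shlex
# Constructed sample: excerpt in the style of a FortiOS configuration backup.
SAMPLE_CONFIG = '''
config system zone
    edit "Our_VPN_zone"
        set intrazone deny
        set interface "toSpoke1" "toSpoke2"
    next
end
config firewall policy
    edit 7
        set srcintf "Our_VPN_zone"
        set dstintf "Our_VPN_zone"
        set action accept
        set nat enable
    next
end
'''

def parse_sections(text):
    """Parse flat config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":
            section = sections.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = None
    return sections

def audit_zone(text, zone):
    """Return deviations from the zone-as-concentrator setup for `zone`."""
    cfg = parse_sections(text)
    z = cfg.get("system zone", {}).get(zone)
    if z is None:
        return ["zone is not defined"]
    # Policies that permit traffic from the zone back into the same zone.
    hits = [p for p in cfg.get("firewall policy", {}).values()
            if p.get("srcintf") == p.get("dstintf") == [zone]
            and p.get("action") == ["accept"]]
    checks = [  # Assumption: an absent intrazone setting means deny.
        (z.get("intrazone", ["deny"]) == ["deny"], "intra-zone traffic is not blocked"),
        (bool(hits), "no ACCEPT policy from the zone to itself"),
        (all(p.get("nat") == ["enable"] for p in hits), "zone policy does not enable NAT"),
    ]
    return [msg for ok, msg in checks if not ok]
```

An empty list from audit_zone(SAMPLE_CONFIG, "Our_VPN_zone") means the excerpt matches the setup; a zone with intra-zone traffic allowed would let spoke-to-spoke traffic bypass the single policy and its UTM features.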