You can add zones to the FortiGate configuration to group together related interfaces
and VLAN subinterfaces to simplify firewall policy creation. For more information
about zones, see

“Configuring zones” on page 141

To add policies for zones, you must use the following steps to add the zones to the
firewall policy grid:

Add zones to the FortiGate configuration.
See

“Adding zones” on page 142

Add interfaces and VLAN subinterfaces to the zone.
See

“Adding an interface to a zone” on page 143

Add firewall addresses for the zone.
See

“Adding addresses” on page 202

Addresses

To add policies between interfaces, VLAN subinterfaces and zones, the firewall
configuration must contain addresses for each interface, VLAN subinterface, or zone.
By default the firewall configuration includes the addresses listed in

Table 45

The firewall uses these addresses to match the source and destination addresses of
packets received by the firewall. The default policy matches all connections from the
internal network because it includes the Internal_All address. The default policy also
matches all connections to the Internet because it includes the External_All address.

You can add more addresses to each interface to improve the control you have over
connections through the firewall. For more information about addresses, see

“Addresses” on page 202

Table 45: Default addresses

Interface Address

Description

Internal

Internal_All This address matches all addresses on the internal network.

External

External_All This address matches all addresses on the external network.