alebay
Staff
September 10, 2018

Technical Tip: How to enable 'Block intra-zone traffic' for zone default mappings on FortiManager


Description

This article describes how to enable blocking of intra-zone traffic for the default mappings of zone objects on FortiManager. By default, traffic between members of a zone created through default mappings is allowed. Unless that is explicitly required, it is highly recommended to block it.


Solution

On FortiManager versions prior to v6.0.2 there is no GUI option for this setting (the screenshot below is from FortiManager v5.6.5):

Screenshot: intrazone-fmg-v5.png

To enable blocking of intra-zone traffic for default mappings, create a CLI script and run it on the Policy Package and ADOM Database:

Screenshot: new-script.png

The script enables the “defmap-intrazone-deny” setting on the dynamic interface object of the zone, in this case “Internal”.

Here’s the template for copy-paste:

config dynamic interface
edit <zone interface name>
set defmap-intrazone-deny enable
next
end

After the script has run, verify that the setting was applied with the following FortiManager CLI command:

exe fmpolicy print-adom-object <adom> "dynamic interface" <zone interface name>

For the example above, the output is:

Screenshot: fmg-script.png
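As an added example (not from the original article or from Fortinet), the following Python script builds the same "defmap-intrazone-deny" script for several zones at once and audits captured print-adom-object output for zones where intra-zone traffic is still allowed. The output layout the parser expects (the FortiOS-style config / edit / set / next / end form) and the sample output embedded in it are assumptions constructed for this example, not captured from a FortiManager.

```python
"""Build the FortiManager CLI script that enables defmap-intrazone-deny on
one or more zone objects, and audit captured 'print-adom-object' output
for zones where the setting is still missing or disabled.

Assumption: the audit parser expects the FortiOS-style
'config ... edit "<name>" ... set <key> <value> ... next ... end' layout.
The sample output below is constructed for this example."""
import re


def build_intrazone_deny_script(zone_names):
    """Return the CLI script (same template as the article, one 'edit'
    block per zone) that sets defmap-intrazone-deny enable on each zone."""
    if not zone_names:
        raise ValueError("at least one zone name is required")
    lines = ["config dynamic interface"]
    for name in zone_names:
        # Names are quoted in the generated script, so refuse anything that
        # would break the quoting or inject extra CLI lines.
        if '"' in name or "\n" in name or not name.strip():
            raise ValueError(f"unsupported zone name: {name!r}")
        lines += [f'edit "{name}"', "set defmap-intrazone-deny enable", "next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


def parse_dynamic_interfaces(output):
    """Parse 'config dynamic interface' style output into
    {zone name: {setting: value}} (quotes around values are stripped)."""
    zones = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.fullmatch(r'edit\s+"?([^"]+)"?', line)
        if m:
            current = m.group(1)
            zones[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.fullmatch(r"set\s+(\S+)\s+(.+)", line)
        if m and current is not None:
            zones[current][m.group(1)] = m.group(2).strip('"')
    return zones


def zones_allowing_intrazone(output):
    """Return sorted zone names whose default mapping still allows intra-zone
    traffic, i.e. defmap-intrazone-deny is absent (the default) or not 'enable'."""
    parsed = parse_dynamic_interfaces(output)
    return sorted(z for z, s in parsed.items()
                  if s.get("defmap-intrazone-deny", "disable") != "enable")


# Constructed sample of verification output for three zones; only "Internal"
# has been hardened by the script.
SAMPLE_OUTPUT = """\
config dynamic interface
    edit "Internal"
        set defmap-intrazone-deny enable
        set defmap-intf "port1"
    next
    edit "DMZ"
        set defmap-intf "port2"
    next
    edit "Guest"
        set defmap-intrazone-deny disable
        set defmap-intf "port3"
    next
end
"""

if __name__ == "__main__":
    print(build_intrazone_deny_script(["Internal", "DMZ"]))
    print("zones still allowing intra-zone traffic:",
          zones_allowing_intrazone(SAMPLE_OUTPUT))
```

Feed the audit function the text of the print-adom-object command for each zone (or the whole dynamic interface table) and re-run it after the script to confirm that the list of zones still allowing intra-zone traffic is empty.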

FortiManager v6.0.2 introduced a 'Block intra-zone traffic' checkbox in the GUI, so the script is no longer needed:

Screenshot: screen4.png