ipranger
New Member
July 18, 2021
Question

After setting ACLs, traffic is blocked from both VLANs, but it should not be

  • July 18, 2021
  • 1 reply
  • 5496 views

Hello all,

I have here a FortiSwitch 448E with firmware 7.0.1 in standalone mode. For security reasons I would like to configure ACLs on the switch for my DMZ VLAN. The ACLs work, but if I do that I can't access the DMZ VLAN anymore. So here is my configuration. What would I like to do, what is the goal? (Only one little example.)

Two VLANs: VLAN 10 internal and VLAN 20 DMZ

All traffic from VLAN 20 to VLAN 10 is to be blocked, except LDAP and DNS to the domain controller master server. So first I have set the allow rules, and after them the blocks.

 

config switch acl ingress
    edit 3
        config action
            set count enable
        end
        config classifier
            set dst-ip-prefix 172.16.66.1 255.255.255.255
            set service "UCS-LDAP"
            set src-ip-prefix 172.16.80.0 255.255.255.0
            set vlan-id 20
        end
        set description "Allow VLAN20 dmz to LDAP dc1 Master"
        set ingress-interface-all enable
    next
    edit 9
        config action
            set count enable
        end
        config classifier
            set dst-ip-prefix 172.16.66.1 255.255.255.255
            set service "DNS_TCP"
            set src-ip-prefix 172.16.80.0 255.255.255.0
            set vlan-id 20
        end
        set description "Allow VLAN20 dmz to DNS dc1 Master"
        set ingress-interface-all enable
    next
    edit 46
        config action
            set count enable
            set drop enable
        end
        config classifier
            set dst-ip-prefix 172.16.66.0 255.255.255.0
            set service "ALL"
            set vlan-id 20
        end
        set description "Block all Traffic from VLAN20 dmz to vlan10 internal"
        set ingress-interface-all enable
    next
end

These are virtual machines. All VLANs are tagged on the interfaces of the virtualization host. The communication works. But if I activate the block rule, I can no longer access VLAN 20 from VLAN 10. As it looks, the IP packets no longer find their way back. With the HP switch I had, there was the so-called "established" flag in the ACLs. But I found nothing comparable for the FortiSwitch.

https://techhub.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch10s05.html

Please help me to configure the example ACL correctly so that I can implement this point, which is essential for security.

Many thanks and best regards,
ipranger

    1 reply
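The failure described in the post, modelled as an added example that is not from the original thread or from Fortinet: a stateless, first-match ACL is evaluated over the three posted entries for both directions of a TCP connection, once with the entries exactly as posted and once with an HP-style "established" permit (match only TCP segments with the ACK bit set) placed before the drop. The port numbers behind the custom service objects UCS-LDAP and DNS_TCP are not shown in the post and are assumed here (tcp/389 and tcp/53); the model also assumes that lower IDs are evaluated first, as the post's numbering implies, and that traffic matching no entry is forwarded. The "established" entry reproduces the semantics of the HP documentation the post links to and is not FortiSwitch syntax. All hosts and packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed port definitions for the custom service objects named in the post
# (the post does not show them). "ALL" matches any protocol and port.
SERVICES = {
    "UCS-LDAP": ("tcp", 389),
    "DNS_TCP": ("tcp", 53),
    "ALL": (None, None),
}


@dataclass(frozen=True)
class Packet:
    vlan: int          # VLAN the frame arrives on (ingress ACL)
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    ack: bool = False  # TCP ACK bit; ignored for udp


@dataclass(frozen=True)
class Rule:
    rid: int
    vlan: int
    dst: str                      # destination prefix, e.g. "172.16.66.0/24"
    service: str                  # key into SERVICES
    src: Optional[str] = None     # source prefix, None = any
    drop: bool = False            # drop must be explicit; otherwise only counted
    established: bool = False     # HP-style "established": only TCP with ACK set

    def matches(self, p: Packet) -> bool:
        if p.vlan != self.vlan:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        proto, port = SERVICES[self.service]
        if proto is not None and (p.proto, p.dport) != (proto, port):
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(rules, p: Packet):
    """Stateless, first-match evaluation: lowest ID first (assumed from the
    post's numbering); a packet matching no entry is forwarded normally."""
    for r in sorted(rules, key=lambda r: r.rid):
        if r.matches(p):
            return ("drop" if r.drop else "permit", r.rid)
    return ("permit", None)


# The three entries from the post.
POSTED_RULES = [
    Rule(3, 20, "172.16.66.1/32", "UCS-LDAP", src="172.16.80.0/24"),
    Rule(9, 20, "172.16.66.1/32", "DNS_TCP", src="172.16.80.0/24"),
    Rule(46, 20, "172.16.66.0/24", "ALL", drop=True),
]

# Same entries plus an HP-style "established" permit placed before the drop.
ESTABLISHED_RULES = POSTED_RULES + [
    Rule(10, 20, "172.16.66.0/24", "ALL", src="172.16.80.0/24", established=True),
]

# Constructed traffic: 172.16.80.10 is a DMZ VM (VLAN 20), 172.16.66.50 an
# internal host (VLAN 10), 172.16.66.1 the domain controller from the post.
LDAP_FROM_DMZ = Packet(20, "172.16.80.10", "172.16.66.1", "tcp", 389)
SSH_FROM_INTERNAL = Packet(10, "172.16.66.50", "172.16.80.10", "tcp", 22)
SSH_REPLY_FROM_DMZ = Packet(20, "172.16.80.10", "172.16.66.50", "tcp", 51234, ack=True)
NEW_SYN_FROM_DMZ = Packet(20, "172.16.80.10", "172.16.66.50", "tcp", 22)
FORGED_ACK_FROM_DMZ = Packet(20, "172.16.80.10", "172.16.66.50", "tcp", 22, ack=True)


def main():
    cases = [
        ("LDAP query DMZ -> DC", LDAP_FROM_DMZ),
        ("SSH SYN internal -> DMZ (ingress VLAN 10)", SSH_FROM_INTERNAL),
        ("SSH SYN-ACK DMZ -> internal (ingress VLAN 20)", SSH_REPLY_FROM_DMZ),
        ("new SSH SYN DMZ -> internal", NEW_SYN_FROM_DMZ),
        ("forged ACK-only segment DMZ -> internal:22", FORGED_ACK_FROM_DMZ),
    ]
    for name, pkt in cases:
        posted = evaluate(POSTED_RULES, pkt)
        est = evaluate(ESTABLISHED_RULES, pkt)
        print(f"{name:48} posted={posted!s:16} established={est}")


if __name__ == "__main__":
    main()
```

Running it shows the symptom from the post: the SYN from VLAN 10 matches nothing and is forwarded, but the DMZ host's SYN-ACK arrives on VLAN 20 with a destination in 172.16.66.0/24 and is dropped by entry 46, so the handshake never completes. The "established" entry lets that reply through while a fresh SYN from the DMZ is still dropped. The last case is the caveat that comes with any flag-based rule: matching on the ACK bit is not connection tracking, so a crafted ACK-only segment from a compromised DMZ host passes the same entry, and UDP has no flag to key on at all, which is why stateless ACLs can only permit UDP return traffic by explicit per-service entries.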

    emnoc
    New Member
    July 19, 2021

    You do know you are using a /32 mask on the dst prefix,

    e.g.

    set dst-ip-prefix 172.16.66.1 255.255.255.255

    Is that a typo?

    Ken Felix

    ipranger (Author)
    New Member
    July 19, 2021

    It should be OK. Access to this one server. It is the domain master with LDAP and DNS. The target. Or am I misunderstanding something?