StangelmayerIT
Visitor III
January 11, 2022
Question

Block intra network traffic

  • January 11, 2022
  • 1 reply
  • 10734 views

Hello,

I have the following issue.

We are using a Fortigate 500E and our interface port 5 is configured as DMZ.

We want to block the intra-DMZ traffic between the servers with a few exceptions.

I found the VLAN restriction using the CLI command switch-controller-access-vlan but the DMZ is an interface, not a VLAN.

How can we do this?

Thanks in advance and best regards,

Dominik Gronau

1 reply

akristof
Staff
January 12, 2022

Hello,

Thank you for your question. If you want to block only traffic between servers that are in the same network as DMZ interface port5, you will not be. Because in that case the traffic between the servers stays in the local LAN and never reaches the FortiGate.

If you have multiple DMZ interfaces and you want to block this traffic (port5 to port6 for example), then a normal IPv4 firewall policy will do the trick.

StangelmayerIT
Visitor III
January 12, 2022

Hello Adrian,

Thanks for your response. That's what I thought; my hope was that there is a possibility like the internal blocking of VLAN clients.

Best regards,

Dominik Gronau

akristof
Staff
January 12, 2022

Hello,

I am still not sure which scenario you have. If the first, where you want to block traffic on the same subnet, then the FortiGate is not able to block traffic that it doesn't see. Only if you force all traffic to traverse the FortiGate can you play with it. But you would need to do some subnet splitting, multiple subnets, etc., which is usually not wanted.
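The two replies above describe the same design: put the DMZ servers on separate FortiGate interfaces and subnets so the firewall actually sees their traffic, then use ordinary IPv4 policies with a narrow allow above a broad deny. The FortiOS CLI configuration below is an added illustration of that design, not configuration posted by either participant. Only the interface names port5 and port6 come from the thread; the subnets, host addresses, object names and the HTTPS-only exception are constructed placeholders, and the exact syntax should be checked against the FortiOS release in use.

```fortios
# Added example, not from the thread. Two DMZ servers are placed on
# separate interfaces/subnets so that every packet between them crosses
# the FortiGate. All addresses and object names below are constructed.

# Split the DMZ into two subnets, one per interface (constructed ranges).
config system interface
    edit "port5"
        set alias "DMZ-web"
        set ip 10.10.5.1 255.255.255.0
        set allowaccess ping
    next
    edit "port6"
        set alias "DMZ-db"
        set ip 10.10.6.1 255.255.255.0
        set allowaccess ping
    next
end

# Address objects for the one pair of hosts that is allowed to talk.
config firewall address
    edit "web01"
        set subnet 10.10.5.10 255.255.255.255
    next
    edit "db01"
        set subnet 10.10.6.10 255.255.255.255
    next
end

# Policies are evaluated top-down and the first match wins, so the narrow
# exception must be created before the broad deny. Sessions are stateful:
# reply packets of an accepted session need no reverse-direction policy.
config firewall policy
    edit 0
        set name "dmz-web-to-db-https"
        set srcintf "port5"
        set dstintf "port6"
        set srcaddr "web01"
        set dstaddr "db01"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 0
        set name "dmz-deny-port5-to-port6"
        set srcintf "port5"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "dmz-deny-port6-to-port5"
        set srcintf "port6"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The FortiGate's implicit deny would already drop the unmatched traffic, so the two explicit deny policies exist only to give you a log entry for every blocked cross-DMZ attempt, which is what you want when reviewing what the servers are trying to reach. After committing, `show firewall policy` confirms the order of the three policies; if the deny ends up above the allow, move it below, since the first matching policy wins. Traffic between two hosts that stay on the same interface and subnet is still invisible to the firewall, exactly as the replies say.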