James_G
New Member
December 23, 2019
Question

"Block intra-zone traffic" on SD-WAN interface

  • December 23, 2019
  • 1 reply
  • 5944 views

On a normal zone you have the option to enable or disable "Block intra-zone traffic".


What's the default behavior on an SD-WAN interface, and is this configurable?

    1 reply

    emnoc
    New Member
    January 2, 2020

    What do you mean by normal zone & SDWAN? If you have zones, then traffic is allowed by the policies that you create. Can you explain what intra-zone you have, and the issues, or a topology?


    Ken Felix

    James_G (Author)
    New Member
    January 2, 2020

    In a zone you can either allow or deny traffic between interfaces that are members of the same zone ("set intrazone deny/allow"). This does not hit any policy, and it is impossible to configure a policy other than the allow / deny.


    An example of this would be if you have an "edge networks" zone with interfaces "edge floor 1" and "edge floor 2" (*not totally different to my real world*!). If you set intrazone allow, then the network between floor 1 and floor 2 is totally open.


    The same is true for SD-WAN interfaces, except the option to set intrazone deny/allow is not valid. I have checked with support, and the default option (and only option) is to allow traffic between SD-WAN members without any policy. So for example, if you have an ISP and a VPN tunnel as SD-WAN members, the FortiGate will openly route traffic from VPN to ISP and from ISP to VPN without any policy checking. It's just an open router, with the only protection being NAT.
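    For readers who want to see the zone setting the poster is describing in CLI form, here is an added FortiOS configuration example (written for this thread, not posted by James_G or taken from Fortinet documentation). The zone and interface names ("edge-networks", "port1", "port2") are hypothetical. The first block shows the open setting, where member-to-member traffic is passed without a policy lookup; the second shows the closed setting, where traffic between members of the same zone is dropped unless a policy permits it, paired with a logging deny policy so that any attempt shows up in the traffic log:

```fortios
# --- Weak setting (hypothetical zone): members can reach each other freely,
#     no firewall policy is consulted for floor-1 <-> floor-2 traffic.
config system zone
    edit "edge-networks"
        set intrazone allow
        set interface "port1" "port2"
    next
end

# --- Hardened setting: block intra-zone traffic by default.
config system zone
    edit "edge-networks"
        set intrazone deny
        set interface "port1" "port2"
    next
end

# --- Explicit deny-and-log policy between members of the zone, so that any
#     floor-1 <-> floor-2 attempt is recorded rather than silently dropped.
#     (Policy ID 0 lets FortiOS assign the next free ID.)
config firewall policy
    edit 0
        set name "edge-intrazone-deny-log"
        set srcintf "edge-networks"
        set dstintf "edge-networks"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

    The second block is the one to compare against a live unit: if "intrazone" on a production zone reads "allow", hosts on its member interfaces are reachable from each other with no policy and no log entry, which is exactly the condition the poster describes. As the thread states, this knob is not available for SD-WAN members, so the example covers regular zones only.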

    emnoc
    New Member
    January 2, 2020

    So you have a SDWAN and it's in a zone? What traffic are you suspecting is open between those SDWAN members? Can't you craft a policy that says src/dst-zone deny? BTW, never heard anyone calling up a virtual-wan in a zone to begin with.


    Ken Felix