obi
New Member
October 29, 2013
Question

Block traffic Internal to Internal

  • October 29, 2013
  • 12 replies
  • 32405 views
Hi, I have 2 address ranges: A 192.168.1.[1-10] and B 192.168.1.[30-60]. Now I made a Policy where I deny any traffic from A to B.
Source Interface: Internal
Source Address: 192.168.1.[1-10]
Destination Interface: Internal
Destination Address: 192.168.1.[30-60]
Schedule: always
Service: ANY
Action: DENY
Unfortunately the rule doesn't work. There are some switches between the PCs and the firewall. Does anyone know why I can't block the traffic or only some services from one internal IP/range to another, or what am I doing wrong? I have a FG110C with firmware 4.0 MR3 Patch 15. Thanks in advance, obi
    ede_pfau
    SuperUser
    October 29, 2013
Hi, you have not included the network mask used. Assuming it's /24 (=255.255.255.0), your hosts do not need to send traffic to your router (the FGT) - they can make direct connections. The FGT is not involved with this. If you want to control traffic between 2 groups of hosts you have to have 2 distinct IP ranges, like 192.168.1.[0-127] and .[128-255], with a network mask of /25. Then the FGT has to route between subnets and your policy would have an effect.
    obi (Author)
    New Member
    October 29, 2013
    Hi, strange, if I try to add the subnet (/18 or /24) I get an error: "... is not a valid IP Address". Thanks, obi
    rwpatterson
    New Member
    October 29, 2013
    Where are you trying to 'add' this?
    obi (Author)
    New Member
    October 29, 2013
    Hi, I try to do this in "Firewall Objects" -> "Address" -> "Address". There I select the range and when I try to add the subnet, I get this error.
    ede_pfau
    SuperUser
    October 30, 2013
    It's either address+netmask OR address range.
    rwpatterson
    New Member
    October 30, 2013
    Either: 192.168.1.[0-127] and 192.168.1.[128-255] Or: 192.168.1.0/25 and 192.168.1.128/25
    Ramesh_M
    New Member
    November 15, 2013
    Hi, The traffic will not come to the firewall, if the source and destinations are in behind the same interface. So it will not work...
    ede_pfau
    SuperUser
    November 15, 2013
    @Ramesh: it will. If the address ranges are distinct, and the default gateway on both LANs is the same FGT interface, then the FGT can route between them. It has to have an 'internal' to 'internal' policy to allow this. That's where you can control the traffic.
    Ramesh_M
    New Member
    November 15, 2013
    You mean to say the hair pin kind of concept...
    ede_pfau
    SuperUser
    November 15, 2013
    Yes, exactly. It works, I've set this up some time ago to test it.
    danto
    New Member
    December 12, 2013
    Hi, if the subnets are different it will work and the traffic will be routed through the Fortigate, however in this case it will not. It is a basic rule of networking. If the addresses are in the same subnet the traffic will flow between the hosts directly, no gateway, no routing involved, and for that reason the firewall rules will not have any effect.
    emnoc
    New Member
    December 13, 2013
    Agreed. You're trying to use a L3 device to filter something that involves L2. A packet capture and diag debug flow will easily show you that the rule is not going to be matched.
    ede_pfau
    SuperUser
    December 13, 2013
    Anyone read my post from October 29? Same statement, and one suggestion how to solve this. IMHO there is nothing else necessary for such a simple topic.
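The point made by ede_pfau and danto above (same subnet: hosts talk directly at L2 and the FGT never sees the packets; distinct subnets with the FGT as gateway: the internal-to-internal policy applies) can be checked numerically. This is an added example, not code from the thread or from Fortinet; the host ranges and the /25 re-addressing are taken from the posts, the function names are my own.

```python
import ipaddress


def host_range(first_octet_value, last_octet_value, prefix="192.168.1."):
    """Yield every host in an inclusive last-octet range, e.g. .1 to .10."""
    for last in range(first_octet_value, last_octet_value + 1):
        yield ipaddress.IPv4Address(f"{prefix}{last}")


def crosses_gateway(src, dst, prefixlen):
    """True if src and dst sit in different subnets under the given mask.

    Only then does src hand the packet to its default gateway (the FGT),
    which is the only place an internal->internal policy can match it.
    """
    src_net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    dst_net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
    return src_net != dst_net


def policy_coverage(src_range, dst_range, prefixlen):
    """Fraction of src->dst host pairs that actually traverse the FGT.

    1.0 means a DENY policy between the two address objects blocks every
    pair; 0.0 means the switches forward everything and the policy is dead.
    """
    pairs = [(s, d) for s in host_range(*src_range) for d in host_range(*dst_range)]
    routed = sum(crosses_gateway(s, d, prefixlen) for s, d in pairs)
    return routed / len(pairs)


if __name__ == "__main__":
    a, b = (1, 10), (30, 60)          # ranges from the original question
    print("A->B, /24:", policy_coverage(a, b, 24))          # 0.0: same subnet
    print("A->B, /25:", policy_coverage(a, b, 25))          # 0.0: both still in .0/25
    # Re-addressed as ede_pfau suggests: B moved into the upper /25 (constructed values)
    print("A->B', /25:", policy_coverage(a, (130, 160), 25))  # 1.0: every pair routed
```

Note that merely shrinking the mask to /25 does not help while both ranges stay below .128; the hosts themselves have to be re-addressed into two distinct subnets.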