Newbie77
New Member
March 12, 2015
Question

Blocking another machine from another machine.

  • March 12, 2015
  • 4 replies
  • 11647 views

I need to block one server from communicating with another one within the same subnet.  How would I do that from our FGT?

    4 replies

    Dave_Hall
    New Member
    March 12, 2015

    Likely the best way to do this is from the machine's own firewall settings.  Technically, the Fortigate can only control/restrict traffic if that traffic is going through it; if you have two machines on the internal network, communicating via switches or both are on the same switch, the Fortigate may not even see that traffic.   If the Fortigate was set in transparency mode you may have better options.

    Newbie77
    Newbie77 (Author)
    New Member
    March 12, 2015

    Makes sense.  Thank you for responding.

    ede_pfau
    SuperUser
    March 13, 2015

    If you change the server's IP address to some value outside of the (common) subnet, and specify the FGT to be the gateway for this, all traffic to and from the server has to cross the FGT. You would create an 'internal -> internal' policy and have control over the routed traffic.

    Think of the consequences and if nothing else stands in the way, it's feasible.

    AndreaSoliva
    New Member
    March 16, 2015

    Hi all

    What is written here is not 100% certain, which means the following:

    - What is the reason that, on a standard configuration of a FGT, clients/servers within the same subnet can communicate with each other without going over the FGT?

    The answer is the following command:

    # config system interface
    # edit [Name of the interface]
    # set icmp-redirect enable
    # end

    This means "icmp-redirect" is enabled by default. WHY? If client A is connected to the FGT and requests client B, in the same subnet as client A, what happens exactly (in a very short overview):

    --> Client A requests Client B with an ARP request, because no ARP entry is available locally ("who has").
    --> The ARP request reaches the FGT (default GW IP of the FGT) and the FGT itself broadcasts "who has".
    --> Client B answers to the FGT "I am" (including its MAC address).
    --> The FGT sends an "icmp-redirect" to Client A including the MAC address and the "icmp-redirect" information, which actually means:

           Here is the information "MAC/IP"; Client B is in the same subnet as you, so do not come to me, go direct!

    This is the reason the traffic does not go over the firewall: because "icmp-redirect" is enabled, Client A/B can communicate directly and you do not need any firewall policy on the FGT. If you would like to prevent this, disable "icmp-redirect"; then the FGT does not send an "icmp-redirect" to Client A and the traffic will go over the FGT (because the default gateway points the client to the FGT), and you HAVE TO implement a firewall policy which allows traffic from Client A to B and vice versa etc. Of course, if "icmp-redirect" is disabled and Client A makes a static ARP entry for Client B locally, the traffic would also go direct and not over the FGT.

    This is, in short words/overview, why or what is responsible for whether intercommunication between clients within a subnet directly connected to the FGT is possible or not, and whether it needs a firewall policy on the FGT or not. Be careful if you disable "icmp-redirect" and be aware that ALL traffic within a subnet will go over the FGT (performance).

    hope this helps

    have fun

    Andrea

    rwpatterson
    New Member
    March 16, 2015

    I disagree, simply because of a PC's routing table. All traffic destined for the local subnet uses the local IP as the gateway.

    C:\Users\rpatterson>netstat -r
    ...
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0  192.168.151.250  192.168.151.121    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        192.168.151.0    255.255.255.0         On-link   192.168.151.121    266
      192.168.151.121  255.255.255.255         On-link   192.168.151.121    266
      192.168.151.255  255.255.255.255         On-link   192.168.151.121    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link   192.168.151.121    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link   192.168.151.121    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      10.131.24.4  Default
              0.0.0.0          0.0.0.0  192.168.151.250  Default
    ===========================================================================
    ...

    Basically, the Fortigate is removed from the routing equation by the local device.

     

    My two cents...
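Added example, not code from any post in this thread: a small route-lookup model that parses a Windows `netstat -r` IPv4 table of the shape rwpatterson quoted and applies the host's own decision rule (longest prefix, lowest metric on a tie). It shows why a same-subnet peer is reached "On-link" (the host ARPs for it and the FortiGate never forwards the packet, so no firewall policy can match it) and why ede_pfau's re-addressing of one server into a different subnet, with the FGT as its gateway, puts the FGT in both directions of the path. The sample table and the FGT address 192.168.152.1 on the second subnet are constructed for the example; they are not from the thread.

```python
"""Route lookup as a host does it: longest prefix, then lowest metric."""
import ipaddress
import re

# Constructed sample with the same shape and addresses as the quoted
# `netstat -r` table (loopback and multicast rows trimmed for brevity).
NETSTAT_R = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.151.250  192.168.151.121    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
    192.168.151.0    255.255.255.0         On-link   192.168.151.121    266
  192.168.151.121  255.255.255.255         On-link   192.168.151.121    266
  192.168.151.255  255.255.255.255         On-link   192.168.151.121    266
        224.0.0.0        240.0.0.0         On-link   192.168.151.121    266
  255.255.255.255  255.255.255.255         On-link   192.168.151.121    266
===========================================================================
"""

# destination, netmask, gateway-or-"On-link", interface, metric
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat_r(text):
    """Return (network, gateway or None, interface, metric) tuples.

    gateway is None for On-link routes: the host ARPs for the destination
    itself instead of handing the packet to a router.
    """
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators, blank lines
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = None if gw == "On-link" else ipaddress.IPv4Address(gw)
        routes.append((net, gateway, ipaddress.IPv4Address(iface), int(metric)))
    return routes


def next_hop(routes, dst):
    """Pick the most specific matching route (lowest metric on a tie).

    Returns (routed, next_hop, prefixlen). routed is False when the packet
    is delivered directly on the link, so no gateway ever sees it.
    """
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        raise ValueError(f"no route to {dst}")
    net, gateway, _iface, _metric = min(matches, key=lambda r: (-r[0].prefixlen, r[3]))
    if gateway is None:
        return (False, dst, net.prefixlen)
    return (True, gateway, net.prefixlen)


def host_table(ip, prefixlen, gateway):
    """Minimal table for one host: default via gateway, connected subnet On-link."""
    ip = ipaddress.IPv4Address(ip)
    connected = ipaddress.IPv4Interface(f"{ip}/{prefixlen}").network
    return [
        (ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address(gateway), ip, 266),
        (connected, None, ip, 266),
        (ipaddress.IPv4Network(f"{ip}/32"), None, ip, 266),
    ]


def fgt_can_police(a_ip, a_prefix, a_gw, b_ip, b_prefix, b_gw):
    """True only if BOTH directions are handed to a gateway.

    A FortiGate firewall policy can only match traffic the FortiGate
    forwards; for On-link peers a deny policy alone does nothing.
    """
    a_to_b, _, _ = next_hop(host_table(a_ip, a_prefix, a_gw), b_ip)
    b_to_a, _, _ = next_hop(host_table(b_ip, b_prefix, b_gw), a_ip)
    return a_to_b and b_to_a


if __name__ == "__main__":
    routes = parse_netstat_r(NETSTAT_R)
    print("peer in same /24:", next_hop(routes, "192.168.151.50"))
    print("peer in other subnet:", next_hop(routes, "192.168.152.10"))
    # Both servers on 192.168.151.0/24 behind the FGT at .250: direct delivery.
    print(fgt_can_police("192.168.151.121", 24, "192.168.151.250",
                         "192.168.151.50", 24, "192.168.151.250"))
    # Server B moved to 192.168.152.0/24; FGT address 192.168.152.1 is assumed.
    print(fgt_can_police("192.168.151.121", 24, "192.168.151.250",
                         "192.168.152.10", 24, "192.168.152.1"))
```

The model only covers the routing decision. It does not represent a static ARP entry or any other layer-2 shortcut that would still let the two hosts reach each other directly, and once both directions do cross the FGT, the flow still has to be matched by a policy between the two interfaces (a deny policy, or simply no allow policy, since FortiOS drops traffic that matches no policy).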

    Dave_Hall
    New Member
    March 16, 2015

    Let's not complicate things; OP wanted to block one machine from another machine on the same subnet: the simplest and easiest solution is to use the machine's own firewall for the blocking. IMHO. :)