Skip to main content
spotter
spotter
New Member
January 30, 2022
Question

Fortigate 60D: understanding ipv4 policy and vlans

  • January 30, 2022
  • 2 replies
  • 2605 views

I was gifted an old Fortigate 60D, and I'm trying to use it to isolate my IOT wireless devices from the rest of my LAN, while still allowing LAN devices (say home assistant) to connect to them.

 

On a Juniper router, I could have 2 VLANs (home and IOT) and just reject "tcp initial" packets (i.e. syn) from going from IOT to home vlan.  This would allow home to connect to IOT, but IOT devices could not connect to home, as their syn packets would be dropped.

 

I don't see exactly that analogue in walking through the Fortigate's UI, but I'm wondering if that's just the standard behavior of the ipv4 policy engine.

i.e. if I'd set "incoming interface" to home vlan, "outgoing interface" to iot vlan, source/destination to be any for both, with a service of ALL (or ALL_TCP), would this just prevent devices on the outgoing interface to connect to anything on incoming interface, but there would be no restrictions on the reverse.  (so home assistant on home vlan could talk to iot devices over tcp/ip, assuming default allow)

 

thanks.

2 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
January 30, 2022

Just don't create a policy IoT->home_vlan, which would prevent traffic you wan to block. Then have pollcies home_vlan->IoT to allow that direction only.

 

Toshi

spotter
spotterAuthor
New Member
January 30, 2022

ok, thats what I was figuring, though now I'm beginning to realize that perhaps this device wont serve my needs.  I'd want to trunk all VLANs to a remote switch as well, but from what I'm reading, that might not be possible (as the fortigate shouldn't really be viewed as switch but as a firewall).  while it has some managed switch capabilities, that's not really what it is designed to be.

though perhaps what I read is worng.

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
January 30, 2022

Moving L2 switching to switch behind a FGT is common set up. But since 60Ds don't do LAG, you need to have all vlans on the same interface, which connects to the switch. Then inter-vlan routing comes to the FGT and you have control with policies.

Terms & ConditionsAccessibility statement