Bovie2k
New Member
February 4, 2024
Question

Fortinet From To Source Destination

  • February 4, 2024
  • 3 replies
  • 4708 views

OK, first: my firewall works as is, but I don't think it's set up right. My internal network is a /18, and the LAN is a /24 contained in that /18. I have the /18 set up as a static route on the LAN network, basically pointing the /18 route at the L3 Meraki switch I have behind the firewalls.

 

All the rules work as is today, BUT on inbound rules I have to leave To = any. I still set the From, Source and Destination. On outbound rules I'm able to set all four: From, To, Source, Destination. If I set the To on the inbound rule, the rule doesn't work. Should my LAN interface be configured as 255.255.192.0 instead of 255.255.255.0?

 

3 replies

hbac
Staff
February 5, 2024

Hi @Bovie2k

 

Please provide more details about your issue. Please provide a screenshot if possible.

 

Regards,

Bovie2k (Author)
New Member
February 5, 2024

@hbac Sure, here we go.

 

Here is the interface on a /24:

Interface slash 24.png

Here is my static route going to the L3 router, which is contained on the interface /24:

Static Route to slash 18.png

 

Example of Internet to DMZ, where I can put in the From, To, Source and Destination:

Internet to DMZ works.png

 

Example of Internet to Inside, where I cannot put in the To. I can have a Source and Destination, but if I put in a To of my LAN, traffic doesn't pass:

Internet to LAN Have to have ANY.png

 

Example of outbound from LAN. This is where I'm fine to put the LAN as the From, and it works fine:

LAN to Internet can use From.png

Toshi_Esumi
SuperUser
February 5, 2024

Also, you didn't explain why you have to have a /18 static route instead of a /24 route toward the Meraki L3 switch. Are there more subnets on the switch side in addition to the LAN subnet?

 

Toshi

Bovie2k (Author)
New Member
February 5, 2024

@Toshi_Esumi Thanks for the response. Yes, there are tons of subnets within that /18 that the Meraki L3 switch routes to, which is why I have the static route for the /18: if the IP is within that /18, send it to the Meraki L3 and it routes it to the correct client, usually through other L3 switches, as we have multiple locations with dark fiber connected to the Meraki L3 switch.

Toshi_Esumi
SuperUser
February 6, 2024

Have you tried creating a new policy Internet-zone -> (the VLAN interface name toward the Meraki SW) for that /24 destination only, in addition to the existing policy Internet-zone -> any, and then placing it above the existing "to-any" policy?

I'm guessing one of those destination address objects in the policy has its belonging interface specified as something other than the VLAN interface.

Toshi

Bovie2k (Author)
New Member
February 20, 2024

I spoke with Fortinet support today and figured this out. Kind of feel dumb. My management interface is on the same subnet as the computer I was trying to access. Because of that, it won't use the /18 route on the other LAN interface; it wants to talk to the computer from the interface it's contained on. Makes perfect sense.