N_W
Explorer
February 11, 2026
Question

How to achieve Layer 2 (Intra-VLAN) traffic visibility and blocking on FortiGate 7.2.12

  • 3 replies
  • 703 views

Hi Community,

I am currently using a FortiGate running FortiOS v7.2.12. My FortiGate is configured as the Gateway (L3 mode) for my network segments.

Coming from a Palo Alto background, I am used to having visibility into Layer 2 traffic. I would like to achieve similar visibility on the FortiGate for Intra-VLAN traffic (devices communicating within the same subnet).

My goals are:

Visibility: To see/log traffic between hosts in the same VLAN.

Control: Ideally, I want to be able to block this L2 traffic if necessary.

Since the FortiGate is the gateway and traffic usually switches locally on the access switch without hitting the firewall:

Is there a specific configuration required on the FortiGate side (e.g., specific interface settings, policies) to intercept and log/block this L2 traffic?

Would enabling Deep Packet Inspection (DPI) help in this scenario to gain visibility, or is this purely a routing/switching issue?

Do I need to implement Private VLANs (PVLAN) on the switch side and enable proxy-arp on the FortiGate, or is there a "Transparent" feature I can enable on an L3 interface?

Any advice or best practices to achieve "East-West" lateral movement visibility within the same VLAN would be appreciated.

Thanks in advance.

3 replies

magliano
Staff
February 11, 2026

Hi @Anonymous_User,

You can block the traffic between VLANs as follows.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-intra-VLAN-traffic-at-the-FortiSwitch/ta-p/405085

If you need to allow specific traffic within the same VLAN, you would need to create a firewall policy on the same interface, specifying the required ports. Additionally, make sure to enable logging on the policy so you can monitor the traffic.

Best regards,

N_W (Author)
Explorer
February 12, 2026

"Hi, The article you shared focuses on blocking Layer 2 (Intra-VLAN) traffic. My main goal is visibility. With this configuration, is it possible to see logs for both allowed and denied L2 traffic? Can I simply allow the traffic and just log it for monitoring purposes?"

sw2090
SuperUser
February 12, 2026

"My goals are:
Visibility: To see/log traffic between hosts in the same VLAN.
Control: Ideally, I want to be able to block this L2 traffic if necessary."

You might see this traffic using the packet sniffer on the FGT VLAN interface, but this is network-internal traffic. It doesn't hit the FortiGate, so it will not hit any policy.
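As an added illustration (not part of any reply in this thread): a FortiOS CLI fragment that puts together the two pieces the replies describe, the same-interface policy with logging from magliano's answer and the sniffer check from sw2090's. Interface name "vlan10", port "port1", the 10.10.10.0/24 subnet and the host addresses are assumptions. The `switch-controller-access-vlan` keyword is my assumption for the CLI form of the "Block intra-VLAN traffic" toggle on FortiSwitch-managed VLANs and should be verified on 7.2.12; it is not something the thread confirms.

```text
# Added example, not from the thread. Assumed: VLAN interface "vlan10" on "port1",
# FortiGate gateway 10.10.10.1/24, two hosts 10.10.10.20 and 10.10.10.30.

# 1. VLAN interface the FortiGate is the gateway for (L3 mode, as in the question).
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 10
        # Assumption: CLI form of the "Block intra-VLAN traffic" toggle for VLANs
        # managed through the FortiSwitch controller. Only present when this VLAN
        # is a FortiSwitch VLAN; verify the keyword in your release before relying on it.
        set switch-controller-access-vlan enable
    next
end

# 2. Same-interface policy: srcintf and dstintf are both the VLAN interface.
#    Frames only reach this policy if the switch forces them up to the gateway
#    (step 1 on FortiSwitch, or PVLAN plus proxy-ARP on a third-party switch).
#    Otherwise they are switched locally and the policy logs nothing.
config firewall policy
    edit 0
        set name "intra-vlan10-log"
        set srcintf "vlan10"
        set dstintf "vlan10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Visibility only; set action deny to block instead"
    next
end

# 3. Check whether intra-VLAN frames arrive at the FortiGate at all:
#    capture on the VLAN interface (verbosity 4 prints interface names,
#    count 0 = until stopped, l = local timestamps).
diagnose sniffer packet vlan10 'host 10.10.10.20 and host 10.10.10.30' 4 0 l

# 4. If frames do arrive, confirm a session was built against the policy above.
diagnose sys session filter src 10.10.10.20
diagnose sys session filter dst 10.10.10.30
diagnose sys session list
```

If step 3 shows nothing while the two hosts are talking, the traffic is staying on the access switch, and no policy or inspection profile on the FortiGate will see it; the fix is on the switch side, not in the policy.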

N_W (Author)
Explorer
February 12, 2026

Hi,

Thanks for the quick reply.

However, coming from a Palo Alto background, I am quite used to having visibility into L2 packets even without L3 routing. I am specifically looking for a way to achieve similar visibility on the FortiGate side.

My expectation is to potentially use Deep Inspection or a similar mechanism to analyze and log these L2 frames effectively. I believe there must be a configuration to inspect this layer without acting as a gateway.

As the saying goes: "If the mountain won't come to Muhammad, then Muhammad must go to the mountain."

Any further guidance on how to "go to the traffic" would be appreciated.

N_W (Author)
Explorer
February 14, 2026

The 'intra block' option you mentioned isn't appearing. Is this feature only available within software switch and hardware switch interfaces?