jfrye
New Member
October 1, 2024
Question

OT segregation with intervlan traffic

  • October 1, 2024
  • 3 replies
  • 3662 views

I am trying to use a fortigate 60F to segregate my OT network, so SCADA from ICS.  I already have switches in place, so trying to use what is there.  Currently testing on the bench, with 2 managed switches connected to the FGT, each switch represents one VLAN, as below:


VLAN 10 - 10.1.0.0/24

VLAN 11 - 10.1.1.0/24


I have assigned physical interfaces (left at 0.0.0.0/0) to VLAN switches (as above). 

Alternatively assigned VLAN interfaces to the physical interfaces (0.0.0.0/0 again).

Both with bidirectional firewall policies.


Using VLAN switches, which was the best result, I can link to one switch, and get to the FGT but not to a device or other switch in the other VLAN; the FGT can ping devices on either VLAN.  What am I missing?  Thanks.

[Attached: Screenshot 2024-10-01 153123.png, Screenshot 2024-10-01 153047.png]


3 replies

AEK
SuperUser
October 1, 2024

Which interfaces did you put in the ICS Zone and the SCADA Zone? Can you share a screenshot of those interfaces' config?

On the other hand (but not related to your issue) I don't think it is a good idea to NAT the traffic, unless you have a good reason.

AEK
jfrye (Author)
New Member
October 2, 2024

I put the physical interfaces, internal3 and internal5, into ICS and SCADA zones, respectively.  Photos attached.  Should the subnet be done differently?  My switches are connected by access ports, so vlan untagged, would that matter or would it go off of the subnetting for the policy?


NAT was on by default... Thanks.

[Attached: Screenshot 2024-10-02 071417.png, Screenshot 2024-10-02 071431.png]


AEK
SuperUser
October 2, 2024

Did you check if your devices have the respective FG interface IP addresses as their gateways?

AEK
AEK
SuperUser
October 8, 2024

Please share the following CLI output:

show system interface

AEK
jfrye (Author)
New Member
October 8, 2024

FortiGate-60F # show system interface
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 1
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 2
        set macaddr 74:78:a6:dc:83:8f
    next
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https fgfm fabric
        set type physical
        set role dmz
        set snmp-index 3
    next
    edit "internal1"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    edit "internal2"
        set vdom "root"
        set type physical
        set snmp-index 5
    next
    edit "internal3"
        set vdom "root"
        set type physical
        set snmp-index 6
    next
    edit "internal4"
        set vdom "root"
        set type physical
        set snmp-index 7
    next
    edit "internal5"
        set vdom "root"
        set type physical
        set snmp-index 8
    next
    edit "a"
        set vdom "root"
        set type physical
        set snmp-index 9
    next
    edit "b"
        set vdom "root"
        set type physical
        set snmp-index 10
    next
    edit "modem"
        set vdom "root"
        set mode pppoe
        set status down
        set type physical
        set snmp-index 11
    next
    edit "l2t.root"
        set vdom "root"
        set type tunnel
        set snmp-index 13
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 14
    next
    edit "naf.root"
        set vdom "root"
        set type tunnel
        set src-check disable
        set snmp-index 12
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fgfm fabric
        set type hard-switch
        set alias "Management"
        set stp enable
        set role lan
        set snmp-index 15
    next
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set member "a" "b"
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 16
    next
    edit "scda"
        set vdom "root"
        set ip 10.1.0.145 255.255.255.0
        set allowaccess ping https http fgfm fabric
        set type hard-switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 17
    next
    edit "ics"
        set vdom "root"
        set ip 10.1.1.145 255.255.255.0
        set allowaccess ping https http fgfm fabric
        set type hard-switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 18
    next
end

AEK
SuperUser
October 8, 2024

Please run this debug command while doing the ping test.

diag sniffer packet any "host x.x.x.x and icmp" 4

Also use a packet sniffer on the target server to see what it is doing with the echo requests.

AEK
jfrye (Author)
New Member
October 8, 2024

Pinging switch to switch:

FortiGate-60F # diag sniffer packet any 'host 10.1.1.35 and icmp' 4
interfaces=[any]
filters=[host 10.1.1.35 and icmp]
20.976165 scda in 10.1.0.36 -> 10.1.1.35: icmp: echo request
20.977420 ics out 10.1.0.36 -> 10.1.1.35: icmp: echo request
20.977778 ics in 10.1.1.35 -> 10.1.0.36: icmp: echo reply
20.978116 scda out 10.1.1.35 -> 10.1.0.36: icmp: echo reply
21.970243 scda in 10.1.0.36 -> 10.1.1.35: icmp: echo request
21.970288 ics out 10.1.0.36 -> 10.1.1.35: icmp: echo request
21.970713 ics in 10.1.1.35 -> 10.1.0.36: icmp: echo reply
21.970735 scda out 10.1.1.35 -> 10.1.0.36: icmp: echo reply

Pinging a device on the ICS side:

FortiGate-60F # diag sniffer packet any 'host 10.1.1.101'
interfaces=[any]
filters=[host 10.1.1.101]
0.445269 arp who-has 10.1.1.65 tell 10.1.1.101
1.054860 10.1.0.36 -> 10.1.1.101: icmp: echo request
1.054993 10.1.0.36 -> 10.1.1.101: icmp: echo request
1.055244 10.1.1.101 -> 10.1.0.36: icmp: echo reply
1.055616 10.1.1.101 -> 10.1.0.36: icmp: echo reply
2.047644 10.1.0.36 -> 10.1.1.101: icmp: echo request
2.047727 10.1.0.36 -> 10.1.1.101: icmp: echo request
2.048139 10.1.1.101 -> 10.1.0.36: icmp: echo reply
2.048170 10.1.1.101 -> 10.1.0.36: icmp: echo reply

AEK
SuperUser
October 8, 2024

You see that the echo requests and echo replies are all properly forwarded by the FG. I think there is no issue with the FortiGate.

If you don't receive an echo reply on the initiating host, then you need a packet sniffer on the "initiating" client to see what it is doing with the received echo replies.

AEK
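AEK's reading of the trace (every echo seen entering the unit also leaves it, so the FortiGate is not the culprit) can be checked mechanically. The Python script below is an added example, not code from the thread or from Fortinet: it parses verbosity-4 `diag sniffer packet` lines in the format posted above (a constructed sample is embedded) and reports where along the ping path the packets stop; the sample timestamps, interface names and verdict wording are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's `diag sniffer packet any ... 4`
# output (verbosity 4 prints the interface name and the in/out direction).
SAMPLE_TRACE = """\
20.976165 scda in 10.1.0.36 -> 10.1.1.35: icmp: echo request
20.977420 ics out 10.1.0.36 -> 10.1.1.35: icmp: echo request
20.977778 ics in 10.1.1.35 -> 10.1.0.36: icmp: echo reply
20.978116 scda out 10.1.1.35 -> 10.1.0.36: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)

def parse_trace(text):
    """One dict per ICMP echo line; ARP and other lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts

def flow_counts(pkts):
    """Per (src, dst, kind): how many packets entered ('in') and left ('out') the unit."""
    flows = defaultdict(lambda: {"in": 0, "out": 0})
    for p in pkts:
        flows[(p["src"], p["dst"], p["kind"])][p["dir"]] += 1
    return flows

def diagnose(text):
    """Apply the thread's reasoning: a flow seen both 'in' and 'out' was forwarded
    by the FortiGate, so the remaining suspect is one of the endpoints."""
    flows = flow_counts(parse_trace(text))
    req = [f for (_, _, k), f in flows.items() if k == "request"]
    rep = [f for (_, _, k), f in flows.items() if k == "reply"]
    if not req:
        return "no echo request reached the FortiGate (client gateway or VLAN?)"
    if any(f["out"] < f["in"] for f in req):
        return "echo request dropped inside the FortiGate (policy or route)"
    if not rep:
        return "target never answered (target gateway or host firewall)"
    if any(f["out"] < f["in"] for f in rep):
        return "echo reply dropped inside the FortiGate (policy or route)"
    return "FortiGate forwards both directions; check the initiating host"
```

Paste a real capture into `diagnose()`; the second trace in the thread was taken without the verbosity level and therefore lacks interface names, so it would not parse until re-run with `4` as shown in AEK's command.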