Skip to main content
AHJARR
AHJARR
Explorer
November 26, 2024
Question

Override FortiGate block-intra vlan traffic

  • November 26, 2024
  • 3 replies
  • 2972 views

Hello guys!

Override FortiGate block-intra vlan traffic.

Is it possible to override  block-intra vlan I have two client on the same subnet need to talk with each other. But in the same time I will like to block anything else to reach each other is it possible to do so.

 

Thank you 

 

3 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
November 26, 2024

I would try what the NOTE in the admin guide says:
https://community.fortinet.com/t5/Support-Forum/Override-FortiGate-block-intra-vlan-traffic/m-p/360197

Toshi

AHJARR
AHJARRAuthor
Explorer
November 26, 2024

Hello @Toshi_Esumi Thank you for your reply.

What do you mean by try the note in the admin guide?

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
November 26, 2024

Sorry. I pasted a wrong link.
https://docs.fortinet.com/document/fortiswitch/7.4.5/fortilink-guide/801169/blocking-intra-vlan-traffic

The NOTE is below but basically the same with what @AEK said.

When intra-VLAN traffic blocking is enabled, to allow traffic between hosts, you need to configure the proxy ARP with the config system proxy-arp CLI command and configure a firewall policy. For example:

 

config system proxy-arp

edit 1

set interface "V100"

set ip 1.1.1.1

set end-ip 1.1.1.200

next

end

 

config firewall policy

edit 4

set name "Allow intra-VLAN traffic"

set srcintf "V100"

set dstintf "V100"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "ALL"

next

end

 

    AEK
    SuperUser
    AEK
    SuperUser
    November 26, 2024

    Hi

    Did you try to enable block-intra-VLAN traffic, then create a firewall policy to allow only the required traffic, like this:

    • Src intf: VLAN-X
    • Dst intf: VLAN-X (same)
    • Src: Client1-IP
    • Dst: Client2-IP
    • Service: ping, ...etc

    Hope it helps.

    AEK
      AHJARR
      AHJARRAuthor
      Explorer
      November 26, 2024

      Hi @AEK Thank you for your reply 

      I have already tried that doesn't work):

      FredPaul
      FredPaul
      New Member
      November 26, 2024

      Is this what you're looking for?

      https://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/801169/blocking-intra-vlan-traffic


      Terms & ConditionsAccessibility statement