bluemerle
Visitor III
August 28, 2025
Solved

Traffic from new VLAN interface in Zone gets blocked

  • August 28, 2025
  • 2 replies
  • 474 views

I have a zone on the FortiGate named "VPN Zone", which includes both SSL-VPN and IPsec.

We are now testing a ZTNA appliance that is connected via the X1 interface -> VLAN 101.

I added the VLAN 101 interface to the existing "VPN Zone" and included its subnet in the existing rules.

As a result, LAN clients can communicate with devices inside VLAN 101. However, devices inside VLAN 101 are being blocked by the FortiGate from accessing LAN.

FortiAnalyzer reports that the traffic is blocked by policy ID 0, showing the source interface as "VLAN 101". This makes sense, since there are no explicit policies referencing that interface, only the zone.


Any idea why the existing permit rules for the zone do not trigger for VLAN 101 outgoing, but incoming is fine?


FG200F v7.4.8


2 replies

AEK
SuperUser
August 28, 2025

FortiOS doesn't allow you to mix the SSL VPN interface with other interface types.

Putting it in a zone means you are somehow trying to fool it, but FortiOS can't be fooled so easily ;)

Try removing SSL VPN from the zone (use a separate policy) and it should work.

AEK
bluemerle (Author)
Visitor III
September 1, 2025

Got it working by moving the clients to another subnet and using the VLAN101 as a transport net. So the fault was the appliance assigning IPs to the VLAN101.

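As an added FortiOS CLI example (not the poster's configuration; the interface names, subnets, address objects and the IPsec tunnel name are assumptions), this shows the layout the accepted answer describes: VLAN 101 on X1 used only as a transport link to the ZTNA appliance, the clients on a separate subnet reached through a static route, the zone-based policy, and the flow trace used to confirm which policy ID a client's traffic actually matches.

```fortios
# Added example, not the thread's actual configuration.
# Assumed names: parent port "x1", VLAN interface "VLAN101", LAN interface "lan",
# IPsec tunnel interface "ipsec-vpn", transport subnet 10.101.0.0/24,
# client subnet 10.201.0.0/24 behind the appliance at 10.101.0.2.

# VLAN 101 on X1 is only a transport link to the ZTNA appliance
config system interface
    edit "VLAN101"
        set vdom "root"
        set ip 10.101.0.1 255.255.255.0
        set allowaccess ping
        set interface "x1"
        set vlanid 101
    next
end

# Address objects for the appliance's client subnet and the LAN
config firewall address
    edit "ZTNA-Clients"
        set subnet 10.201.0.0 255.255.255.0
    next
    edit "LAN-Net"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Clients live behind the appliance, so the FortiGate needs a route to them
config router static
    edit 0
        set dst 10.201.0.0 255.255.255.0
        set gateway 10.101.0.2
        set device "VLAN101"
    next
end

# The zone that holds SSL VPN, IPsec and the new VLAN interface
config system zone
    edit "VPN Zone"
        set interface "ssl.root" "ipsec-vpn" "VLAN101"
    next
end

# The policy matches on the zone, so a packet entering on VLAN101 with a
# source in ZTNA-Clients is accepted; a source address outside srcaddr falls
# through to the implicit deny (policy ID 0) that FortiAnalyzer reports
config firewall policy
    edit 0
        set name "VPN-Zone-to-LAN"
        set srcintf "VPN Zone"
        set dstintf "lan"
        set srcaddr "ZTNA-Clients"
        set dstaddr "LAN-Net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Verification: trace a flow from one client and read the policy ID it hits
diagnose debug flow filter saddr 10.201.0.10
diagnose debug flow filter daddr 192.168.10.5
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic from the client, then stop and clear the trace:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

The flow trace prints the policy lookup for each traced packet, so you can see directly whether the session is accepted by the zone policy or dropped by the implicit deny (policy 0), and which ingress interface and source address the FortiGate saw; that is the quickest way to tell a zone membership problem from a source address that is simply outside the policy's srcaddr.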