Zone, intra-zone traffic blocking and policy?
I was wondering if it is possible to use a zone that is blocking intra-zone traffic and create policies to only allow some specific traffic between the interface members of the zone? Or is the "Block intra-zone traffic" setting an all-or-nothing option?
Something like this:
Source interface: ZONE
Destination interface: ZONE
Source IP: SOME_SERVER
Destination IP: SOME_OTHER_DEVICE
This post seems to imply that this is (or was) possible, but I just can't get it to work: https://forum.fortinet.com/tm.aspx?m=115382
The idea is that we are redesigning a network with 90+ remote sites connected through VPN, with 10+ interfaces each. Almost all of these remote interfaces have no need to communicate with each other, except for some devices that need communication between the interfaces. If we could create one zone that blocks traffic globally and then only allow some services, it would be much easier to manage in the long run than creating 4-5 zones and having to create rules for all of them to communicate with the VPN.
Anyone have an idea?
