FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
Article Id 223809
Description This article describes an overview of how 'Block intra-SSID traffic' option on SSID configuration works on the bridge mode SSID as there is slight variation between tunneled and bridged.
Scope FortiOS  7.x.

Tunneled mode:

-  Enabling Block intra-SSID traffic will restrict communication between 2 wireless clients connected on same SSID on FortiAPs.

- In tunneled mode, the traffic will be completely blocked between 2 wireless clients on same SSID irrespective of the client associated FortiAPs (same FortiAP or different FortiAP).

Bridge mode:

- The traffic between two wireless clients will be blocked when associated to same FortiAP.

- The traffic will be allowed when wireless clients are associated to different FortiAP's (though connected to same SSID).

- Traffic coming to AP-1 through ethernet from AP-2 associated wireless clients, will be treated as wired traffic, hence will not be blocked.

In Simple, Bridge mode SSID with 'Block intra-SSID traffic' option enabled,

Wireless clients connected on Same SSID, Same FortiAP -- communication blocked
Wireless clients connected on Same SSID, but different FortiAP -- communication allowed (traffic will be considered as wired traffic between clients connected on different FortiAP's. )

This option in cli is available as 'intra-vap-privacy' under VAP configuration. Example as below,


# config wireless-controller vap

       edit test          <<<< test is the bridge SSID name
          set intra-vap-privacy




intra-vap-privacy  -  Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable).