Created on 08-26-2025 11:47 PM | Edited on 09-07-2025 11:40 PM | By Anthony_E
Description: This article describes a method to block specific traffic inside an SSID, without disabling all intra-SSID traffic.
Scope: All FortiGate managed Wireless Networks (SSIDs).
Solution:
In some cases, administrators may need to block traffic to a specific Wi-Fi client without disabling all intra-SSID communication. This article explains how to achieve this using an L3 Firewall Protection Profile.
Intra-SSID traffic (i.e., wireless device to wireless device) is enabled by default and can be blocked entirely by simply enabling the block option in the SSID (see Technical Tip: Enable Intra-SSID Privacy); however, this stops ALL intra-SSID traffic, which may not be desirable.
Since this traffic enters and leaves on the same SSID interface rather than crossing to a different interface, it is not evaluated by a standard Firewall Policy and cannot be blocked there.
The solution is to create an L3 Firewall Protection Profile (found under Protection Profiles; also known as an Access Control List) and assign it to the SSID.
In this example, the requirement is simply to block ICMP (ping) traffic from any client on the SSID to one particular wireless client, but the same approach can be adapted to block other protocols (e.g., TCP, UDP) and/or be restricted to particular source clients (source IP addresses) or source ports.
The steps are as follows:
From the FortiGate GUI, select: WiFi & Switch Controller -> Protection Profiles -> L3 Firewall Profiles -> + Create New.
In this example, ICMP / Ping (IANA Protocol 1) to 192.168.40.42 is blocked from ANY IP Address:
Add the required fields, then select OK to view the new rule:
At this point, optionally create any other rules. Only a single Protection Profile can be attached to an SSID, so multiple rules must be combined into a single profile.
CLI steps to create the same rule (the rule ID 1 is arbitrary; any unused ID works):
config wireless-controller access-control-list
    edit "Block Ping to 192.168.40.42"
        config layer3-ipv4-rules
            edit 1
                set srcaddr any
                set dstaddr 192.168.40.42/32
                set protocol 1
                set action deny
            next
        end
    next
end
Navigate to: WiFi & Switch Controller -> SSIDs.
Select the relevant SSID and select Edit:
Scroll down to Advanced Settings, find the L3 Firewall Profile field and select the new profile to attach it to the SSID:
Select OK, and it is ready to test. CLI steps to attach the profile to the SSID (replace <SSID-name> with the name of the SSID):
config wireless-controller vap
    edit "<SSID-name>"
        set access-control-list "Block Ping to 192.168.40.42"
    next
end
To verify, ping 192.168.40.42 from another client on the SSID: the ping works before the L3 Firewall profile is attached to the SSID and is blocked afterwards:
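Because an SSID accepts only one L3 Firewall Profile, the variations mentioned earlier (other protocols, specific source clients, source or destination ports) all have to be combined into that single profile. The following Python script is an added example, not part of the original article and not a Fortinet tool: it generates the same `config wireless-controller access-control-list` and `config wireless-controller vap` CLI shown in the steps from a list of rules, validating protocol numbers, ports and IPv4 addresses before emitting anything, so it goes beyond the single ICMP rule in the article. The attribute names (`layer3-ipv4-rules`, `srcaddr`, `dstaddr`, `srcport`, `dstport`, `protocol`, `action`) are assumed from the FortiOS CLI reference; confirm them with `?` inside `config layer3-ipv4-rules` on the firmware in use. The SSID name `guest-wifi` and the second (SSH) rule are constructed for illustration.

```python
"""Generate FortiOS CLI for a wireless L3 firewall profile from a rule list.

Added example (not from the article or Fortinet). Several rules are combined
into the single access-control-list that an SSID can reference.
"""
import ipaddress
from dataclasses import dataclass

# IANA protocol numbers; 255 is the FortiOS default meaning "any protocol".
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "any": 255}


@dataclass(frozen=True)
class L3Rule:
    comment: str
    protocol: str = "any"   # name from PROTO or an IANA number as a string
    srcaddr: str = "any"    # "any", "local-LAN", or an IPv4 host / CIDR
    dstaddr: str = "any"
    srcport: int = 0        # 0 = any port
    dstport: int = 0
    action: str = "deny"    # allow | deny


def _addr(value: str) -> str:
    """Normalise to the host/prefix form used by srcaddr and dstaddr."""
    if value in ("any", "local-LAN"):
        return value
    net = ipaddress.ip_network(value, strict=False)
    if net.version != 4:
        raise ValueError("layer3-ipv4-rules accept IPv4 addresses only")
    return f"{net.network_address}/{net.prefixlen}"  # a host becomes x.x.x.x/32


def _proto(value) -> int:
    """Accept a protocol name or an IANA number in the 0-255 range."""
    value = str(value)
    num = int(value) if value.isdigit() else PROTO.get(value.lower())
    if num is None or not 0 <= num <= 255:
        raise ValueError(f"unknown protocol {value!r}")
    return num


def _port(value: int) -> int:
    if not 0 <= value <= 65535:
        raise ValueError(f"port {value} out of range")
    return value


def build_acl(profile: str, rules: list) -> str:
    """Return the access-control-list block; rule IDs are assigned in order."""
    if not rules:
        raise ValueError("a profile needs at least one rule")
    lines = [
        "config wireless-controller access-control-list",
        f'    edit "{profile}"',
        "        config layer3-ipv4-rules",
    ]
    for rule_id, r in enumerate(rules, start=1):
        if r.action not in ("allow", "deny"):
            raise ValueError(f"rule {rule_id}: action must be allow or deny")
        lines += [
            f"            edit {rule_id}",
            f'                set comment "{r.comment}"',
            f"                set srcaddr {_addr(r.srcaddr)}",
            f"                set dstaddr {_addr(r.dstaddr)}",
            f"                set protocol {_proto(r.protocol)}",
        ]
        # Ports only matter for TCP/UDP; 0 (any) is left at the device default.
        if r.srcport:
            lines.append(f"                set srcport {_port(r.srcport)}")
        if r.dstport:
            lines.append(f"                set dstport {_port(r.dstport)}")
        lines += [f"                set action {r.action}", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def attach_to_ssid(ssid: str, profile: str) -> str:
    """Return the vap block that binds the one profile to the SSID."""
    return "\n".join([
        "config wireless-controller vap",
        f'    edit "{ssid}"',
        f'        set access-control-list "{profile}"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    # The article's ICMP rule plus a constructed second rule (block SSH to the
    # same client from the 192.168.40.0/24 wireless subnet). "guest-wifi" is a
    # placeholder SSID name.
    profile = "Block Ping to 192.168.40.42"
    rules = [
        L3Rule("block ICMP from any client", protocol="icmp",
               dstaddr="192.168.40.42"),
        L3Rule("block SSH from the wireless subnet", protocol="tcp",
               srcaddr="192.168.40.0/24", dstaddr="192.168.40.42", dstport=22),
    ]
    print(build_acl(profile, rules))
    print(attach_to_ssid("guest-wifi", profile))
```

Paste the printed output into the FortiGate CLI, or keep the generated text under version control so the one profile attached to each SSID can be reviewed as a whole rather than rule by rule in the GUI.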
Related articles: Technical Note: How to configure intra-SSID privacy
Copyright 2025 Fortinet, Inc. All Rights Reserved.