It is possible to allow or block intra-zone traffic by enabling or disabling the 'Block intra-zone traffic' option.

It is also possible to enable or disable from the CLI:

config system zone
    edit 'zone_name'   <--- Test in this case.
        set intrazone allow 

To control further, it is possible to 'set intrazone allow' for the zone and then add firewall policies to block some traffic. 

For example, it is possible to block traffic from one direction port1 -> port4, and allow the opposite direction from port4 to port1 inside the zone.

Steps to allow or deny traffic between subnets in the same zone:

1. Set intra-zone traffic to deny: Change the default setting to block traffic within the same zone.
2. Create a firewall policy: Configure the source and destination interfaces in the same zone but with different subnets. Set the action to either 'Accept' or 'Deny' based on the desired traffic flow.

Two policies are required to control traffic between subnets:

• One policy to allow specific traffic.
• Another policy is to deny specific traffic, depending on the direction desired to be managed.

During troubleshooting, 'debug flow' will not show any messages, it is possible to track the connection only using 'diagnose sniffer' and filter by session list. Example of session list for a session between 2 hosts in the same zone when 'set Interzone allow' is configured (hosts are located behind 2 different interfaces but in the same zone) :

Policy 4294967295 refers to a local-in policy, which takes precedence over other firewall policies because intra-zone traffic is allowed by default. Traffic allowed by this feature is not logged in the forward traffic logs.

session info: proto=6 proto_state=01 duration=27 expire=3591 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=0.0.0.0/100.64.127.2 vlan_cos=0/0
state=may_dirty npu synced
statistic(bytes/packets/allow_err): org=20597/188/1 reply=281657/255/1 tuples=2
tx speed(Bps/kbps): 744/5 rx speed(Bps/kbps): 10186/81
orgin->sink: org pre->post, reply pre->post dev=27->20/20->27 gwy=172.28.177.1/172.28.36.1
hook=pre dir=org act=noop 172.28.177.36:63858->172.28.36.20:445(0.0.0.0:0)
hook=post dir=reply act=noop 172.28.36.20:445->172.28.177.36:63858(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=205f7bd9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
npu info: flag=0x82/0x82, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
total session 1

Note:

Intrazone traffic with one member part of the zone.

If the zone has one member only, to control Intrazone traffic:

1. The global 'allow-traffic-redirect' option will be checked first:
   1. If it is enabled, traffic will not be seen for any policy. Traffic in the same zone will be allowed.
      
   2. If it is disabled, traffic will enter a kernel policy check.
      
      

2. The kernel local-in-policy will be checked, based on the Intrazone setting:

   1. If 'Block intra-zone traffic' is disabled, Intrazone traffic should be allowed.
      

   2. If 'Block intra-zone traffic' is enabled, traffic will enter a firewall policy check:
      

3. The firewall policy check:
   a. Traffic to be allowed can be controlled via firewall policies as mentioned above.
   b. If no policy is configured for the intended traffic, it will match the implicit deny policy.

However, when having one member only and Intrazone 'allow' is set (condition 2.a.), an accept policy is not created for the zone. Therefore, Intrazone traffic is blocked under that condition.

This behavior is fixed starting from FortiOS v7.4.4.

Starting from that version and on, an accept policy is created when one interface is part of the zone, and the Intrazone traffic is allowed.

Related article: