FortiGate
jbindra, Staff
Article Id 279733
Description: This article describes how to allow or block intra-zone traffic within a zone.
Scope: FortiGate.
Solution

It is possible to allow or block intra-zone traffic by enabling or disabling the 'Block intra-zone traffic' option.

[Screenshot: zone.PNG, the 'Block intra-zone traffic' option in the zone settings]

It is also possible to enable or disable it from the CLI ('set intrazone deny' blocks the traffic):

config system zone
    edit 'zone_name'   <--- 'Test' in this case.
        set intrazone allow
    next
end


[Screenshot: test1.PNG]

To control this further, it is possible to 'set intrazone allow' for the zone and then add firewall policies to block specific traffic.

For example, traffic can be blocked in one direction (port1 --> port4) while the opposite direction (port4 --> port1) remains allowed inside the zone.

Steps to allow or deny traffic between subnets in the same zone:

  1. Set intra-zone traffic to deny: change the default setting so that traffic within the same zone is blocked.
  2. Create a firewall policy: configure the source and destination interfaces as the same zone but with different subnets, and set the action to either 'Accept' or 'Deny' depending on the desired traffic flow.

Two policies are required to control traffic between subnets:

  • One policy to allow specific traffic.
  • Another policy to deny specific traffic, depending on the direction being managed.

During troubleshooting, 'debug flow' will not show any messages; the connection can only be tracked with 'diagnose sniffer' and by filtering the session list. Below is an example session list entry for a session between two hosts in the same zone when 'set intrazone allow' is configured (the hosts are behind two different interfaces that belong to the same zone):

In the output below, policy_id=4294967295 refers to a local-in policy, which takes precedence over other firewall policies because intra-zone traffic is allowed by default.

session info: proto=6 proto_state=01 duration=27 expire=3591 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=0.0.0.0/100.64.127.2 vlan_cos=0/0
state=may_dirty npu synced
statistic(bytes/packets/allow_err): org=20597/188/1 reply=281657/255/1 tuples=2
tx speed(Bps/kbps): 744/5 rx speed(Bps/kbps): 10186/81
orgin->sink: org pre->post, reply pre->post dev=27->20/20->27 gwy=172.28.177.1/172.28.36.1
hook=pre dir=org act=noop 172.28.177.36:63858->172.28.36.20:445(0.0.0.0:0)
hook=post dir=reply act=noop 172.28.36.20:445->172.28.177.36:63858(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=205f7bd9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
npu info: flag=0x82/0x82, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
total session 1
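Because the session list is the only place this traffic shows up during troubleshooting, the following Python helper (added here, not part of the article) parses 'diagnose sys session list' output and flags sessions whose policy_id is 4294967295, i.e. sessions that hit the implicit intra-zone allow rather than an explicit policy. The sample input is constructed from the relevant lines of the session above plus a made-up second session that matched an explicit policy (id 7).

```python
import re

# policy_id 4294967295 (0xFFFFFFFF) marks a session that was not matched by an
# explicit firewall policy; in the article's output it is the implicit
# intra-zone allow between two interfaces of the same zone.
IMPLICIT_POLICY_ID = 4294967295

# Constructed sample: the relevant lines of the session shown in the article,
# plus a second made-up session (policy_id=7) that hit an explicit policy.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=27 expire=3591 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=27->20/20->27 gwy=172.28.177.1/172.28.36.1
hook=pre dir=org act=noop 172.28.177.36:63858->172.28.36.20:445(0.0.0.0:0)
hook=post dir=reply act=noop 172.28.36.20:445->172.28.177.36:63858(0.0.0.0:0)
misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=20->27/27->20 gwy=172.28.36.1/172.28.177.1
hook=pre dir=org act=noop 172.28.36.20:51000->172.28.177.36:22(0.0.0.0:0)
hook=post dir=reply act=noop 172.28.177.36:22->172.28.36.20:51000(0.0.0.0:0)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

# Originating direction of the session: src:sport->dst:dport on the dir=org line.
ORG_RE = re.compile(r"dir=org act=\w+ ([\d.]+):(\d+)->([\d.]+):(\d+)")


def parse_session_list(text):
    """Split session list output into one dict per 'session info:' block."""
    sessions = []
    for block in re.split(r"^session info:", text, flags=re.M)[1:]:
        fields = dict(re.findall(r"(\w+)=(\S+)", block))  # flat key=value pairs
        dev = re.search(r"dev=(\d+)->(\d+)", block)        # ingress/egress if index
        org = ORG_RE.search(block)
        policy_id = int(fields["policy_id"])
        sessions.append({
            "proto": int(fields["proto"]),
            "src": org.group(1), "sport": int(org.group(2)),
            "dst": org.group(3), "dport": int(org.group(4)),
            "in_dev": int(dev.group(1)), "out_dev": int(dev.group(2)),
            "policy_id": policy_id,
            "implicit_intrazone": policy_id == IMPLICIT_POLICY_ID,
        })
    return sessions


def implicit_intrazone_sessions(text):
    """Sessions allowed by the implicit intra-zone rule, not an explicit policy."""
    return [s for s in parse_session_list(text) if s["implicit_intrazone"]]
```

Running implicit_intrazone_sessions(SAMPLE) returns only the first session (172.28.177.36 -> 172.28.36.20:445), which is the one to look at if intra-zone traffic was expected to be blocked.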