Technical Tip: Configure one rule to allow multiple VLANs to communicate to one VLANs

ychia · ‎08-08-2024

Description

This article describes how to configure one rule to allow multiple VLANs to communicate with one VLAN.

3 VLANs have been created on an interface and it is wanted for them to only communicate with one, specific VLAN. It is required to use a single policy to achieve this.

Scope

FortiGate.

Solution

There are two ways to achieve this. It is possible to either use a Zone to combine those 3 VLANs into one, logical interface, or it is possible to just specify those VLANs in a policy via the CLI.

VLAN configuration:

config system interface
edit "VLAN100"
set vdom "root"
set role lan
set interface "port9"
set vlanid 100
next

edit "VLAN200"
set vdom "root"
set role lan
set interface "port9"
set vlanid 200
next

edit "VLAN300"
set vdom "root"
set role lan
set interface "port9"
set vlanid 300
next

edit "VLAN400"
set vdom "root"
set role lan
set interface "port9"
set vlanid 400
next

end

For the configuration involving the Zones:

config system zone
edit "3VLANs"
set interface "VLAN100" "VLAN200" "VLAN300"
next
end

create zone.PNG

There will only be one source interface when using a Zone.

config firewall policy
edit x
set name "3to1"
set srcintf "3VLANs"
set dstintf "VLAN400"
set action accept

set schedule "always"

set service "ALL"

set srcaddr "all"
set dstaddr "all"
end

For the configuration involving separate VLAN interfaces:

config firewall policy
edit x
set name "3to1"
set srcintf "VLAN100" "VLAN200" "VLAN300"
set dstintf "VLAN400"
set action accept

set schedule "always"

set service "ALL"

set srcaddr "all"
set dstaddr "all"
end

When the multiple interfaces are configured in a single policy, 'Interface Pair View' is also disabled.

Technical Tip: Configure one rule to allow multiple VLANs to communicate to one VLANs

You are leaving our website