FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ManpreetSingh
Article Id 405085
Description This article describes how to block intra-VLAN traffic at the FortiSwitch level and force all traffic between devices in the same VLAN to be routed through the FortiGate. This setup allows security inspection, logging, and policy enforcement on traffic that would normally bypass the firewall when directly switched.
Scope FortiGate, FortiSwitch.
Solution

Intra-VLAN traffic can be blocked by directing all client communication through the FortiGate, thereby eliminating direct Layer 2 visibility between hosts on the same VLAN. In this mode, client-to-client communication occurs only through the FortiGate interface, allowing security policies to be applied, including access control, VLAN reassignment, and traffic inspection.

The option to block intra-VLAN traffic can be controlled per VLAN using the intra-vlan-traffic setting. When set to enable, traffic is allowed only between the FortiGate and connected devices, while direct port-to-port communication on the same VLAN is blocked. When set to disable, standard Layer 2 switching is permitted.

In the GUI: [screenshot of the VLAN interface option]

Using the CLI:

config system interface
    edit <VLAN name>
        set switch-controller-access-vlan enable
    next
end

The default value of 'switch-controller-access-vlan' is disable, which allows normal Layer 2 switching within the VLAN.

If IntraVLAN Blocked is enabled, a firewall policy must be created with the same VLAN interface as both ingress and egress interface to allow traffic flow.

When intra-VLAN blocking is enabled and the appropriate firewall policies are configured on the FortiGate, only unicast traffic is allowed to pass between clients. Broadcast and multicast traffic is not forwarded, even if policies permit it, and IPv6 is not supported between clients while intra-VLAN traffic blocking is enabled. This is by design.

Note:

When blocking intra-VLAN traffic on a FortiGate, and the ingress and egress interfaces are the same, the global setting allow-traffic-redirect must remain enabled to permit traffic redirection through the FortiGate.

config system global
    set allow-traffic-redirect enable
end

The default value of 'allow-traffic-redirect' is enable; verify that it has not been changed to disable. More details about 'allow-traffic-redirect' can be read in this article: Technical Tip: Traffic handled by FortiGate for packets with ingress & egress as same interface.
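As an added example (not part of the original article), the complete CLI sequence described above in one place: enabling the block on the VLAN interface, creating the same-interface firewall policy that the hairpinned client-to-client traffic needs, confirming the global redirect setting, and checking the result. The interface name vlan10, the policy name and the use of 'edit 0' (which lets FortiOS assign the next free policy ID) are illustrative choices, not values from the article.

```fortios
# Step 1: block direct Layer 2 switching between clients on the VLAN.
# "vlan10" is a placeholder for the VLAN interface name.
config system interface
    edit "vlan10"
        set switch-controller-access-vlan enable
    next
end

# Step 2: client-to-client traffic now arrives at the FortiGate and
# leaves on the same VLAN interface, so a policy with the same
# srcintf and dstintf is required. Logging is enabled so the traffic
# that previously bypassed the firewall is visible in the traffic log.
# The policy name is illustrative; narrow srcaddr/dstaddr to the
# VLAN's address objects instead of "all" in a production policy.
config firewall policy
    edit 0
        set name "vlan10-intra-vlan"
        set srcintf "vlan10"
        set dstintf "vlan10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Step 3: same-interface redirection must stay enabled (the default).
config system global
    set allow-traffic-redirect enable
end

# Verification: confirm all three settings took effect.
show system interface "vlan10"
show firewall policy
get system global | grep allow-traffic-redirect
```

Only unicast IPv4 traffic is expected to pass through this policy; broadcast, multicast and IPv6 between clients are not forwarded while intra-VLAN blocking is active, as noted above.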