This article describes how to enable blocking of intra-zone traffic for default mappings in zone objects on FortiManager. By default, intra-zone traffic (traffic between interfaces that are members of the same zone) for default mappings is allowed. It is highly recommended to disable this behavior if it is not explicitly needed.
On FortiManager prior to v6.0.2 there is no GUI option to enable this behavior (see below for an example on FMG v5.6.5):
In order to enable the blocking of intra-zone traffic for default mappings, run a script on the Policy Package and ADOM. The script enables the “defmap-intrazone-deny” setting for the respective zone interface, in this case “Internal”.
Here is the template for copy-paste (replace <zone interface name> with the name of the zone, e.g. Internal; the “next” and “end” lines are required to close the entry and the table):
config dynamic interface
    edit <zone interface name>
        set defmap-intrazone-deny enable
    next
end
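The following Python example is added here to illustrate both steps of the procedure above (generating the CLI script for several zones, and then auditing which zones still allow intra-zone traffic); it is not part of the original article nor Fortinet code. It builds FortiManager JSON-RPC request bodies (the /sys/login/user and /jsonrpc conventions are standard; the object path /pm/config/adom/<adom>/obj/dynamic/interface and the encoding of “enable” as the integer 1 are assumptions to verify against the JSON API reference for your version). The zone names and the sample GET response are constructed so the audit logic runs offline without a FortiManager.

```python
import json

# Constructed sample values; replace with your own ADOM and zone names.
ADOM = "root"
ZONES_TO_HARDEN = ["Internal", "DMZ", "Guest"]

# Assumed JSON-RPC path for zone (dynamic interface) objects.
DYNAMIC_INTERFACE_URL = "/pm/config/adom/{adom}/obj/dynamic/interface"


def cli_script(zones):
    """Render the article's CLI template for every zone in 'zones'.
    The result is what you would paste into a FortiManager CLI script."""
    lines = ["config dynamic interface"]
    for zone in zones:
        lines += [f"    edit {zone}", "        set defmap-intrazone-deny enable", "    next"]
    lines.append("end")
    return "\n".join(lines)


def login_request(user, passwd):
    """JSON-RPC login body; the response carries the session token."""
    return {"id": 1, "method": "exec",
            "params": [{"url": "/sys/login/user",
                        "data": {"user": user, "passwd": passwd}}]}


def get_zones_request(session, adom=ADOM):
    """JSON-RPC body that reads all zone objects of the ADOM."""
    return {"id": 2, "method": "get", "session": session,
            "params": [{"url": DYNAMIC_INTERFACE_URL.format(adom=adom)}]}


def deny_intrazone_request(session, zone, adom=ADOM):
    """Equivalent of 'set defmap-intrazone-deny enable' for one zone.
    Assumption: the JSON API encodes 'enable' as 1."""
    url = f"{DYNAMIC_INTERFACE_URL.format(adom=adom)}/{zone}"
    return {"id": 3, "method": "update", "session": session,
            "params": [{"url": url, "data": {"defmap-intrazone-deny": 1}}]}


def zones_allowing_intrazone(get_response):
    """Audit step: return the zone names whose default mapping still permits
    intra-zone traffic (setting absent or not equal to 1)."""
    zones = get_response["result"][0]["data"]
    return sorted(z["name"] for z in zones
                  if int(z.get("defmap-intrazone-deny", 0)) != 1)


def remediation_requests(session, get_response, adom=ADOM):
    """Build one update request per non-compliant zone found by the audit."""
    return [deny_intrazone_request(session, z, adom)
            for z in zones_allowing_intrazone(get_response)]


# Constructed sample GET response in the shape FortiManager returns:
# "Internal" is already hardened, "DMZ" is explicitly disabled, "Guest"
# never had the setting written.
SAMPLE_GET_RESPONSE = {
    "id": 2,
    "result": [{
        "status": {"code": 0, "message": "OK"},
        "url": DYNAMIC_INTERFACE_URL.format(adom=ADOM),
        "data": [
            {"name": "Internal", "defmap-intrazone-deny": 1},
            {"name": "DMZ", "defmap-intrazone-deny": 0},
            {"name": "Guest"},
        ],
    }],
}

if __name__ == "__main__":
    print(cli_script(ZONES_TO_HARDEN))
    print("Zones still allowing intra-zone traffic:",
          zones_allowing_intrazone(SAMPLE_GET_RESPONSE))
    for req in remediation_requests("SESSION-PLACEHOLDER", SAMPLE_GET_RESPONSE):
        print(json.dumps(req))
```

In practice the request bodies are POSTed to https://<fortimanager>/jsonrpc with the session value from the login response; run the audit again after the script (or the update requests) has been applied and expect an empty list.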
After the script has been executed, run the following command to verify that the setting has been applied successfully: