Just received the 60e and I have a ASUS 86u wireless router.
Is it possible so that certain wireless users to be put in a security group ( by mac address) so those users can access any of the other internal hosts, and those that are not in the group can only access the internet? There is one un-managed network switch connected to the 60e which has a number of ethernet connected devices, and the wifi AP is connected to a port on the 60e.
I was not sure if I can create a hardware switch and then separate that from the rest of the network for only wifi users. Put the internal and wifi inteface into a new zone, enabled block intra communication and then create a policy that allows the group members access to anything internal.
There are a few ways to accomplish this, but it sounds like you've got a pretty good one planned out. It should work fine! :)
I was was under the impression that even if you create anew interface and plug in the wifi access point to it, all internal lan can still access all resources and vice versa..
what other ways do you recommend?
Perhaps I misunderstood, but it sounds like you already know that out of the box the "internal" network is a hardware switch of all the internal ports, so you were suggesting breaking that apart and putting the wifi router on its own interface, right? This would prevent traffic between the "internal" interfaces and the port you broke apart, unless that traffic is defined in a policy. You further mentioned grouping these into a zone, which would enable them to communicate again unless you block intrazone traffic which you stated you would. So then you'll create an intra zone policy (source and destination "interface" (zone in this case) would be the same) to match the traffic based on device group (Mac addresses).
Other ways to accomplish this include doing everything you listed above except not putting them into a zone and simply creating a policy between the interface for the router and the "internal" hardware switch. Same result in the end. I suppose it might complicate your outbound policies (to the Internet), so in that case the zone is better. You could also further subdivide the FortiGate such that you have even more control over each port's interaction with each other port. This just depends on your needs. Like I said, you have a really good plan in place, so I wasn't meaning before to suggest you do anything different, but confirming that you were on the right track! :)
lobstercreed wrote:Perhaps I misunderstood, but it sounds like you already know that out of the box the "internal" network is a hardware switch of all the internal ports, so you were suggesting breaking that apart and putting the wifi router on its own interface, right? This would prevent traffic between the "internal" interfaces and the port you broke apart, unless that traffic is defined in a policy. You further mentioned grouping these into a zone, which would enable them to communicate again unless you block intrazone traffic which you stated you would. So then you'll create an intra zone policy (source and destination "interface" (zone in this case) would be the same) to match the traffic based on device group (Mac addresses).
Other ways to accomplish this include doing everything you listed above except not putting them into a zone and simply creating a policy between the interface for the router and the "internal" hardware switch. Same result in the end. I suppose it might complicate your outbound policies (to the Internet), so in that case the zone is better. You could also further subdivide the FortiGate such that you have even more control over each port's interaction with each other port. This just depends on your needs. Like I said, you have a really good plan in place, so I wasn't meaning before to suggest you do anything different, but confirming that you were on the right track! :)
After trial and error, I didn't get it!
I did break away the switch, gave the wifi AP it's own port on the Fortinet 60e, and also had DHCP on its own on that device. Internet works fine, and the only issue now is on the main interface with my devices, I cannot access that other interface network the wireless.
I tried create a new policy, to allow my INTERNAL network into WIFI devices. Great.
I tried to create a policy to allow just certain IPs on the wifi network into the internal network. Didn't know how. I have DHCP reservations for those few trusted wifi devices. I tried creating a custom device & group under User & devices, but when I went to the firewall policy and for the source selected the trusted device group, I get this error:
One address, address group, or Internet service is required...
So then I tried to create an address, with that IP, so I could create a group of 2-3 ips that are trusted, but I cannot create an address with an IP, only subnet
Also some how it let me now create an address, but when I put in the address IP, it said
One or more members are associated with an interface (internal). Only addresses that are not associated with an interface, or are associated with internal can be added.
NEVER associate an address with an interface when creating.
Now you know why. You chose the wrong interface. Your wifi device addresses are on the WiFi interface (your SSID).
Delete them and recreate new. Then put them into an address group.
My advice:
forget about the device group. Unless someone fakes one of the reserved addresses you're safe.
ede_pfau wrote:I don't follow. So create the address, but don't put an interface, leave it blank? What is the downside of putting in the interface for the address?NEVER associate an address with an interface when creating.
Now you know why. You chose the wrong interface. Your wifi device addresses are on the WiFi interface (your SSID).
Delete them and recreate new. Then put them into an address group.
My advice:
forget about the device group. Unless someone fakes one of the reserved addresses you're safe.
Not sure what you mean by delete and re-create? What should I delete, the address?
Also, don't use device group? Use addresses? What is the purpose of device groups? It was easier I thought? Right now I have to create a DHCP reservation for the device, then create an address, then put it in the address group. I thought it would be easier to just create the dhcp reservation, add the device to custom group?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.