Hello all,
i have here an Fortiswitch 448E with Firmware 7.0.1 in standalone mode. For security reason i would like to configure ACL's on the switch for my DMZ VLAN. ACL's works, but if i do that i can't access the dmz vlan anymore. So here my configuration. What i would like to do, what is the goal? (only one littel example)
Two VLAN's: vlan 10 internal and vlan 20 dmz
All traffic from vlan 20 to vlan 10 is to be blocked, except LDAP and DNS to the domain controller master server. So first i have set the allow rules, and after the blocks.
edit 3
config action
set count enable
end
config classifier
set dst-ip-prefix 172.16.66.1 255.255.255.255
set service "UCS-LDAP"
set src-ip-prefix 172.16.80.0 255.255.255.0
set vlan-id 20
end
set description "Allow VLAN20 dmz to LDAP dc1 Master"
set ingress-interface-all enable
next
edit 9
config action
set count enable
end
config classifier
set dst-ip-prefix 172.16.66.1 255.255.255.255
set service "DNS_TCP"
set src-ip-prefix 172.16.80.0 255.255.255.0
set vlan-id 20
end
set description "Allow VLAN20 dmz to DNS dc1 Master"
set ingress-interface-all enable
next
edit 46
config action
set count enable
set drop enable
end
config classifier
set dst-ip-prefix 172.16.66.0 255.255.255.0
set service "ALL"
set vlan-id 20
end
set description "Block all Traffic from VLAN20 dmz to vlan10 internal"
set ingress-interface-all enable
next
This are virtual machines. All VLAN's are tagged on the interfaces of the virtualization host. The communications wors. But if I activate the block rule, I can no longer access vlan20 from vlan10. As it looks, the IP packets no longer find their way back. With the HP Swicht I had, there was the so-called "established" flag in the ACLs. But I found nothing comparable for the fortiswitch.
Please help me to configure the example ACL correctly so that I can implement this point, which is essential for security.
Very thanks and best regards ipranger
Fortigate 60E v7.x (GA)
You do know you are sing a /32 mask on the dst prefix
e.g
set dst-ip-prefix 172.16.66.1 255.255.255.255
Is that a typo ?
Ken Felix
PCNSE
NSE
StrongSwan
it should be ok. Access to this one Server. It is the Domain Master with LDAP and DNS. The target. Or am I misunderstanding something?
Fortigate 60E v7.x (GA)
No i have the Answer from Fortinet Support.
It is very surprising that a switch in this class cannot do this. A pity.YI have internally checked on the scenario you described. ACLs are stateless on FSW so the match criteria for one traffic direction must be different than for the other, otherwise, traffic is dropped on both directions. If you want more complex control on the traffic, please use Fortigate Firewall. Regards,
Fortigate 60E v7.x (GA)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1736 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.