Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ipranger
Contributor

After set ACL's, traffic is blocked from both vlan's, but it should not be so

Hello all,

 

i have here an Fortiswitch 448E with Firmware 7.0.1 in standalone mode. For security reason i would like to configure ACL's on the switch for my DMZ VLAN. ACL's works, but if i do that i can't access the dmz vlan anymore. So here my configuration. What i would like to do, what is the goal? (only one littel example)

 

Two VLAN's: vlan 10 internal and vlan 20 dmz

 

All traffic from vlan 20 to vlan 10 is to be blocked, except LDAP and DNS to the domain controller master server. So first i have set the allow rules, and after the blocks.

 

edit 3
        config action
            set count enable
        end
        config classifier
            set dst-ip-prefix 172.16.66.1 255.255.255.255
            set service "UCS-LDAP"
            set src-ip-prefix 172.16.80.0 255.255.255.0
            set vlan-id 20
        end
        set description "Allow VLAN20 dmz to LDAP dc1 Master"
        set ingress-interface-all enable
    next

edit 9
        config action
            set count enable
        end
        config classifier
            set dst-ip-prefix 172.16.66.1 255.255.255.255
            set service "DNS_TCP"
            set src-ip-prefix 172.16.80.0 255.255.255.0
            set vlan-id 20
        end
        set description "Allow VLAN20 dmz to DNS dc1 Master"
        set ingress-interface-all enable
    next
    
    
edit 46
        config action
            set count enable
            set drop enable
        end
        config classifier
            set dst-ip-prefix 172.16.66.0 255.255.255.0
            set service "ALL"
            set vlan-id 20
        end
        set description "Block all Traffic from VLAN20 dmz to vlan10 internal"
        set ingress-interface-all enable
    next

 

This are virtual machines. All VLAN's are tagged on the interfaces of the virtualization host. The communications wors. But if I activate the block rule, I can no longer access vlan20 from vlan10. As it looks, the IP packets no longer find their way back. With the HP Swicht I had, there was the so-called "established" flag in the ACLs. But I found nothing comparable for the fortiswitch.

 

https://techhub.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch...

 

Please help me to configure the example ACL correctly so that I can implement this point, which is essential for security.

 

Very thanks and best regards ipranger

Fortigate 60E v7.x (GA)

Fortigate 60E v7.x (GA)
3 REPLIES 3
emnoc
Esteemed Contributor III

You do know you are sing a /32 mask on the dst prefix

 

e.g

 

set dst-ip-prefix 172.16.66.1 255.255.255.255

Is that a typo ?

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ipranger

it should be ok. Access to this one Server. It is the Domain Master with LDAP and DNS. The target. Or am I misunderstanding something?

Fortigate 60E v7.x (GA)

Fortigate 60E v7.x (GA)
ipranger

No i have the Answer from Fortinet Support. 

YI have internally checked on the scenario you described. ACLs are stateless on FSW so the match criteria for one traffic direction must be different than for the other, otherwise, traffic is dropped on both directions. If you want more complex control on the traffic, please use Fortigate Firewall. Regards,

It is very surprising that a switch in this class cannot do this. A pity.

Fortigate 60E v7.x (GA)

Fortigate 60E v7.x (GA)
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors