After setting ACLs, traffic is blocked from both VLANs, but it should not be
I have a FortiSwitch 448E with firmware 7.0.1 in standalone mode. For security reasons I would like to configure ACLs on the switch for my DMZ VLAN. ACLs work, but if I do that I can't access the DMZ VLAN anymore. So here is my configuration. What would I like to do, what is the goal? (only one little example)
Two VLANs: VLAN 10 internal and VLAN 20 DMZ
All traffic from VLAN 20 to VLAN 10 is to be blocked, except LDAP and DNS to the domain controller master server. So first I have set the allow rules, and after them the blocks.
edit 3
    config action
        set count enable
    end
    config classifier
        set dst-ip-prefix 172.16.66.1 255.255.255.255
        set service "UCS-LDAP"
        set src-ip-prefix 172.16.80.0 255.255.255.0
        set vlan-id 20
    end
    set description "Allow VLAN20 dmz to LDAP dc1 Master"
    set ingress-interface-all enable
next

edit 9
    config action
        set count enable
    end
    config classifier
        set dst-ip-prefix 172.16.66.1 255.255.255.255
        set service "DNS_TCP"
        set src-ip-prefix 172.16.80.0 255.255.255.0
        set vlan-id 20
    end
    set description "Allow VLAN20 dmz to DNS dc1 Master"
    set ingress-interface-all enable
next

edit 46
    config action
        set count enable
        set drop enable
    end
    config classifier
        set dst-ip-prefix 172.16.66.0 255.255.255.0
        set service "ALL"
        set vlan-id 20
    end
    set description "Block all Traffic from VLAN20 dmz to vlan10 internal"
    set ingress-interface-all enable
next
These are virtual machines. All VLANs are tagged on the interfaces of the virtualization host. The communication works. But if I activate the block rule, I can no longer access VLAN 20 from VLAN 10.
As it looks, the IP packets no longer find their way back. With the HP switch I had, there was the so-called "established" flag in the ACLs. But I found nothing comparable for the FortiSwitch.
I have internally checked the scenario you described. ACLs are stateless on FSW, so the match criteria for one traffic direction must be different from those for the other; otherwise, traffic is dropped in both directions.
If you want more complex control of the traffic, please use a FortiGate firewall.
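To make the stateless point concrete, here is a small added simulation (not code from the thread or from Fortinet) of an ingress ACL evaluating the three entries from the post against constructed frames. It assumes first-match ordering by entry id, that a frame matching no entry is forwarded, and that "UCS-LDAP" and "DNS_TCP" are tcp/389 and tcp/53; the reply frame shows why a block on all VLAN 20 to 172.16.66.0/24 traffic also kills sessions that internal hosts initiate.

```python
from ipaddress import ip_address, ip_network

# Classifier fields of the three ACL entries in the post; None means the field
# was not set and so matches anything. Service ports are an assumption, since
# the service objects themselves are not shown in the thread.
RULES = [
    {"id": 3,  "vlan": 20, "src": "172.16.80.0/24", "dst": "172.16.66.1/32", "svc": ("tcp", 389), "drop": False},
    {"id": 9,  "vlan": 20, "src": "172.16.80.0/24", "dst": "172.16.66.1/32", "svc": ("tcp", 53),  "drop": False},
    {"id": 46, "vlan": 20, "src": None,             "dst": "172.16.66.0/24", "svc": None,         "drop": True},
]

def packet(vlan, src, dst, proto="tcp", dport=0):
    """A constructed frame as the ingress ACL sees it: VLAN tag plus L3/L4 header."""
    return {"vlan": vlan, "src": src, "dst": dst, "proto": proto, "dport": dport}

def matches(rule, p):
    if rule["vlan"] is not None and p["vlan"] != rule["vlan"]:
        return False
    if rule["src"] and ip_address(p["src"]) not in ip_network(rule["src"]):
        return False
    if rule["dst"] and ip_address(p["dst"]) not in ip_network(rule["dst"]):
        return False
    if rule["svc"] and (p["proto"], p["dport"]) != rule["svc"]:
        return False
    return True

def verdict(p, rules=RULES):
    """Stateless first-match evaluation (assumed ordering): each frame is judged
    on its own header alone; there is no session table that could tie a reply
    to the request that caused it. A frame matching no entry is forwarded."""
    for r in rules:
        if matches(r, p):
            return ("drop" if r["drop"] else "allow", r["id"])
    return ("allow", None)

# 1. DMZ host queries LDAP on the DC master: hits allow entry 3.
ldap = packet(20, "172.16.80.10", "172.16.66.1", "tcp", 389)
# 2. Internal host opens a session to a DMZ host: arrives on VLAN 10,
#    no entry has vlan-id 10, so it is forwarded.
request = packet(10, "172.16.66.50", "172.16.80.10", "tcp", 22)
# 3. The DMZ host's reply: ingress on VLAN 20 with a destination in
#    172.16.66.0/24, so block entry 46 drops it and the session never
#    completes, which is the symptom described in the post.
reply = packet(20, "172.16.80.10", "172.16.66.50", "tcp", 50123)

if __name__ == "__main__":
    for name, p in [("ldap", ldap), ("request", request), ("reply", reply)]:
        print(name, verdict(p))
```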
It is very surprising that a switch in this class cannot do this. A pity.