Hi FGT/FAP admins
I have an SSID in tunnel mode where I enabled "block intra-SSID traffic".
Now I need to allow intra-SSID traffic only between some specific clients on some specific ports. Is there a way to do that? I mean just the same way we do with zones (deny intra-zone traffic then enable exceptions with firewall rules).
Hi,
In tunnel mode, the traffic is completely blocked between 2 wireless clients on the same SSID with the block intra-SSID traffic option. Since both clients are connected to the same subnet, a firewall policy may not help here, as policies are supposed to route traffic from one interface to another.
@kaurs Are WiFi SSIDs different from the SSL VPN case? With SSL VPN, you can control access between users with ssl.root<->ssl.root policies. So I thought it might be possible when you set ssid.interface<->ssid.interface policies.
Toshi
Yes I think it is different.
With SSL VPN the client-to-client traffic transits through the FW, while (if I'm not wrong) for SSID it seems it doesn't leave the AP.
With a tunnel mode, the user traffic should be tunneled to the controller FGT. Isn't that the case?
Toshi
Sniffing on the FG when pinging the same subnet shows nothing :(
Hello @AEK,
You can try placing the devices you want to allow communication between on separate SSIDs or VLANs and then set up firewall policies accordingly.
Hello Harsh
That will work indeed, but my requirement is to do it on the same SSID.
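Harsh's workaround (separate SSIDs, intra-SSID traffic blocked on each, an explicit firewall policy for the one allowed flow), written out as an added FortiOS CLI example that is not from any poster in this thread; the VAP names, SSIDs, subnets, client addresses and the chosen service are assumptions.

```fortios
# Added example (assumed names throughout). Two tunnel-mode SSIDs, each with
# intra-SSID traffic blocked; only client-a -> client-b on SSH crosses the FGT.
config wireless-controller vap
    edit "wifi-a"
        set ssid "corp-a"
        set security wpa2-only-personal
        set passphrase "<assumed-psk-a>"
        set intra-vap-privacy enable   # block client-to-client traffic inside this SSID
    next
    edit "wifi-b"
        set ssid "corp-b"
        set security wpa2-only-personal
        set passphrase "<assumed-psk-b>"
        set intra-vap-privacy enable
    next
end
# Each SSID gets its own subnet so the FortiGate is in the path between them.
config system interface
    edit "wifi-a"
        set ip 10.10.1.1 255.255.255.0
    next
    edit "wifi-b"
        set ip 10.10.2.1 255.255.255.0
    next
end
# Host objects for the two clients that are allowed to talk (assumed addresses).
config firewall address
    edit "client-a"
        set subnet 10.10.1.50 255.255.255.255
    next
    edit "client-b"
        set subnet 10.10.2.50 255.255.255.255
    next
end
# The single exception; everything else between the SSIDs hits the implicit deny.
config firewall policy
    edit 0
        set name "allow-client-a-to-b-ssh"
        set srcintf "wifi-a"
        set dstintf "wifi-b"
        set srcaddr "client-a"
        set dstaddr "client-b"
        set service "SSH"
        set schedule "always"
        set action accept
        set logtraffic all           # log the exception so the allowed flow is visible
    next
end
```

With this layout, `diagnose sniffer packet` on the FortiGate shows the inter-SSID traffic, unlike the same-SSID case described above, because the two clients are no longer on one subnet behind the AP.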