AEK
SuperUser

Allow specific intra-SSID traffic

Hi FGT/FAP admins

I have a SSID in tunnel mode where I enabled "block intra-SSID traffic".

Now I need to allow intra-SSID traffic only between some specific clients on some specific ports. Is there a way to do that? I mean just the same way we do with zones (deny intra-zone traffic then enable exceptions with firewall rules).

7 REPLIES
kaurs
Staff

Hi,

In tunnel mode, the traffic is completely blocked between 2 wireless clients on the same SSID with the block intra-SSID traffic option. Since both clients are connected to the same subnet, a firewall policy may not help here, as policies are supposed to route traffic from one interface to another.

Toshi_Esumi

@kaurs Are WiFi SSIDs different from the SSL VPN case? With SSL VPN, you can control access between users with ssl.root<->ssl.root policies. So I thought it might be possible when you set ssid.interface<->ssid.interface policies.

Toshi

AEK

Yes I think it is different.

With SSL VPN the client-to-client traffic transits through the FW, while (if I'm not wrong) for an SSID it seems it doesn't leave the AP.

  • VPN: client <---> FortiGate <---> client
  • SSID: client <---> AP <---> client

Toshi_Esumi

With a tunnel mode, the user traffic should be tunneled to the controller FGT. Isn't that the case?

Toshi

AEK

Sniffing on the FG when pinging the same subnet shows nothing :(

HarshChavda
Staff

Hello @AEK ,

You can try placing the devices you want to allow communication between on separate SSIDs or VLANs and then set up firewall policies accordingly.

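To make the separate-SSID workaround concrete, here is an added FortiOS CLI example; it is not from the original thread, from Fortinet documentation, or from any of the posters. It assumes two tunnel-mode SSIDs named staff-wifi and printers-wifi (both still blocking peer-to-peer traffic inside each SSID; intra-vap-privacy is the CLI name for the GUI option "Block intra-SSID traffic"), a custom service for TCP 631, and one policy that lets a single staff client reach a single printer on that port only. The interface names, subnets, host addresses (assumed fixed via DHCP reservation) and the passphrase placeholder are all assumptions; lines beginning with # are annotations, not CLI input, and DHCP server configuration for the two subnets is omitted.

```fortios
# Two tunnel-mode SSIDs. "intra-vap-privacy" is the CLI name for the GUI
# option "Block intra-SSID traffic". Names and passphrase are placeholders.
config wireless-controller vap
    edit "staff-wifi"
        set ssid "staff-wifi"
        set security wpa2-only-personal
        set passphrase "REPLACE-ME"
        set intra-vap-privacy enable
        set schedule "always"
    next
    edit "printers-wifi"
        set ssid "printers-wifi"
        set security wpa2-only-personal
        set passphrase "REPLACE-ME"
        set intra-vap-privacy enable
        set schedule "always"
    next
end

# Each tunnel-mode SSID is a FortiGate interface. Give them distinct subnets
# (assumed addressing) so client-to-printer traffic has to cross the firewall.
config system interface
    edit "staff-wifi"
        set ip 10.10.1.1 255.255.255.0
        set allowaccess ping
    next
    edit "printers-wifi"
        set ip 10.10.2.1 255.255.255.0
        set allowaccess ping
    next
end

# Scope the exception to specific hosts (assumed DHCP reservations) and port.
config firewall address
    edit "staff-laptop"
        set subnet 10.10.1.20 255.255.255.255
    next
    edit "office-printer"
        set subnet 10.10.2.10 255.255.255.255
    next
end

config firewall service custom
    edit "IPP-631"
        set tcp-portrange 631
    next
end

# The only policy between the two SSIDs. Everything else falls to the implicit
# deny, and intra-vap-privacy still blocks peers within the same SSID.
config firewall policy
    edit 0
        set name "staff-to-printer-ipp"
        set srcintf "staff-wifi"
        set dstintf "printers-wifi"
        set srcaddr "staff-laptop"
        set dstaddr "office-printer"
        set action accept
        set schedule "always"
        set service "IPP-631"
        set logtraffic all
    next
end

# Verification: unlike the same-SSID ping described in the thread, this
# traffic is visible on the controller because it traverses the FortiGate.
diagnose sniffer packet staff-wifi 'host 10.10.2.10 and tcp port 631' 4 10
```

The point of the split is that a policy can only act on traffic that enters the FortiGate on one interface and leaves on another; once the two groups of clients sit on separate SSID interfaces, the intra-zone-style model from the question (deny by default, allow specific exceptions) applies normally, and the logtraffic setting gives you a record of what was allowed.
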
AEK

Hello Harsh

That will work indeed, but my requirement is to do it on the same SSID.
