Hi,
I ma trying to allow inter-vlan communication in firewall policy and wrote this policy. is that correct?
config firewall policy
edit 6
set status enable
set name "Vlan--->Vlan"
set uuid 19f0b5c8-93f3-51ee-dc48-59756c056159
set srcintf "Vlan3" "Vlan20" "Vlan30" "Vlan40" "Vlan50" "Vlan60" "Vlan70" "Vlan90" "Vlan100" "Vlan101" "Vlan110" "Vlan172"
set dstintf "Vlan3" "Vlan20" "Vlan30" "Vlan40" "Vlan50" "Vlan60" "Vlan70" "Vlan90" "Vlan100" "Vlan101" "Vlan110" "Vlan172"
set action accept
set nat64 disable
set nat46 disable
set ztna-status disable
set srcaddr "Vlan100 address" "Vlan101 address" "Vlan110 address" "Vlan172 address" "Vlan20 address" "Vlan3 address" "Vlan30 address" "Vlan40 address" "Vlan50 address" "Vlan60 address" "Vlan70 address" "Vlan90 address"
set dstaddr "Vlan100 address" "Vlan101 address" "Vlan110 address" "Vlan172 address" "Vlan20 address" "Vlan3 address" "Vlan30 address" "Vlan40 address" "Vlan50 address" "Vlan60 address" "Vlan70 address" "Vlan90 address"
set internet-service disable
set internet-service-src disable
unset reputation-minimum
set internet-service6 disable
set internet-service6-src disable
unset reputation-minimum6
set rtp-nat disable
set schedule "always"
set schedule-timeout disable
set policy-expiry disable
set service "ALL"
set tos-mask 0x00
set anti-replay enable
set dynamic-shaping disable
set passive-wan-health-measurement disable
set utm-status disable
set inspection-mode flow
set profile-protocol-options "default"
set ssl-ssh-profile "no-inspection"
set logtraffic utm
set logtraffic-start disable
set capture-packet disable
set auto-asic-offload enable
set np-acceleration enable
set nat disable
set pcp-inbound disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set fec disable
set wccp disable
set disclaimer disable
set email-collect disable
set natip 0.0.0.0 0.0.0.0
set diffserv-copy disable
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set srcaddr6-negate disable
set dstaddr-negate disable
set dstaddr6-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set dsri disable
set radius-mac-auth-bypass disable
set delay-tcp-npu-session disable
unset vlan-filter
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
next
end
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @rezafathi,
Yes, it will. As long as the incoming/outgoing interfaces and source/destination addresses are configured correctly.
Regards,
Hi Reza,
Were you referring to this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-Inter-VLAN-Routing/ta-p/275524
Thanks. I have 10 vlans if i want to create policy for each of them there would be plenty of policies. So I put all vlans in source and all vlans on destination. is that going to work?
I enabled multiple interface in feature visibility. is that going to work?
Hi @rezafathi,
Yes, it will. As long as the incoming/outgoing interfaces and source/destination addresses are configured correctly.
Regards,
@rezafathi , Yes that would also work or you can merge vlans to a particular zone and apply specific source and destination to policy to pass the traffic. In this way you can reduce multiple interfaces per policy.
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/116821/zone
I would not use the "multiple interface" option at all. You will lose the "grouped by interface pair" view, making troubleshooting and maintenance more difficult (as you will deal with the policy table as a whole, and not with a restricted sub section only).
If you put all VLAN interfaces into a zone, and allow "inter-zone traffic", you should have achieved your goal. But additionally, I would create one policy from "zone" to "zone", with the same address group "my VLANs" as source and destination, and potentially restrictions on services, plus some UTM, for clarity and documentation. Nobody would look up all zones used for this parameter being enabled if they were troubleshooting, without prior close knowledge of the network.
Zones are practical in policies, but alas nowhere else - not in static routes, VIPs etc. They group interfaces/LANs which are treated identically policy-wise.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.