rezafathi
Contributor

Allowing Inter-Vlan Communication

Hi,

 

I am trying to allow inter-VLAN communication in the firewall policy and wrote this policy. Is it correct?

 

# Reviewer notes are the '#'-prefixed lines; drop them if the CLI you paste
# into does not ignore '#' lines.
# Policy 6 accepts traffic between every listed VLAN interface, in both
# directions, for any service, with no security profiles applied.
config firewall policy
    edit 6
        set status enable
        set name "Vlan--->Vlan"
        set uuid 19f0b5c8-93f3-51ee-dc48-59756c056159
        # Twelve ingress and twelve egress interfaces on a single policy. The
        # thread says the "multiple interface" option was enabled in Feature
        # Visibility for this; a zone containing the same VLANs would express
        # it with one srcintf/dstintf entry and keep the interface-pair view.
        set srcintf "Vlan3" "Vlan20" "Vlan30" "Vlan40" "Vlan50" "Vlan60" "Vlan70" "Vlan90" "Vlan100" "Vlan101" "Vlan110" "Vlan172"
        set dstintf "Vlan3" "Vlan20" "Vlan30" "Vlan40" "Vlan50" "Vlan60" "Vlan70" "Vlan90" "Vlan100" "Vlan101" "Vlan110" "Vlan172"
        set action accept
        set nat64 disable
        set nat46 disable
        set ztna-status disable
        # srcaddr and dstaddr are the same twelve address objects, so this is
        # effectively any-VLAN-to-any-VLAN. NOTE(review): the objects' contents
        # are not shown in the thread; confirm each one covers only its own
        # VLAN subnet and not a broader range.
        set srcaddr "Vlan100 address" "Vlan101 address" "Vlan110 address" "Vlan172 address" "Vlan20 address" "Vlan3 address" "Vlan30 address" "Vlan40 address" "Vlan50 address" "Vlan60 address" "Vlan70 address" "Vlan90 address"
        set dstaddr "Vlan100 address" "Vlan101 address" "Vlan110 address" "Vlan172 address" "Vlan20 address" "Vlan3 address" "Vlan30 address" "Vlan40 address" "Vlan50 address" "Vlan60 address" "Vlan70 address" "Vlan90 address"
        set internet-service disable
        set internet-service-src disable
        unset reputation-minimum
        set internet-service6 disable
        set internet-service6-src disable
        unset reputation-minimum6
        set rtp-nat disable
        # No time-of-day restriction.
        set schedule "always"
        set schedule-timeout disable
        set policy-expiry disable
        # "ALL" permits every protocol and port between the VLANs, which gives
        # up the segmentation the VLANs were created for. A service group
        # listing only what genuinely needs to cross VLAN boundaries keeps the
        # single-policy layout while restoring that separation.
        set service "ALL"
        set tos-mask 0x00
        set anti-replay enable
        set dynamic-shaping disable
        set passive-wan-health-measurement disable
        # No security profiles are applied to the inter-VLAN traffic.
        set utm-status disable
        set inspection-mode flow
        set profile-protocol-options "default"
        set ssl-ssh-profile "no-inspection"
        # NOTE(review): with utm-status disabled, "logtraffic utm" appears to
        # leave accepted sessions unlogged, so there is no record of which
        # hosts talked across VLANs — confirm; "logtraffic all" records them.
        set logtraffic utm
        set logtraffic-start disable
        set capture-packet disable
        set auto-asic-offload enable
        set np-acceleration enable
        # Plain routing between VLANs, no address translation; natip below is
        # presumably not applied while nat is disabled — verify if nat is
        # ever enabled on this policy.
        set nat disable
        set pcp-inbound disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set fec disable
        set wccp disable
        set disclaimer disable
        set email-collect disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-copy disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        # Empty; a comment stating the policy's purpose and owner helps the
        # next person reviewing the policy table.
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set srcaddr6-negate disable
        set dstaddr-negate disable
        set dstaddr6-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
    next
end
Reza F.
hbac

Hi @rezafathi

 

Yes, it will, as long as the incoming/outgoing interfaces and source/destination addresses are configured correctly.

 

Regards, 


amuda
rezafathi

Thanks. I have 10 VLANs; if I create a policy for each of them there would be a lot of policies. So I put all VLANs in the source and all VLANs in the destination. Is that going to work?

Reza F.
rezafathi
Contributor

I enabled the multiple-interface option in Feature Visibility. Is that going to work?

Reza F.
hbac

Hi @rezafathi

 

Yes, it will, as long as the incoming/outgoing interfaces and source/destination addresses are configured correctly.

 

Regards, 

maulishshah

@rezafathi, yes, that would also work, or you can group the VLANs into a zone and apply specific source and destination addresses to the policy to pass the traffic. That way you avoid listing multiple interfaces per policy.

 

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/116821/zone

Maulish Shah
ede_pfau
Esteemed Contributor III

I would not use the "multiple interface" option at all. You will lose the "grouped by interface pair" view, making troubleshooting and maintenance more difficult (you will deal with the policy table as a whole rather than with a restricted sub-section of it).

If you put all VLAN interfaces into a zone and allow "inter-zone traffic", you should have achieved your goal. But additionally, I would create one policy from "zone" to "zone", with the same address group "my VLANs" as source and destination, and potentially restrictions on services (the posted policy allows service "ALL"), plus some UTM, for clarity and documentation. Someone troubleshooting without close prior knowledge of the network would not think to check which zones have this parameter enabled.

 

Zones are practical in policies, but alas nowhere else - not in static routes, VIPs etc. They group interfaces/LANs which are treated identically policy-wise.


Ede

"Kernel panic: Aiee, killing interrupt handler!"