Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Allowing traffic between 2 Vlan switches

Device is FG-60F running the latest 7.4 firmware.


I have 2 vlan switches set up.  One routes traffic to wan1 and the other to wan2.  I set up policies and routing policies for them and both are working fine.


Vlan switch 1 services subnet and vlan switch 2 services subnet


What I need to do is allow traffic between the two subnets.


When I set up firewall policies to allow traffic between source vlan switch 2 destination vlan switch 1, I can ping and access from the subnet, but I can't see any of the other devices/IPs on the subnet.  Same thing with firewall policy source vlan switch 1 destination vlan switch 2.


Firewall policies:


Fortinet_Gateway (14) # show
config firewall policy
edit 14
set name "Vlan1"
set uuid 3961879a-900e-51ee-e003-307188be460d
set srcintf "internal"
set dstintf "Internal wan2"
set action accept
set srcaddr "internal"
set dstaddr "Internal wan2 address"
set schedule "always"
set service "ALL"
set profile-protocol-options "test"
set nat enable

Fortinet_Gateway # config firewall policy

Fortinet_Gateway (policy) # edit 15

Fortinet_Gateway (15) # show
config firewall policy
edit 15
set name "Vlan2"
set uuid 6964594a-900e-51ee-fb76-e2b129d79f1e
set srcintf "Internal wan2"
set dstintf "internal"
set action accept
set srcaddr "Internal wan2 address"
set dstaddr "internal"
set schedule "always"
set service "ALL"
set profile-protocol-options "test"
set comments " (Copy of InterVlan)"


Ok, so what am I doing wrong here?



New Contributor

Fortinet_Gateway (internal) # show
config system interface
edit "internal"
set vdom "root"
set ip
set allowaccess ping https ssh fgfm fabric
set type hard-switch
set stp enable
set role lan
set snmp-index 15


The only configured route is from internal1 to wan1 with a corresponding policy route.


Devices connected to internal can properly access the internet.



Then you should run a sniffer and a traffic flow trace to see if the traffic is matching the policy and is leaving the FGT interface Internal wan2.

Please check these articles:

diag debug reset

diag debug console timestamp enable

diag debug flow show iprope enable

diag debug flow filter addr <IP>  <----- Filter for source IP

diag debug flow trace start 20000

diag debug flow filter port 80 443

diag debug enable


diag sniffer packet any "host <IP>" 6 0 l


- Happy to help, hit like and accept the solution -
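As an added example, not code from the original post or from Fortinet: a small Python parser for the 'diag debug flow' output the reply above asks for. It groups lines by trace_id, pulls out the ingress interface, the routed egress interface, the policy verdict and whether source NAT was applied, then flags what a practitioner would want to see for LAN-to-LAN traffic. The sample trace is constructed to follow the FortiOS message formats ("received a packet(...)", "find a route: ... via ...", "Allowed by Policy-N", "Denied by forward policy check (policy 0)", "SNAT a->b:port"); it reuses the poster's interface names "internal" and "Internal wan2", but the 192.168.x.x addresses, ports and session ids are hypothetical and are not the poster's. One detail visible in the posted config is that policy 14 has "set nat enable" while policy 15 does not; with NAT on and no IP pool, FortiOS rewrites the source to the egress interface address, so hosts on the "Internal wan2" side see the FortiGate rather than the real client, and the checker reports that as a finding.

```python
"""Summarise FortiOS 'diag debug flow' output per trace_id and flag
anomalies for traffic between two LAN-side interfaces."""
import re
from collections import OrderedDict

# Constructed sample trace (hypothetical hosts, ports and session ids);
# the message formats follow what 'diag debug flow' prints.
SAMPLE_TRACE = """\
2024-01-15 10:00:01 id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->192.168.2.10:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=1."
2024-01-15 10:00:01 id=20085 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-0000055a, tun_id=0.0.0.0"
2024-01-15 10:00:01 id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.2.10 via Internal wan2"
2024-01-15 10:00:01 id=20085 trace_id=1 func=fw_forward_handler line=887 msg="Allowed by Policy-14: SNAT"
2024-01-15 10:00:01 id=20085 trace_id=1 func=__ip_session_run_tuple line=3487 msg="SNAT 192.168.1.10->192.168.2.1:1"
2024-01-15 10:00:02 id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 192.168.2.20:51234->192.168.1.10:445) tun_id=0.0.0.0 from Internal wan2. flag [S], seq 1000, ack 0, win 64240"
2024-01-15 10:00:02 id=20085 trace_id=2 func=init_ip_session_common line=6076 msg="allocate a new session-0000055b, tun_id=0.0.0.0"
2024-01-15 10:00:02 id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.1.10 via internal"
2024-01-15 10:00:02 id=20085 trace_id=2 func=fw_forward_handler line=887 msg="Allowed by Policy-15: AV"
2024-01-15 10:00:03 id=20085 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:40022->192.168.3.5:443) tun_id=0.0.0.0 from internal. flag [S], seq 2222, ack 0, win 64240"
2024-01-15 10:00:03 id=20085 trace_id=3 func=init_ip_session_common line=6076 msg="allocate a new session-0000055c, tun_id=0.0.0.0"
2024-01-15 10:00:03 id=20085 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-203.0.113.1 via wan2"
2024-01-15 10:00:03 id=20085 trace_id=3 func=fw_forward_handler line=887 msg="Denied by forward policy check (policy 0)"
"""

RE_TRACE = re.compile(r'trace_id=(?P<tid>\d+) .*?msg="(?P<msg>.*)"\s*$')
# Interface names may contain spaces ("Internal wan2"), so match up to the
# period that FortiOS prints after the name, not up to the first space.
RE_PKT = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) '
    r'.*?from (?P<ingress>.+?)\.(?:\s|$)')
RE_ROUTE = re.compile(r'find a route: flag=\w+ gw-(?P<gw>[\d.]+) via (?P<egress>.+)$')
RE_ALLOW = re.compile(r'Allowed by Policy-(?P<pid>\d+)(?::\s*(?P<tags>.+))?$')
RE_DENY = re.compile(r'Denied by forward policy check \(policy (?P<pid>\d+)\)')
RE_SNAT = re.compile(r'^SNAT (?P<orig>[\d.]+)->(?P<nat>[\d.]+):(?P<port>\d+)$')


def parse_flow(text):
    """Return an ordered dict: trace_id -> fields extracted from that trace."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = RE_TRACE.search(line)
        if not m:
            continue
        tid, msg = int(m.group("tid")), m.group("msg")
        t = traces.setdefault(tid, {"policy": None, "verdict": None,
                                    "egress": None, "snat": None})
        if (p := RE_PKT.search(msg)):
            t.update(proto=int(p["proto"]), src=p["src"], sport=int(p["sport"]),
                     dst=p["dst"], dport=int(p["dport"]), ingress=p["ingress"])
        elif (r := RE_ROUTE.search(msg)):
            t["egress"] = r["egress"].strip()
        elif (a := RE_ALLOW.search(msg)):
            t["policy"], t["verdict"], t["tags"] = int(a["pid"]), "allow", a["tags"] or ""
        elif (d := RE_DENY.search(msg)):
            t["policy"], t["verdict"] = int(d["pid"]), "deny"
        elif (s := RE_SNAT.search(msg)):
            t["snat"] = s["nat"]
    return traces


def check_intervlan(traces, lan_ifaces):
    """For traces that entered on a LAN interface, list anything that would
    explain hosts on the far VLAN not seeing the real client: a deny, an
    egress that is not the other LAN interface, or source NAT applied."""
    findings = {}
    for tid, t in traces.items():
        if t.get("ingress") not in lan_ifaces:
            continue
        notes = []
        if t["verdict"] == "deny":
            notes.append(f"denied by policy {t['policy']}")
        elif t["verdict"] is None:
            notes.append("no policy decision in trace")
        if t["egress"] not in lan_ifaces:
            notes.append(f"egress {t['egress']!r} is not a LAN interface")
        if t["snat"]:
            notes.append(f"SNAT to {t['snat']} (policy {t['policy']} has nat enabled)")
        findings[tid] = notes
    return findings


if __name__ == "__main__":
    parsed = parse_flow(SAMPLE_TRACE)
    for tid, t in parsed.items():
        print(tid, t.get("src"), "->", t.get("dst"), t.get("ingress"), "=>",
              t["egress"], t["verdict"], t["policy"], "snat:", t["snat"])
    for tid, notes in check_intervlan(parsed, {"internal", "Internal wan2"}).items():
        print(tid, notes or "ok")
```

Run it against a real capture by pasting the console output into SAMPLE_TRACE or reading it from a file; pass the names of both VLAN-switch interfaces to check_intervlan so that a trace leaving via wan1 or wan2 (a policy route or the default route winning over the connected route) shows up as a finding rather than going unnoticed.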