Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
StangelmayerIT
New Contributor

Block intra network traffic

Hello,

 

i have the following issue.

We are using a Fortigate 500E and our interface port 5 is configured as DMZ.

We want to block the intra DMZ traffic between the servers with a few exceptions. 

I found the VLAN restriction using the CLI command switch-controller-access-vlan but the DMZ is an interface, not a VLAN.

How can we do this?

 

Thanks in advance and best regards,

Dominik Gronau

9 REPLIES 9
akristof
Staff
Staff

Hello,

 

Thank you for your question. If you want to block only traffic between servers that are in same network as dmz interface port5, you will not be. Because in that case traffic between servers is staying in local lan, not reaching FortiGate.

If you have multiple DMZ interfaces and you want to block this traffic (port5 to port6 for example), then normal IPv4 firewall policy will do the trick.

Adrian
StangelmayerIT

Hello Adrian,

 

thanks for your response. That's what i thought, my hope was that there is a possibility like the internal blocking of vlan clients

 

Best regards,

Dominik Gronau

akristof

Hello,

 

I am still not sure which scenario you have. If first when you want to block traffic on same subnet, then FortiGate is not able to block traffic that it doesn't see. So only if you would force all traffic traversing via FortiGate, then you can play with it. But you would need to do some subnet splitting, multiple subnets, etc, which is usually not wanted.

Adrian
Debbie_FTNT

Hey Dominik,

if the DMZ servers are on different vlans, and you have a number of VLAN interfaces on port5, then policies can be applied again, as you're dealing with traffic between interfaces. But the traffic between your DMZ servers MUST reach the FortiGate for it to block anything. If the traffic does not go through the FortiGate, FortiGate has no effect on it.

You might be able to implement something from FortiGate if you have a FortiSwitch between the DMZ servers and FortiGate manages the FortiSwitch, or you have a third-party switch enforcing vlans to isolate the servers from each other, and then, using VLAN interfaces on FortiGate, you can ensure traffic is blocked by default and only allow specific connections.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
StangelmayerIT

Hello,

 

yeah we wanted to block the communication between the DMZ servers but decided to create a seperate VLAN with the intra VLAN blocking active. 

 

That should work referring to the Fortinet Document Library 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/85f6d214-7c18-11e9-81a4-005056...

Page 57

 

VLAN is created an configured and i wanted to enable the switch-access  but i recieve an return Code -61

 

FG-XXX # config system interface
FG-XXX (interface) # edit VLAN0026
FG-XXX (VLAN0026) # set switch-controller-access-vlan enable

command parse error before 'switch-controller-access-vlan'
Command fail. Return code -61

 

someone knows how to fix this issue? i hade to write the command, autocomplete failed.

 

Best regards,

Dominik Gronau

Debbie_FTNT

Hey Dominik,

first - is a FortiSwitch set up behind the FortiGate's DMZ interface, or do you have a third-party switch set up there?
-> if third-party, then you need to set up VLANs and tagging there. On the FortiGate, simply create multiple VLAN interfaces on top of the DMZ interface, and then do your policies between the VLAN interfaces (FortiGate will associate traffic with specific VLAN  interfaces based on VLAN tag; untagged traffic will be considered to belong to the physical DMZ interface)
-> if it's a FortiSwitch - what firmware is your FortiGate, and what firmware is your FortiSwitch? The guide is written for 6.0, and a number of CLI commands have changed since then

 

The access VLAN configuration you pointed to is primarily intended for connecting new devices on a switch port - a new device connects, it goes into the access VLAN and can ONLY speak to FortiGate, FortiGate determines what VLAN is appropriate, and shifts the device into that (other) VLAN (where it could speak to devices in the same VLAN without going through FortiGate).

I'm not entirely sure if that is what you're looking for? From your updates above, it sounded a lot as if you want to have the servers in fixed, separate VLANs and handle all access between VLANs through FortiGate.
As long as the servers ARE actually in different VLANs, all the traffic must go through FortiGate and policies anyway; FortiSwitch (or any switch with VLAN capabilities) should not allow cross-vlan traffic, and the access-vlan configuration should not be necessary

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
StangelmayerIT

Hello Debbie,

 

thanks for your response. we are currently using a Fortigate 500E with firmware v6.0.11 build0387, update planned. 

I'm looking for a possibility of blocking the communication between the servers/clients inside the same network/vlan, e.g.client A 192.168.100.10/24 and client B 192.168.100.11/24.

I'm aware of the fact that inside the same network clients communicate without crossing the firewall so the classic policy would never be applied. 

my hope was, that there would be an option in the fortigate to block all traffic inside this network except we have a policy active. 

i thought maybe the switch access active on that specific vlan would do the job.

 

Best regards,

Dominik

StangelmayerIT

p.s. i know we could create multiple vlans to achieve this but i thought there has to be a better way 

Debbie_FTNT

Hey Dominik
the access-vlan setting could perhaps accomplish that, but it does rely on a FortiSwitch, and probably some setup to NOT place connected devices into the same VLAN.
If your switch/infrastructure between the servers is not a FortiSwitch and/or does not direct all traffic towards the FortiGate instead of just switching inside it, then there is very little you can do.
If you absolutely do NOT want to use VLANs, you can maybe do a setup with secondary IPs on the DMZ interface, and have each server in a separate subnet with the FGT interface (secondary) IP of that subnet as gateway, and policies from DMZ to DMZ interface
There would be a limitation as FortiGate interface can only have up to six IPs, I believe, but technically it might achieve what you're looking for.
VLANs would be a lot cleaner, though.
The main challenge would be to get whatever switch/infrastructure you have to even forward the traffic to FortiGate, so FortiGate can influence it.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Labels
Top Kudoed Authors