Support Forum
obi
New Contributor

Block traffic Internal to Internal

Hi, I have 2 address ranges: A 192.168.1.[1-10] and B 192.168.1.[30-60]. Now I made a Policy where I deny any traffic from A to B.

Source Interface: Internal
Source Address: 192.168.1.[1-10]
Destination Interface: Internal
Destination Address: 192.168.1.[30-60]
Schedule: always
Service: ANY
Action: DENY

Unfortunately the rule doesn't work. There are some switches between the PCs and the firewall. Does anyone know why I can't block the traffic, or only some services, from one internal IP/range to another, or what am I doing wrong? I have a FG110C with firmware 4.0 MR3 Patch 15. Thanks in advance, obi
18 Replies
ede_pfau
Esteemed Contributor III

hi, you have not included the network mask used. Assuming it's /24 (=255.255.255.0), your hosts do not need to send traffic to your router (the FGT) - they can make direct connections. The FGT is not involved with this. If you want to control traffic between 2 groups of hosts you have to have 2 distinct IP ranges, like 192.168.1.[0-127] and .[128-255], with a network mask of /25. Then the FGT has to route between subnets and your policy would have an effect.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
obi
New Contributor

Hi, strange, if I try to add the subnet (/18 or /24) I get an error: "... is not a valid IP Address". Thanks, obi
rwpatterson
Valued Contributor III

Where are you trying to 'add' this?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

obi
New Contributor

Hi, I try to do this in "Firewall Objects" -> "Address" -> "Address". There I select the range and when I try to add the subnet, I get this error.
ede_pfau
Esteemed Contributor III

It's either address+netmask OR address range.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

Either: 192.168.1.[0-127] and 192.168.1.[128-255] Or: 192.168.1.0/25 and 192.168.1.128/25

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Ramesh_M
New Contributor

Hi, the traffic will not come to the firewall if the source and destination are behind the same interface. So it will not work...

Ramesh M Technical Specialist - CCNA(Security), FCNSP, ACE, ASE, ITIL blogs.itzecuriry.in

ede_pfau
Esteemed Contributor III

@Ramesh: it will. If the address ranges are distinct, and the default gateway on both LANs is the same FGT interface, then the FGT can route between them. It has to have an 'internal' to 'internal' policy to allow this. That's where you can control the traffic.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
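The point made in ede_pfau's two replies above (hosts in one subnet talk through the switch and never reach the FGT; only with distinct subnets does an internal-to-internal policy apply) can be checked with the following constructed model. It is an added example, not FortiOS code and not from any poster; the host addresses, the deny policy over the suggested /25 halves and the "implicit-deny" label for a packet that matches no policy are assumptions made for illustration.

```python
import ipaddress

# Constructed model of this thread's scenario (not FortiOS code): hosts on the
# "internal" side of a FortiGate, the hosts' subnet mask, and an ordered
# internal->internal policy table. Address objects may be a range tuple
# ("first", "last") or a subnet string "a.b.c.d/n", the two object kinds the
# forum replies describe.

def on_link(src, dst, prefixlen):
    """True when src and dst share a subnet. The sending host then ARPs for dst
    and the frame crosses the switches only; the gateway (FGT) never sees it."""
    net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    return ipaddress.ip_address(dst) in net

def matches(addr, obj):
    """Evaluate a FortiGate-style address object (range tuple or subnet) against one IP."""
    ip = ipaddress.ip_address(addr)
    if isinstance(obj, tuple):                               # address range object
        first, last = (ipaddress.ip_address(x) for x in obj)
        return first <= ip <= last
    return ip in ipaddress.ip_network(obj, strict=False)    # subnet object

# Assumed policy table: ede_pfau's suggested split into two /25 halves,
# with one rule denying lower-half -> upper-half traffic.
POLICY = [
    {"src": ("192.168.1.0", "192.168.1.127"), "dst": "192.168.1.128/25", "action": "deny"},
]

def decision(src, dst, prefixlen, policy=POLICY):
    """Fate of a packet src->dst: 'switched' (never reaches the FGT), the action
    of the first matching policy, or the FortiGate implicit deny."""
    if on_link(src, dst, prefixlen):
        return "switched"
    for rule in policy:                                      # first match wins
        if matches(src, rule["src"]) and matches(dst, rule["dst"]):
            return rule["action"]
    return "implicit-deny"

if __name__ == "__main__":
    # obi's layout: everything in one /24, so the policy is never consulted
    print(decision("192.168.1.5", "192.168.1.40", 24))      # switched
    # hosts in different /25 halves but still masked /24: still on-link
    print(decision("192.168.1.5", "192.168.1.140", 24))     # switched
    # after re-masking to /25 the FGT routes between halves and the deny applies
    print(decision("192.168.1.5", "192.168.1.140", 25))     # deny
    # reverse direction has no policy, so the implicit deny blocks it
    print(decision("192.168.1.140", "192.168.1.5", 25))     # implicit-deny
```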
Ramesh_M

You mean to say the hair pin kind of concept...

Ramesh M Technical Specialist - CCNA(Security), FCNSP, ACE, ASE, ITIL blogs.itzecuriry.in
