I have 2 address ranges: A 192.168.1.[1-10] and B 192.168.1.[30-60].
Now I made a Policy where I deny any traffic from A to B.
Source Interface: Internal
Source Address: 192.168.1.[1-10]
Destination Interface: Internal
Destination Address: 192.168.1.[30-60]
Unfortunately the rule doesn't work.
There are some switches between the PCs and the firewall.
Does anyone know why I can't block the traffic, or only some services, from one internal IP/range to another, or what am I doing wrong?
I have a FG110C with firmware 4.0 MR3 Patch 15
Thanks in advance,
If the subnets are different it will work and the traffic will be routed through the Fortigate; however, in this case it will not.
It is a basic rule of networking. If the addresses are in the same subnet, the traffic will flow between the hosts directly, no gateway, no routing involved, and for that reason the firewall rules will not have any effect.
The diag debug flow is your friend. I'm surprised to see this thread still around. Back to the topic: if you want to use one interface "internal" and carry two unique subnets, then just use secondaries and then this firewall policy would work. But two hosts on the same subnet (layer 2) are not going to be controlled by a simple layer-3 firewall policy; this is network 101.
@emnoc: using secondary IPs is just for implicitly creating routes, to avoid Reverse Path checks/drops. You can create static routes to both subnets as well to achieve this.
If the FGT is the (only) router, and the subnets do not overlap, and there's no policy allowing this traffic then there will be no traffic allowed. You can even leave out the policy altogether - implicit deny / policy 0 will take care of that.
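The point made in the replies above, as an added example that is not part of the thread: a host only hands a packet to its gateway (the FortiGate) when the destination lies outside its own subnet, so the deny policy can never match traffic that stays inside 192.168.1.0/24. The /28 re-addressing used in the demo is a constructed assumption, not something the original poster has configured.

```python
import ipaddress

# Address ranges from the thread: A = 192.168.1.1-10, B = 192.168.1.30-60
RANGE_A = (ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("192.168.1.10"))
RANGE_B = (ipaddress.ip_address("192.168.1.30"), ipaddress.ip_address("192.168.1.60"))


def in_range(ip, rng):
    return rng[0] <= ip <= rng[1]


def is_local_delivery(src_ip, dst_ip, src_prefixlen):
    """True when dst is inside the sender's own subnet: the host ARPs for dst
    and the switches forward the frame at layer 2, so the gateway never sees it."""
    net = ipaddress.ip_network(f"{src_ip}/{src_prefixlen}", strict=False)
    return dst_ip in net


def policy_verdict(src_ip, dst_ip, src_prefixlen):
    """Order of events for one packet: the sending host decides whether to
    route; only routed packets reach the FortiGate, where the deny A->B policy
    and then the implicit deny (policy 0) are evaluated."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if is_local_delivery(src, dst, src_prefixlen):
        return "delivered at layer 2 (policy never consulted)"
    if in_range(src, RANGE_A) and in_range(dst, RANGE_B):
        return "denied by policy A->B"
    return "implicit deny (no matching policy)"


if __name__ == "__main__":
    # As posted: everything is one /24, so the rule has nothing to match.
    print("/24:", policy_verdict("192.168.1.5", "192.168.1.40", 24))
    # Constructed assumption: A re-addressed into 192.168.1.0/28 (hosts .1-.14),
    # so a packet to .40 must go via the gateway and the policy applies.
    print("/28:", policy_verdict("192.168.1.5", "192.168.1.40", 28))
```

Running `diag debug flow` on the FortiGate shows the same thing empirically: in the /24 case no session for this traffic appears at all.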