Hi everybody,
I have the following situation:
There are about 10 access points with static IPs, and the clients
get their IP addresses from the FortiGate, which is acting as
DHCP server. Everything is in the same subnet.
So far it works.
Now I want to block the traffic for a certain time for the clients that
are associated with 3 of the 10 access points; the clients associated with the other 7 APs shouldn't be blocked.
How can I realize this? I tried to set a policy with a schedule that blocks those 3 APs, but the associated clients get their IPs from the firewall, so the traffic isn't blocked for those clients.
Is there any possibility to do this?
Thanks in advance,
It would help us if you can tell us which firmware is running on the fgt and whether or not the wifi connection is merged into the internal interface (aka soft switch) or on a separate interface.
Basically, to set up what you are requesting (under 4.0 MR3) requires assigning static IP addresses to the wireless clients, which can be done via the DHCP server (reserving IPs for the same MAC addresses).
After this you create firewall objects for each of those static IPs and then group them together. Next would be to create a schedule for the time.
Last would be to create the firewall policy using the firewall group you created above as the source address, set the schedule and set the action to block.
Move this "blocking" policy up in the firewall rules so it is triggered.
Much of the above info can be found in the Cookbook.
First, thanks for your reply!
Sorry, I forgot to add the firmware: I'm running v4 MR3 with patch 15.
This is not exactly what I need. If I block those IPs, they can't get
access via the other access points either. I'd like to block only the access to the internet
from 3 access points, while the other 7 are working normally.
So if I am, for example, in front of access point no. 1 (1 to 3 should be blocked),
I can't access the internet. If I then go to access point 6 (4 to 6 shouldn't be blocked), I get internet access, always with the same notebook or mobile.
I hope I didn't forget something this time :-)
Thanks in advance,
Yes, I asked whether or not the wifi connection(s) (the 10 APs) are merged into the internal interface (aka soft switch) or on separate interface(s) or zones.
A screen shot of the firewall policy section (showing the 10 APs) would help.
But what you are asking I think can only be implemented if those 3 APs are placed into their own zone.
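As an added example, not taken from this thread or from Fortinet documentation, the following FortiOS CLI fragment puts the two approaches discussed above side by side. Approach A is the address-group method from the first reply: the deny policy matches the client's reserved IP as the source address, so the device is blocked no matter which AP it is associated with (the behaviour the original poster did not want). Approach B places the three APs on their own interface and zone, and the deny policy matches on the source interface instead, so the same notebook is blocked behind APs 1-3 and passes behind APs 4-10. Interface names (internal, port3, wan1), subnets, MAC addresses, object names, policy IDs and the schedule are all assumptions; the DHCP reservation subtable is shown in the later 5.x-style syntax (4.0 MR3 keeps reservations in a separate system dhcp reserved-address table). The thread itself does not say how the three APs would be moved to a separate interface; a spare port is assumed here.

```text
# Common: the time window during which internet access is denied (assumed hours).
config firewall schedule recurring
    edit "block-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 17:00
    next
end

# ---- Approach A: address group (first reply) --------------------------------
# Pin each restricted client to a fixed IP via a DHCP reservation
# (assumed MAC/IP pairs, 5.x-style subtable syntax).
config system dhcp server
    edit 1
        config reserved-address
            edit 1
                set ip 192.168.1.50
                set mac 00:11:22:33:44:55
            next
        end
    next
end
config firewall address
    edit "wifi-client-1"
        set subnet 192.168.1.50 255.255.255.255
    next
end
config firewall addrgrp
    edit "wifi-restricted-clients"
        set member "wifi-client-1"
    next
end
# Deny only internet (dstintf wan1), so LAN traffic keeps working.
# Because the match is on srcaddr, the client stays blocked behind ANY AP.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "wifi-restricted-clients"
        set dstaddr "all"
        set action deny
        set schedule "block-hours"
        set service "ANY"
    next
    # Assumes the existing internal->wan1 accept policy has id 1.
    move 10 before 1
end

# ---- Approach B: own interface + zone (this reply) --------------------------
# Assumption: APs 1-3 are re-cabled to a spare port (port3) with its own
# subnet and DHCP scope; APs 4-10 stay on "internal".
config system interface
    edit "port3"
        set vdom "root"
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
    next
end
config system dhcp server
    edit 2
        set interface "port3"
        set default-gateway 192.168.30.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.30.100
                set end-ip 192.168.30.200
            next
        end
    next
end
config system zone
    edit "wifi-restricted"
        set interface "port3"
    next
end
# The match is on srcintf, so a device is blocked only while it is behind
# AP1-3; behind AP6 it arrives on "internal" and hits the normal policies.
config firewall policy
    edit 20
        set srcintf "wifi-restricted"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "block-hours"
        set service "ANY"
    next
    # Outside the schedule the zone still needs its own accept policy.
    edit 21
        set srcintf "wifi-restricted"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
```

Policy order matters in both variants: FortiGate evaluates policies top down and takes the first match, so the scheduled deny must sit above the accept for the same interface pair, which is what the `move 10 before 1` does for approach A and the creation order (20 before 21) does for approach B. Once an interface is a zone member it can no longer be referenced directly in policies; use the zone name instead.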
The APs are on the same internal interface.
At the moment I have only done some tests, so I can't make any screenshots.
As you said, I also thought about creating a separate zone for those