Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
obi
New Contributor

Block traffic for certain IPs, scheduled

Hi to everybody, I' ve the following situation: There are about 10 AccessPoints with a static IP and the clients get their IP addresses from the Fortigate device, which is acting as DHCP-Server. Everything is in the same subnet. So far it works. Now I want to block the traffic for a certain time for the clients which are associated to 3 of the 10 Access Points, the other clients which are associated over the other 7 APs shouldn' t be blocked. How can I realize this? I tried to set a policy with scheduler which blocks those 3 APs, but the associated clients get their IP from Firewall, so the traffic isn' t blocked for those clients. Is there any possibility to do this? thanks in advice, obi
4 REPLIES 4
Dave_Hall
Honored Contributor

Hi Obi. It would help us if you can tell us which firmware is running on the fgt and whether or not the wifi connection is merged into the internal internet (aka soft switch) or on a separate interface. Basically to set up what you are requesting (under 4.0 MR3) requires assigning static IP addresses to the wireless clients, which can be done via the DHCP server (reserving IPs to the same MAC addresses). After this you create firewall object labels for each of those static IPs and then group them together. Next would be to create a schedule for the time. Last would to create the firewall policy using the firewall group you created above as the source address, set the schedule time and action to block. Move this " blocking" policy up in the firewall rules so it is triggered. Much of the above info can be found in the Cookbook.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
obi
New Contributor

Hi Dave, first thanks for your reply! Sorry, I forgot to add the Firmware, I' m running the v4 mr3 with patch 15. This is not exactly that what I need. If I block those IPs, they aren' t able to access to the other AccessPoints too. I' d like to block only the access to the internet from 3 Access Points, while the other 7 are working normally. So if I ,for example, are in front of AccessPoint nr.1 (1 to 3 should be blocked) I can' t access to the internet. If I go now to AccessPoint 6 (4 to 6 shouldn' t be blocked) I get access to internet always with the same Notebook or mobile. I hope I didn' t forget something this time :-) Thanks in advice, obi
Dave_Hall
Honored Contributor

I hope I didn' t forget something this time :)
Yes, I requested whether or not the wifi connection(s) (the 10 APs) are merged into the internal internet (aka soft switch) or on separate interface(s) or zones. A screen shot of the firewall policy section (showing the 10 APs) would help. But what you are asking I think can only be implemented if those 3 APs are placed into their own zone.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
obi
New Contributor

Sorry! The APs are in the same internal internet. At the moment I made only some tests, so I can' t make any screenshot. How you said, I also thought about to create a seperate zone for those 3 APs. Thanks, obi
Top Kudoed Authors