I need to block on server from communicating with another one within the same subnet. How would I do that from our FGT?
Likely the best way to do this is from the machine's own firewall settings. Technically, the Fortigate can only control/restrict traffic if that traffic is going through it; if you have two machines on the internal network, communicating via switches or both are on the same switch, the Fortigate may not even see that traffic. If the Fortigate was set in transparency mode you may have better options.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Makes sense. Thank you for responding.
If you change the server's IP address to some value outside of the (common) subnet, and specify the FGT to be the gateway for this, all traffic to and from the server has to cross the FGT. You would create an 'internal -> internal' policy and have control over the routed traffic.
Think of the consequences and, if nothing else stands in the way, it's feasible.
Hi all
What is written here is not 100% certain, which means the following:
- What is the reason that, on a standard configuration of a FGT, clients/servers within the same subnet can communicate with each other without going over the FGT?
The answer is the following command:
# config system interface
# edit [Name of the interface]
# set icmp-redirect enable
# end
This means "icmp-redirect" is enabled by default. WHY? If a client A connected to the FGT requests client B in the same subnet as client A, what happens exactly (in a very short overview):
--> Client A requests Client B with an ARP request because no ARP entry is available locally ("who has")
--> The ARP request reaches the FGT (default GW IP of the FGT) and the FGT broadcasts "who has" itself.
--> Client B answers the FGT "I am" (including MAC address)
--> The FGT sends an "icmp-redirect" to Client A including the MAC address and the "icmp-redirect" information, which actually means:
Here is the information "MAC/IP"; Client B is in the same subnet as you, so do not come to me, go direct!
This is the reason the traffic does not go over the firewall: because "icmp-redirect" is enabled, Client A/B can communicate directly and you do not need any firewall policy on the FGT. If you would like to prevent this, disable "icmp-redirect"; then the FGT does not send Client A an "icmp-redirect", the traffic will go over the FGT (because the default gateway points the client to the FGT) and you HAVE TO implement a firewall policy which allows traffic from Client A to B and vice versa etc. Of course, if "icmp-redirect" is disabled and Client A makes a static ARP entry for Client B locally, the traffic would also go direct and not over the FGT.
This, in short words/overview, is why or what is responsible for whether intercommunication between clients within a subnet directly connected to the FGT is possible or not, and whether it needs a firewall policy on the FGT or not. Be careful if you disable "icmp-redirect" and be aware that ALL traffic within the subnet then goes over the FGT (performance).
hope this helps
have fun
Andrea
I disagree, simply because of a PC's routing table. All traffic destined for the local subnet uses the local IP as the gateway.

C:\Users\rpatterson>netstat -r
...
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.151.250  192.168.151.121    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.151.0    255.255.255.0         On-link   192.168.151.121    266
  192.168.151.121  255.255.255.255         On-link   192.168.151.121    266
  192.168.151.255  255.255.255.255         On-link   192.168.151.121    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   192.168.151.121    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   192.168.151.121    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      10.131.24.4  Default
          0.0.0.0          0.0.0.0  192.168.151.250  Default
===========================================================================
...
Basically, the Fortigate is removed from the routing equation by the local device.
My two cents...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
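The route-selection step that Bob's post relies on, and that Helder's suggestion (re-addressing the server outside the common subnet so the FGT becomes its next hop) depends on, can be checked offline against the posted table. The following script is an added example and is not code from the thread or from Fortinet: it parses the "Active Routes" section exactly as Bob posted it, performs the longest-prefix-match (lowest metric on ties) that a host does for every outbound packet, and reports whether a destination is delivered on-link (the FGT never sees the packet) or via a gateway (the FGT at 192.168.151.250 does). The server address 10.0.0.5 used for Helder's scenario is a constructed placeholder, not an address from the thread.

```python
import ipaddress
from typing import NamedTuple, Optional, List, Tuple

# Active Routes section copied from Bob's netstat -r output above (not constructed).
NETSTAT_ACTIVE_ROUTES = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.151.250  192.168.151.121    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.151.0    255.255.255.0         On-link   192.168.151.121    266
  192.168.151.121  255.255.255.255         On-link   192.168.151.121    266
  192.168.151.255  255.255.255.255         On-link   192.168.151.121    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   192.168.151.121    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   192.168.151.121    266
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means "On-link" (direct delivery)
    interface: ipaddress.IPv4Address
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Parse the five-column Windows 'Active Routes' rows; header and ruler lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            gateway = None if gw == "On-link" else ipaddress.IPv4Address(gw)
            routes.append(Route(network, gateway, ipaddress.IPv4Address(iface), int(metric)))
        except ValueError:
            continue  # not a route row (e.g. the column header)
    return routes


def lookup(dst: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins, as Windows does."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(dst: str, routes: List[Route]) -> Optional[Tuple[str, str]]:
    """Return ('on-link', interface) when the host ARPs for the peer directly,
    or ('gateway', gateway_ip) when the packet is handed to a router such as the FGT."""
    route = lookup(dst, routes)
    if route is None:
        return None
    if route.gateway is None:
        return ("on-link", str(route.interface))
    return ("gateway", str(route.gateway))


ROUTES = parse_routes(NETSTAT_ACTIVE_ROUTES)

if __name__ == "__main__":
    # A peer in the same /24: delivered on-link, the FGT is not in the path.
    print("192.168.151.50 ->", next_hop("192.168.151.50", ROUTES))
    # Helder's scenario: server re-addressed outside the subnet (constructed address),
    # so only the default route matches and the FGT becomes the next hop.
    print("10.0.0.5       ->", next_hop("10.0.0.5", ROUTES))
    # Two equal-length routes: the lower metric (266) wins the tie.
    print("224.0.0.1      ->", next_hop("224.0.0.1", ROUTES))
```

The first lookup is Bob's point in code: the /24 on-link route beats the default route, so the host resolves the peer's MAC itself and the FGT can neither see nor police that flow, which is why a host firewall rule (Dave's suggestion) or a re-addressing that removes the on-link match (Helder's suggestion) are the options that actually change the path.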
Let's not complicate things; the OP wanted to block one machine from another machine on the same subnet: the simplest and easiest solution is to use the machine's own firewall for the blocking. IMHO. :)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave Hall wrote:
> Let's not complicate things; the OP wanted to block one machine from another machine on the same subnet: the simplest and easiest solution is to use the machine's own firewall for the blocking. IMHO. :)

Agreed
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Copyright 2024 Fortinet, Inc. All Rights Reserved.