Hello!
I have several WLANs in Tunnel traffic mode (FortiAPs) with their own DHCP configuration, using external DNS.
Additionally, I have VLANs that use our internal domain DNS/DHCP.
The issue is that devices on these WLANs are attempting to communicate with devices on the VLANs (and vice versa).
For example, logs related to Windows Delivery Optimization (TCP/7680) show this activity. Since there are no policies allowing communication between these networks, my logs are getting filled with 'implicit deny' entries:
Same thing here:
I could be mistaken, but since the tunnel is sending WLAN traffic directly to my FortiGate, and the only policy in place is for outbound to the WAN, devices on different networks shouldn't be able to see each other, correct?
Where might the misconfig be?
Thanks in advance.
Hello
The WLAN interface is like any other interface for the firewall, meaning that if you don't have any firewall rule allowing traffic between the two networks, then they can't see or access each other. And we can see in your logs that the firewall is blocking the traffic as expected.
In that case any attempt from a client to access the other network may have one of the following reasons:
By monitoring the behavior you can understand which kind of case it is.
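One way to do that monitoring from the traffic log itself, as an added example that is not code from the thread or from Fortinet: the script parses FortiGate key=value traffic-log lines, counts the implicit-deny hits (action=deny with policyid=0) per source interface, destination interface and port, and checks that no accepted flow crosses between a WLAN and a VLAN interface. The interface names, addresses and sample lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample FortiGate traffic-log lines in the key=value format the
# logs use. Interface names and addresses are assumptions made for this
# example, not values from the original thread.
SAMPLE_LOGS = """\
date=2024-09-16 time=11:30:01 type="traffic" subtype="forward" srcip=10.50.1.23 srcport=52113 srcintf="wlan-tunnel" dstip=192.168.10.45 dstport=7680 dstintf="vlan10-corp" proto=6 action="deny" policyid=0
date=2024-09-16 time=11:30:02 type="traffic" subtype="forward" srcip=10.50.1.24 srcport=52200 srcintf="wlan-tunnel" dstip=192.168.10.45 dstport=7680 dstintf="vlan10-corp" proto=6 action="deny" policyid=0
date=2024-09-16 time=11:30:03 type="traffic" subtype="forward" srcip=192.168.10.45 srcport=49222 srcintf="vlan10-corp" dstip=10.50.1.23 dstport=7680 dstintf="wlan-tunnel" proto=6 action="deny" policyid=0
date=2024-09-16 time=11:30:04 type="traffic" subtype="forward" srcip=10.50.1.23 srcport=52115 srcintf="wlan-tunnel" dstip=192.168.10.10 dstport=445 dstintf="vlan10-corp" proto=6 action="deny" policyid=0
date=2024-09-16 time=11:30:05 type="traffic" subtype="forward" srcip=10.50.1.23 srcport=52116 srcintf="wlan-tunnel" dstip=203.0.113.10 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=3
"""

# key=value pairs; values are either quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_entries(text):
    """Parse each non-empty log line into a dict of its key=value fields."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line)}
            for line in text.splitlines() if line.strip()]

def implicit_denies(text):
    """Entries dropped by the implicit deny: action=deny with policyid=0."""
    return [e for e in parse_entries(text)
            if e.get("action") == "deny" and e.get("policyid") == "0"]

def deny_summary(text):
    """Count denied flows per (srcintf, dstintf, dstport) so that chatter such
    as Delivery Optimization on TCP/7680 between segments is easy to spot."""
    return Counter((e["srcintf"], e["dstintf"], e["dstport"])
                   for e in implicit_denies(text))

def cross_segment_accepts(text, wlan_prefix="wlan", vlan_prefix="vlan"):
    """Accepted flows between a WLAN and a VLAN interface. An empty result
    confirms that no policy lets the two segments reach each other."""
    def crosses(src, dst):
        return ((src.startswith(wlan_prefix) and dst.startswith(vlan_prefix)) or
                (src.startswith(vlan_prefix) and dst.startswith(wlan_prefix)))
    return [e for e in parse_entries(text)
            if e.get("action") == "accept" and crosses(e["srcintf"], e["dstintf"])]

if __name__ == "__main__":
    for (src, dst, port), n in deny_summary(SAMPLE_LOGS).most_common():
        print(f"{src} -> {dst} dport {port}: {n} implicit deny")
    print("cross-segment accepts:", len(cross_segment_accepts(SAMPLE_LOGS)))
```

Run against an exported traffic log instead of SAMPLE_LOGS; the per-interface counts show which clients and services keep probing across segments, while a non-empty cross-segment accept list would point at a policy that actually allows the traffic.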
Hello
It depends on usage and requirements.
E.g.: A guest VLAN/WLAN is not supposed to see Corp VLAN/WLAN.
But between two Corp VLANs/WLANs you may want to allow some communication between clients like file sharing and so.
Hey @AEK,
I understand, but the issue is that devices from a tunnel WLAN are "seeing" devices on a corporate VLAN.
Correct me if I'm wrong:
With the WLAN set to Tunnel traffic mode, it should isolate the WLAN from other networks, shouldn't it?
However, this isn't happening as expected, as there are attempts to communicate between them, as shown in the logs above.
Alright. Just needed to confirm that. Thanks @AEK!
Created on 09-16-2024 11:30 AM Edited on 09-16-2024 11:47 AM