I have a physical interface "internal1" with 3 subinterfaces.
I have another physical interface "internal2".
If I want to create a firewall rule to allow traffic from "internal1" to "internal2",
do I have to create only 1 firewall rule, or do I have to create 3 firewall rules?
In your case, if you have a physical interface "internal1" with three subinterfaces (let's call them Sub1, Sub2, and Sub3), and another physical interface "internal2," you would need to create three firewall rules to allow traffic from each subinterface of "internal1" to "internal2."
Policy1: Source Interface: internal1:Sub1, Destination Interface: internal2, Action: Allow
Policy2: Source Interface: internal1:Sub2, Destination Interface: internal2, Action: Allow
Policy3: Source Interface: internal1:Sub3, Destination Interface: internal2, Action: Allow
Each rule specifies the source and destination interfaces, allowing traffic between the specified subinterfaces on "internal1" and "internal2." This approach ensures that you have control over traffic between each pair of subinterfaces.
A firewall policy for "internal-X" will not match traffic for any of its sub-interfaces. "internal-X" and its sub-interfaces are independent logical interfaces, and any permutation of A->B traffic flow must be addressed with a firewall policy for specifically A->B.
The only exception would be using "any" as a source/destination interface in a policy, or if you were to select multiple interfaces as source/destination in a policy. (this needs to be enabled in Feature Visibility first for the GUI to allow it)
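The behaviour described in this reply (a policy on the parent interface does not match its sub-interfaces, while "any" or a multi-interface policy does) can be modelled in a few lines. The following is an added illustration, not FortiOS code and not from anyone in this thread; the interface names "internal1", "internal1:Sub1..3" and "internal2" come from the thread, "dmz" is a constructed extra interface, and the first-match lookup with an implicit deny is an assumption about how the policy table is walked.

```python
from dataclasses import dataclass

# Constructed model of interface-based policy matching as described in the
# thread. A parent interface and its sub-interfaces are independent logical
# interfaces, so matching is by exact name: "internal1" != "internal1:Sub1".
# This is an illustrative model, not FortiOS code.

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_intf: str
    dst_intf: str


@dataclass(frozen=True)
class Policy:
    name: str
    src_intfs: frozenset  # one or more interface names, or {"any"}
    dst_intfs: frozenset
    action: str = "accept"

    def matches(self, flow: Flow) -> bool:
        # "any" matches every interface; otherwise the name must be listed.
        src_ok = ANY in self.src_intfs or flow.src_intf in self.src_intfs
        dst_ok = ANY in self.dst_intfs or flow.dst_intf in self.dst_intfs
        return src_ok and dst_ok


def policy(name, src, dst, action="accept"):
    return Policy(name, frozenset(src), frozenset(dst), action)


def evaluate(policies, flow):
    """First matching policy wins; no match falls through to an implicit deny."""
    for p in policies:
        if p.matches(flow):
            return p.name, p.action
    return "implicit-deny", "deny"


SUBS = ["internal1:Sub1", "internal1:Sub2", "internal1:Sub3"]

# Variant A: a single policy on the parent interface only.
PARENT_ONLY = [policy("Parent", ["internal1"], ["internal2"])]

# Variant B: three explicit policies, one per sub-interface (the accepted answer).
PER_SUB = [policy(f"Policy{i}", [s], ["internal2"]) for i, s in enumerate(SUBS, 1)]

# Variant C: one policy that lists all three sub-interfaces as source.
MULTI = [policy("Multi", SUBS, ["internal2"])]

# Variant D: "any" as the source interface, the broadest form.
ANY_SRC = [policy("AnySrc", [ANY], ["internal2"])]


def results(policies):
    """Action taken for traffic from each candidate source interface to internal2.
    'dmz' is a constructed unrelated interface used to show over-matching."""
    sources = SUBS + ["internal1", "dmz"]
    return {s: evaluate(policies, Flow(s, "internal2"))[1] for s in sources}


if __name__ == "__main__":
    for label, table in [("parent-only", PARENT_ONLY), ("per-subinterface", PER_SUB),
                         ("multi-interface", MULTI), ("any-source", ANY_SRC)]:
        print(label, results(table))
```

Running it shows that the parent-only policy accepts only untagged traffic on "internal1" and leaves every sub-interface on the implicit deny, while the per-subinterface and multi-interface tables accept exactly the three sub-interfaces and nothing else. The "any" variant also accepts the unrelated "dmz" source, which is the reason to prefer listing the specific sub-interfaces when consolidating rules rather than widening the source to "any".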
Hi @BusinessUser,
You can run a sniffer to identify the flow of the traffic; if it is just from internal1 to 2, then you will not need the sub-interface policy.
Hi @BusinessUser,
I believe internal1 and its 3 subinterfaces are in different subnets/VLANs. Depending on which subnets you want to allow to access internal2, you need to create a firewall policy for that interface.
Regards,
I'd go for one rule covering all subinterfaces on "internal1". Keeps things simple and less maintenance. Just make sure the rule applies to all traffic between "internal1" and "internal2".
Copyright 2024 Fortinet, Inc. All Rights Reserved.