I have a "Local LAN Zone" zone that does not have "block intra-zone traffic" enabled. The only policy involving this zone is a basic "internet out" policy from "Local LAN Zone" to "wan1". In this zone is the VLAN.2 interface, which is assigned to all of my FSW ports, which are connected to the FGT using FortiLink.
Under the default behavior on 6.0.5, all of the devices on VLAN.2 can reach (i.e. ping) devices on VLAN.2 without needing any extra policies to allow this. The "internet out" policy allows these devices to get to the internet.
I have a FAP-221E managed by the FGT and I created a tunnel mode SSID. I added this SSID interface into "Local LAN Zone" and the WiFi clients on this SSID can get to the internet, but they cannot reach (i.e. ping) any devices on VLAN.2, which is part of the same zone.
Is this expected behavior given that the tunnel mode SSID has a different network segment, or should the fact that intra-zone traffic is not blocked allow WiFi clients to reach (i.e. ping) the wired clients on VLAN.2 because they are part of the same zone?
No, I wouldn't expect that, because we do the same for our corp SSID (tunnel mode/separate subnet) and can reach printers, a domain controller, and other devices in different subnets on the LAN, but in the same zone together. We separate GuestWiFi to a different zone, so that would require a policy if we want to allow the guest users to use local resources, but so far we haven't had to.
So you need to sniff and "flow debug" traffic coming from the WiFi toward the LAN. When I tested myself (flow debug) I saw: msg="Allowed by Policy-4294967295:", which I assume references the "set intrazone allow" in the zone config, instead of referencing a regular policy.
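As an added illustration (not from the poster above), here is the zone configuration the reply is describing, followed by the sniffer and flow-debug commands used to confirm which policy the FortiGate matches. The interface name "wifi-tunnel" and the addresses 10.20.0.50 (WiFi client) and 192.168.2.10 (wired host on VLAN.2) are assumed placeholders.

```fortios
# Zone with intra-zone traffic allowed; both the FortiLink VLAN and the
# tunnel-mode SSID interface must be listed as members. If the SSID
# interface is missing here, traffic falls through to the implicit deny.
config system zone
    edit "Local LAN Zone"
        set intrazone allow
        set interface "VLAN.2" "wifi-tunnel"
    next
end

# 1) Confirm the ICMP request actually arrives on the SSID interface
#    and leaves on VLAN.2 (verbosity 4 shows interface names).
diagnose sniffer packet any 'host 10.20.0.50 and host 192.168.2.10 and icmp' 4

# 2) Trace the policy lookup for the same flow. A working intra-zone
#    path logs "Allowed by Policy-4294967295", the implicit intrazone
#    policy, rather than a numbered firewall policy.
diagnose debug flow filter clear
diagnose debug flow filter addr 10.20.0.50
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# 3) Always stop tracing afterwards.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

If the trace instead reports a denied policy id 0 or a drop on the destination interface, check that both interfaces appear under `show system zone` and that no zone-to-zone policy is shadowing the intra-zone path.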