Firewall a VLAN

Hi, we are currently running with a pair of 201E Firewalls running in NAT mode. These are currently set up with two interfaces, LAN and WAN, which just basically firewalls traffic from LAN to WAN (Internet) and vice versa.

We are now looking to firewall a VLAN from the rest of the network. So the idea is to push traffic from this VLAN through this new interface and then out through the LAN interface back into the network.

So we have set up another interface with an IP in this VLAN (VLAN710) which is connected to our core switch. The core contains the gateway address for this VLAN. This interface is pingable from the core and any other machine within this VLAN but not outside of this VLAN. I can see this as a connected route on the FW. I'm guessing it's a routing issue on the FW but can't figure out what is needed. We already have static routes in place to push internal subnets through the LAN interface, which is what we want. If someone could help or point me in the right direction, that would be great.


Do you have policies allowing ping from your LAN interface to your VLAN interface?  If not, the problem might be that simple.  From your explanation though you might also be having some trouble with asymmetric routing but I might just be misreading what you wrote (you said your core has the gateway address, which is not possible while simultaneously firewalling off the VLAN).


It sounds like what you're describing is essentially a DMZ, so that's a pretty common config.  I actually use my FGT as the default gateway for the majority of my user- and IoT-facing VLANs so that I have the ability to restrict east/west traffic.


So the core has the gateway for this VLAN and I was setting a static route on the core to pass this VLAN traffic to the interface on the FGT. Does the FGT interface then need to be the gateway for this?


Absolutely.  You're not really firewalling anything if your core can route packets in/out of that VLAN to other members of the LAN.  That static route on your core is going to be ignored anyway since it has a connected route to that subnet.
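Added illustration (not part of the thread, and not a FortiGate feature): a small Python model of the core switch's route selection that shows why the static route in the setup above never takes effect, and what changes once the FGT becomes the VLAN's gateway. The addresses, interface names and routing tables are constructed for the example; the rule it encodes is the usual longest-prefix-match followed by administrative distance, with connected routes preferred over static ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Administrative distance: a connected route beats a static route to the same
# prefix. These are the common vendor defaults and are only illustrative here.
ADMIN_DISTANCE = {"connected": 0, "static": 1}


@dataclass(frozen=True)
class Route:
    prefix: str   # destination network in CIDR form
    kind: str     # "connected" or "static"
    via: str      # exit interface (connected) or next-hop IP (static)


def best_route(table, dst):
    """Longest-prefix match; ties are broken by lower administrative distance."""
    dst_ip = ip_address(dst)
    candidates = [r for r in table if dst_ip in ip_network(r.prefix)]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda r: (ip_network(r.prefix).prefixlen, -ADMIN_DISTANCE[r.kind]),
    )


# Constructed addressing (hypothetical, not the poster's real subnets):
#   transit VLAN 10: 10.10.0.0/24, FGT LAN interface 10.10.0.1, core 10.10.0.254
#   VLAN 710:        10.71.0.0/24, FGT vlan710 interface 10.71.0.1
FGT_LAN_IP = "10.10.0.1"
FGT_VLAN710_IP = "10.71.0.1"

# State described in the thread: the core still has an SVI in VLAN 710 (a connected
# route) plus a static route for the same /24 pointing at the FGT's VLAN 710 address.
CORE_AS_GATEWAY = [
    Route("10.10.0.0/24", "connected", "Vlan10"),
    Route("10.71.0.0/24", "connected", "Vlan710"),
    Route("10.71.0.0/24", "static", FGT_VLAN710_IP),
    Route("0.0.0.0/0", "static", FGT_LAN_IP),
]

# Fixed state: the SVI is removed, so the core has no connected route to VLAN 710 and
# the only path to that subnet is a static route via the FGT's LAN-side address.
FGT_AS_GATEWAY = [
    Route("10.10.0.0/24", "connected", "Vlan10"),
    Route("10.71.0.0/24", "static", FGT_LAN_IP),
    Route("0.0.0.0/0", "static", FGT_LAN_IP),
]


def crosses_firewall(table, dst, fgt_ips=(FGT_LAN_IP, FGT_VLAN710_IP)):
    """True only when the core hands the packet to one of the firewall's addresses."""
    r = best_route(table, dst)
    return r is not None and r.kind == "static" and r.via in fgt_ips


if __name__ == "__main__":
    host_in_vlan710 = "10.71.0.50"  # constructed host address
    for name, table in (("core as gateway", CORE_AS_GATEWAY),
                        ("FGT as gateway", FGT_AS_GATEWAY)):
        r = best_route(table, host_in_vlan710)
        print(f"{name}: {host_in_vlan710} -> {r.kind} via {r.via}; "
              f"crosses firewall: {crosses_firewall(table, host_in_vlan710)}")
```

With the SVI present, the lookup for any VLAN 710 host returns the connected route, so the core forwards directly on the VLAN and the firewall policies on the FGT are never consulted. Removing the SVI and pointing the core's route at the FGT's LAN address forces the LAN-to-VLAN direction through the firewall; the VLAN 710 hosts then use the FGT's vlan710 address as their default gateway so the return direction crosses it as well.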


OK that makes more sense!

Thanks for the help

