OK, first, my firewall works as is, but I don't think it's set up right. My internal network is a /18, and the LAN is a /24 contained in that /18. I have the /18 set up as a static route on the LAN network, basically pointing the /18 route at the L3 Meraki switch I have behind the firewalls.
All the rules work as is today, BUT on inbound rules I have to leave To = any. I still set the From, Source and Destination. On outbound rules I'm able to set all four: From, To, Source, Destination. If I set the To on the inbound rule, the rule doesn't work. Should my LAN interface be configured as a 255.255.192.0 instead of a 255.255.255.0?
Hi @Bovie2k,
Please provide more details about your issue. Please provide a screenshot if possible.
Regards,
@hbac Sure here we go
Here is the Interface on a /24
Here is my static route going to the L3 router which is contained on the Interface /24
Example: Internet to DMZ, where I can put in the From, To, Source and Destination.
Example: Internet to Inside, where I cannot put in the To. I can have a Source and Destination, but if I put in a To of my LAN, traffic doesn't pass.
Example: outbound from LAN. This is where I'm fine to put the LAN as the From, and it works fine.
Also, you didn't explain why you have to have a /18 static route instead of a /24 route toward the Meraki L3 switch. Are there more subnets on the switch side in addition to the LAN subnet?
Toshi
@Toshi_Esumi thanks for the response. Yes, there are tons of subnets within that /18 that the Meraki L3 switch routes to, which is why I have the static route for the /18: if the IP is within that /18, send it to the Meraki L3 and it routes it to the correct client, usually through other L3 switches, as we have multiple locations with dark fiber connected to the Meraki L3 switch.
Created on 02-05-2024 05:01 PM Edited on 02-05-2024 05:02 PM
Have you tried creating a new policy Internet-zone -> (the VLAN interface name toward the Meraki SW) for that /24 destination only, in addition to the existing policy Internet-zone -> any, and then placing it above the existing "to-any" policy?
I'm guessing one of those destination address objects in the policy has its belonging interface specified other than the VLAN interface.
Toshi
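The suggestion above, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. Every interface name, address, policy ID and object name below is a constructed placeholder (wan1, lan-vlan, 10.10.0.0/18, 10.10.5.0/24, 10.10.5.2, Partner-Net, policy IDs 7 and 12); the real values come from the poster's own config.

```fortios
# Added example, not from the thread. All names and addresses are placeholders:
#   wan1          Internet-facing interface
#   lan-vlan      VLAN interface toward the Meraki L3 switch
#   10.10.0.0/18  the internal summary range
#   10.10.5.0/24  the LAN subnet, directly connected on lan-vlan
#   10.10.5.2     the Meraki L3 switch, sitting inside the LAN /24
#   7             existing Internet-zone -> any policy
#   12            the new, more specific policy created below

# Summary route: anything else in the /18 goes via the Meraki on lan-vlan.
# The LAN /24 itself is a connected route on lan-vlan, so a route lookup for
# any LAN host already returns lan-vlan as the egress interface.
config router static
    edit 0
        set dst 10.10.0.0 255.255.192.0
        set gateway 10.10.5.2
        set device "lan-vlan"
    next
end

# Destination object for the /24 only. associated-interface is left unset
# ("any"), matching the practice described later in the thread.
config firewall address
    edit "LAN-24"
        set subnet 10.10.5.0 255.255.255.0
    next
    edit "Partner-Net"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# New policy with the To (dstintf) pinned to the VLAN interface, a specific
# destination, a specific source and a specific service.
config firewall policy
    edit 12
        set name "Internet-to-LAN24"
        set srcintf "wan1"
        set dstintf "lan-vlan"
        set srcaddr "Partner-Net"
        set dstaddr "LAN-24"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Place it above the existing to-any policy so it is evaluated first.
    move 12 before 7
end

# Check: the policy's dstintf must equal the interface this lookup returns
# for a LAN host. If it returns something other than lan-vlan, the specific
# policy can never match and traffic falls through to the to-any policy.
get router info routing-table details 10.10.5.10
```

Policy selection on a FortiGate is driven by the route lookup for the destination: the policy's To interface has to be the interface that lookup returns. The last command is the quickest way to confirm which interface that is for a LAN address before blaming the address objects.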
Toshi, good call, it's not hitting that rule. Everything is identical for my test except the To. It's like it doesn't realize I'm in the To location.
Do I have to set the Interface on the Address Object to my To? Right now it's Any.
Created on 02-05-2024 05:33 PM Edited on 02-05-2024 05:33 PM
I added a new destination object with the interface set and it still isn't using that ACL. FWIW, my source object also has ANY as the interface.
We regularly don't specify the interface when creating objects but leave it "any", so that when we have to move the subnet to another interface, we don't have to change the address object itself.
Or, we regularly use routing protocols, so the interface for the route would change based on the routing at that time. We have to use "any".
Toshi
I created new objects with the interface specified for the source and destination, and it still doesn't hit the ACL above the working ACL. My only other idea is to change my LAN interface to a /18, but that feels wrong. I may open a case with support if there aren't other ideas. Thanks for the help anyway.