Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jfrye
Visitor

Created on ‎10-01-2024 12:45 PM

OT segregation with intervlan traffic

I am trying to use a fortigate 60F to segregate my OT network, so SCADA from ICS.  I already have switches in place, so trying to use what is there.  Currently testing on the bench, with 2 managed switches connected to the FGT, each switch represents one VLAN, as below:

 

VLAN 10 - 10.1.0.0/24

VLAN 11 - 10.1.1.0/24

 

I have assigned physical interfaces (left at 0.0.0.0/0) to VLAN switches (as above). 

Alternatively assigned VLAN interfaces to the physical interfaces (0.0.0.0/0 again).

Both with bidirectional firewall policies.

 

Using VLAN switches, which was the best result, I can link to one switch, and get to the FGT but not to a device or other switch in the other VLAN; the FGT can ping devices on either VLAN.  What am I missing?  Thanks.

Screenshot 2024-10-01 153123.pngScreenshot 2024-10-01 153047.png

 

Labels:
49
0 Kudos
1 REPLY 1
AEK
SuperUser
SuperUser

Created on ‎10-01-2024 02:09 PM

Which interfaces did you put in ICS Zone and SCADA Zone? Can you share a screenshot of the those interfaces' config?

On the other hand (but not related to your issue) I don't think it is a good idea to NAT the traffic, unless you have a good reason.

AEK
AEK
29
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.