Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AHJARR
New Contributor II

Created on ‎11-26-2024 07:46 AM

Override FortiGate block-intra vlan traffic

Hello guys!

Override FortiGate block-intra vlan traffic.

Is it possible to override  block-intra vlan I have two client on the same subnet need to talk with each other. But in the same time I will like to block anything else to reach each other is it possible to do so.

 

Thank you 

 

750
0 Kudos
6 REPLIES 6
Toshi_Esumi
SuperUser
SuperUser

Created on ‎11-26-2024 07:59 AM

I would try what the NOTE in the admin guide says:
https://community.fortinet.com/t5/Support-Forum/Override-FortiGate-block-intra-vlan-traffic/m-p/3601...

Toshi

733
0 Kudos
AHJARR
New Contributor II
In response to Toshi_Esumi

Created on ‎11-26-2024 02:13 PM

Hello @Toshi_Esumi Thank you for your reply.

What do you mean by try the note in the admin guide?

648
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to AHJARR

Created on ‎11-26-2024 02:18 PM

Sorry. I pasted a wrong link.
https://docs.fortinet.com/document/fortiswitch/7.4.5/fortilink-guide/801169/blocking-intra-vlan-traf...

The NOTE is below but basically the same with what @AEK said.

When intra-VLAN traffic blocking is enabled, to allow traffic between hosts, you need to configure the proxy ARP with the config system proxy-arp CLI command and configure a firewall policy. For example:

 

config system proxy-arp

edit 1

set interface "V100"

set ip 1.1.1.1

set end-ip 1.1.1.200

next

end

 

config firewall policy

edit 4

set name "Allow intra-VLAN traffic"

set srcintf "V100"

set dstintf "V100"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "ALL"

next

end

 

638
AEK
SuperUser
SuperUser

Created on ‎11-26-2024 08:22 AM

Hi

Did you try to enable block-intra-VLAN traffic, then create a firewall policy to allow only the required traffic, like this:

  • Src intf: VLAN-X
  • Dst intf: VLAN-X (same)
  • Src: Client1-IP
  • Dst: Client2-IP
  • Service: ping, ...etc

Hope it helps.

AEK
AEK
715
AHJARR
New Contributor II
In response to AEK

Created on ‎11-26-2024 02:12 PM

Hi @AEK Thank you for your reply 

I have already tried that doesn't work):

650
0 Kudos
FredPaul
New Contributor III

Created on ‎11-26-2024 02:30 PM

Is this what you're looking for?

https://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/801169/blocking-intr...


-Fredrik
-Fredrik
611
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.