Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bluemerle
New Contributor II

Traffic from new VLAN interface in Zone gets blocked

I have a zone on the FortiGate named "VPN Zone", which includes both SSL-VPN and IPsec.

We are now testing a ZTNA appliance that is connected via the X1 interface -> VLAN 101.

I added the VLAN 101 interface to the existing "VPN Zone" and included its subnet in the existing rules.

As a result, LAN clients can communicate with devices inside VLAN 101. However, devices inside VLAN 101 are being blocked by the FortiGate from accessing LAN.

FortiAnalyzer reports that the traffic is blocked by policy ID 0, showing the source interface as "VLAN 101". This makes sense, since there are no explicit policies referencing that interface, only the zone.


Any idea why the existing permit rules for the zone do not trigger for VLAN 101 outgoing, but incoming is fine?


FG200F v7.4.8

1 Solution
bluemerle
New Contributor II

Got it working by moving the clients to another subnet and using the VLAN101 as a transport net. So the fault was the appliance assigning IPs to the VLAN101.

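A worked example of the layout the solution describes (added here, not the poster's or Fortinet's configuration; the interface names, addresses and the zone's other members are assumptions): VLAN 101 on X1 carries only the FortiGate-to-appliance hop, the clients sit on a separate subnet reached through the appliance, and the zone policy matches that client subnet. The trailing debug-flow commands are the check for which policy a dropped packet hit (policy 0 is the implicit deny the FortiAnalyzer log showed).

```text
# FortiOS CLI, example only. 10.101.0.0/24 is the constructed transport net,
# 10.200.0.0/24 the constructed client subnet behind the appliance.
config system interface
    edit "VLAN101"
        set vdom "root"
        set interface "x1"
        set vlanid 101
        set ip 10.101.0.1 255.255.255.0      # FortiGate's transport address (assumed)
        set allowaccess ping
    next
end

config system zone
    edit "VPN Zone"
        append interface "VLAN101"           # keeps the existing zone members
    next
end

# Clients no longer live on VLAN 101; route their subnet via the appliance
config router static
    edit 0
        set dst 10.200.0.0 255.255.255.0
        set gateway 10.101.0.2               # appliance's transport address (assumed)
        set device "VLAN101"
    next
end

config firewall address
    edit "ZTNA-clients"
        set subnet 10.200.0.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "VPN-Zone-to-LAN"
        set srcintf "VPN Zone"
        set dstintf "lan"                    # LAN interface name (assumed)
        set srcaddr "ZTNA-clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Check: trace a client packet and read which policy id it matched
diagnose debug flow filter saddr 10.200.0.10
diagnose debug enable
diagnose debug flow trace start 10
```

With the clients still addressed out of VLAN 101 itself, the trace is also where a reverse-path or "policy 0" verdict shows up before any zone policy is consulted.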

2 Replies
AEK
SuperUser

FortiOS doesn't allow you to mix the SSL VPN interface with other interface types.

Putting it in a zone means you are somehow trying to fool it, but FortiOS can't be fooled so easily ;)

Try removing SSL VPN from the zone (use a separate policy) and it should work.

AEK
