We have this FortiGate 40F that has been set up in a certain way, but we're not entirely sure if it actually does what we expect it to do.
We have a small office with a main tenant and a subtenant. Their networks should be separated.
Also there is a guest network that should of course also be separated from the other two.
The main tenant operates on 192.168.54.0, the subtenant on 192.168.41.0 and the guest network is 192.168.31.0.
I attached some screenshots from the FortiGate UI. Is it possible to tell from those screenshots if those three "areas" are separated from each other so that for example a device in 192.168.41.0 can't connect to anything in the 192.168.54.0 area?
The switch is some UniFi product that has the ports used in the subtenant's part of the office set up with the corresponding VLAN ID. The guest WiFi does the same.
At first sight it seems to do as it should, meaning the subtenants receive IPs from the 192.168.41.0 range if they plug in and the devices on the guest WiFi receive IPs from the 192.168.31.0 range.
However, I've read that VLANs aren't actually separated "by default" and that devices from the different VLANs can interact with each other. If this is true, the setup would only be "cosmetically" fine (different areas have different IP ranges) but the intended security aspect wouldn't be met.
If it's just an L3 router, those VLAN interfaces can talk to each other. That's the purpose of routers: to connect networks.
The FortiGate is a firewall with L3 router features. Without policies like lan<->XXXerdhcp, lan<->guestdhcp, etc., they cannot talk to each other. That's the purpose of a firewall: to restrict/control traffic between connected networks.
That's the situation I meant in "Without policies like lan<->XXXerdhcp..." above. You just need to add a policy to allow XXXerdhcp->lan to the printer's address. One direction should suffice since printer access is generally one way.
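A FortiOS CLI fragment, added here as an illustration (it is not from the original thread or from Fortinet's own documentation), showing the shape of the setup the answer above describes: the three networks as separate interfaces, and exactly one inter-VLAN policy, from the subtenant VLAN to the printer on the main tenant's network. The interface name "subtenant" (standing in for the redacted XXXerdhcp), the parent port "internal1", the VLAN IDs and the printer address 192.168.54.10 are assumptions; "lan" and "guestdhcp" are taken from the answer.

```text
# Assumed VLAN sub-interfaces on an assumed parent port "internal1".
# VLAN IDs and the "subtenant" interface name are placeholders.
config system interface
    edit "subtenant"
        set vdom "root"
        set ip 192.168.41.1 255.255.255.0
        set interface "internal1"
        set vlanid 41
    next
    edit "guestdhcp"
        set vdom "root"
        set ip 192.168.31.1 255.255.255.0
        set interface "internal1"
        set vlanid 31
    next
end

# Address object for the shared printer (placeholder host on the main tenant's subnet).
config firewall address
    edit "printer"
        set subnet 192.168.54.10 255.255.255.255
    next
end

# The only policy between the networks: subtenant -> lan, destination limited
# to the printer. With no lan<->subtenant, lan<->guestdhcp or subtenant<->guestdhcp
# policy in the other directions, every other inter-VLAN packet hits the
# implicit deny at the bottom of the policy table and is dropped.
config firewall policy
    edit 0
        set name "subtenant-to-printer"
        set srcintf "subtenant"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "printer"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# To confirm that anything else really is blocked, trace a test flow on the CLI
# (for example a ping from a subtenant host to a main-tenant host):
#   diagnose debug flow filter saddr 192.168.41.50
#   diagnose debug flow trace start 10
#   diagnose debug enable
```

A flow that matches no accept policy shows up in the trace as denied by policy 0, the implicit deny, which is the behaviour the question is asking about; a hit on "subtenant-to-printer" shows the policy ID assigned at creation instead.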