I was wondering if it is possible to use a zone that is blocking intra-zone traffic and create policies to only allow some specific traffic between the interface members of the zone? Or is the "Block intra-zone traffic" an all-or-nothing option?
Something like this:
Source interface: ZONE
Destination interface: ZONE
Source IP: SOME_SERVER
Destination IP: SOME_OTHER_DEVICE
This post seems to imply that this is (or was) possible, but I just can't get it to work: https://forum.fortinet.com/tm.aspx?m=115382
The idea is that we are redesigning a network with 90+ remote sites connected through VPN, with 10+ interfaces each. Almost all of these remote interfaces have no need to communicate with each other, except for some devices that need communication between interfaces. If we could create one zone, block traffic globally, and then only allow some services, it would be much easier to manage in the long run than creating 4-5 zones and having to create rules for all of them to communicate with the VPN.
Anyone have an idea?
Pierre,
It seems to me like this should work, no problem. I've only done zone-to-zone rules once or twice, but it worked fine for me. Maybe there's something else going on related to the VPN specifically?
What do the logs tell you? I don't know if you have a FortiAnalyzer, but we log *everything* to it and it saves our bacon constantly when something goes wrong.
- Daniel
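As an added illustration of the setup Pierre describes and the log check Daniel suggests (this is example configuration written for this page, not something posted in the thread): a zone with intra-zone traffic blocked, one explicit policy that names the zone as both source and destination interface to open a single flow, and the debug-flow commands that show which policy a test session actually matches. The interface names, the two host addresses and the HTTPS service are assumptions; substitute your own.

```fortios
# Added example, not from the thread. Interface names, addresses and the
# HTTPS service are assumptions for illustration.

# Address objects for the two endpoints that are allowed to talk.
config firewall address
    edit "SOME_SERVER"
        set subnet 10.10.1.10 255.255.255.255
    next
    edit "SOME_OTHER_DEVICE"
        set subnet 10.20.1.20 255.255.255.255
    next
end

# Zone with intra-zone traffic blocked: members can only reach each other
# through a policy whose srcintf and dstintf are both the zone itself.
config system zone
    edit "ZONE"
        set intrazone block
        set interface "site01-vpn" "site02-vpn" "site03-vpn"
    next
end

# Single explicit intra-zone policy. Everything else between zone members
# falls through to the implicit deny. "edit 0" lets FortiOS assign the ID.
config firewall policy
    edit 0
        set name "ZONE-server-to-device-https"
        set srcintf "ZONE"
        set dstintf "ZONE"
        set srcaddr "SOME_SERVER"
        set dstaddr "SOME_OTHER_DEVICE"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# Verification: trace a few packets for the destination host and read the
# "policy id" / "denied" lines to see which rule the session hit.
diagnose debug flow filter addr 10.20.1.20
diagnose debug flow trace start 20
diagnose debug enable
# (generate a test connection from SOME_SERVER to SOME_OTHER_DEVICE here)
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

Two practical points: an interface cannot be added to a zone while an existing policy still references it directly, so the old per-interface rules have to be removed or rewritten first; and the policy above only covers sessions initiated by SOME_SERVER, so a connection started from SOME_OTHER_DEVICE needs its own intra-zone policy in the reverse direction. With `logtraffic all` set, denied intra-zone sessions also show up in the forward-traffic log, which is the quickest way to confirm whether the block or a misordered policy is the cause.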
Copyright 2025 Fortinet, Inc. All Rights Reserved.