Hello everyone. I have a Fortigate in which, with 2 physical interfaces, I have created a software switch.
In that switch I have created some Vlans with IP. Traffic between those Vlans doesn't work without policies, which is what I'm looking for. Its ok.
However I have read about intra-switch-policy explicit and have verified that the policies that work are between the interfaces that make up the software switch. On the other hand, the IP, I give it to the switch software instead of the vlans. I have not been able to ping any Vlan within the software switch with the intra-switch-policy explicit command. It doesn't work even allowing , into permit all policys, the Vlans that I create and the physical interfaces of the switch software. I can Only ping traffic between the interfaces of the software switch, wich have the same IP.
So what I want is the first option, which works just the way I want it to. But I wonder if this way of configuring the switch software could give me security problems. And if I can't reach the IP of the Vlans of the switch software because I'm doing something wrong (despite having tried everything).
Is it possible to connect to the ip of the vlans of the switch software in an explicit mod or with this mode you can only make rules between the ports that make it up? Thank you ¡¡¡
If you just want to control inter-VLAN routing then you are fine as-is.
If you want to control intra-VLAN (that is traffic within the same VLAN) you need to make some changes.
Let's just review fundamental networking concepts before we move on. You are suprised that VLAN 50 is passing through but you should not be. If the two switches were connected together directly (without FGT in the middle) and you were not doing any VLAN pruning on the trunk interface then the behaviour would be exactly the same: VLAN50 tagged packets would travel across the trunk no problem. There would be no filtering. The connections to the FortiGate is just a VLAN trunk—no pruning and no filtering on L2.
Once you create the VLAN interfaces on the FortiGate you are now able to control traffic at L3; that is, inter-VLAN traffic.
Is this what you want?
Also, one thing to note is that a software switch will push all network processing to the CPU and not use the NP ASIC. Depending on your FGT model this could case serious performance issues. Do you have the ability to create a hardware switch on your FGT model? Or do you have the abiltiy to change your topology? Can the second switch be daisy-chained off the first switch?
If you are trying to reach from VLAN2 > SoftwareSwitch via ping (VLAN2 is bounded to SoftwareSwitch), you will still need firewall policy from Vlan2 to softwareSwitch. Maybe I don't understand entirely what is not working. I would recommend to share packet capture for the ICMP ping that is failing and you can also do debug flow. Then we will have better idea what is exactly not working and which traffic flow does not work.
Explicit intra-switch-policy does not have direct effect on if some traffic will work or not (except the fact that you need to have valid policies).
I must apologize, I don't speak English well and it's hard for me to explain myself.
What really amazes me about the switch software is the way it works. I have done a lab and I have verified that if you connect a device to a port that sends 802.1q traffic in VLAN 50 and another port on the same software switch that sends 802.1q tagged traffic in Vlan 50 they can communicate with each other without creating the VLAN in the switch software (no gateway needed). The software switch does not look at the tag and the traffic passes even if you have several vlans created in the switch software.
However, if we want to route the VLANS with others from the switch software, or other firewall ports, it does distinguish the VLANs. When you are routing traffic distinguishes the tagg.
That's why I was wondering if explicit mode might be more recommended, but I've read that in that mode you can only make rules for traffic coming through the software switch ports, between them. But not with other Firewall ports. Therefore, this option is not valid for me and I will have to understand how the switch software works in level 2 since it seems that if there is no routing, it communicates everything that happens between its ports regardless of anything. Similar to a HUB?
I really appreciate your help and I will continue investigating to see if I can understand and get used to the fact that the traffic that goes through it, at level 2, seems to not take the label into account and see if this could pose a security problem between the Vlans created in the switch software, to route between them with policies through the firewall, which will be the gateway for each of them.
You are describing the basic functionality of a switch. Packets with the same 802.1q VLAN tags will be forwarded between ports that exist in VLAN50. If your software switch has VLAN50 configured then yes of course the FortiGate will just forward those packets between interfaces.
The only thing intra-switch-policy explicit does it prevent that default switch behaviour and reuqires you to have FW policies defined even for devices in the same VLAN.
When intra-switch-policy explicit is enabled you will not be able to ping the L3 interface on the FW (it acts like a transparent mode FW—all layer 2, no layer 3).
Each switch has several VLANS defined bypassing the trunk ports. The 2 switches and the firewall have the same vlans defined and the Layer 3 of each vlan is defined in to the software switch (the gateway). VLAN 50 is defined in both switches, but is not defined in software switch.
The goal is that there are servers from the Vlans at both ends, on both switches, and the traffic between the different vlans is controlled by the firewall with policies. That is why the gateway of each vlan is in the software switch. The vlans needs to communicate with each other and also with other ports in the firewall.
Effectively all traffic will be forwarded regardless of 802.1q tagging between port1 and por2 when no routing occurs with no vlan defined. And that's what it took me to understand. Maybe it's my misconception, but I was surprised that the tagged traffic passes between the 2 ports without a defined vlan and, on the other hand, the packet enters in to de firewall using port1 and leaves port2 keeping the tag of the Vlan 50 not defined in to the software switch.
That is why I thought of defining an explicit switch port, but I have seen that it could not communicate the traffic it generates with other firewall ports.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.