Support Forum
obi
New Contributor

Block traffic Internal to Internal

Hi, I have 2 address ranges: A 192.168.1.[1-10] and B 192.168.1.[30-60]. Now I made a policy where I deny any traffic from A to B.

Source Interface: Internal
Source Address: 192.168.1.[1-10]
Destination Interface: Internal
Destination Address: 192.168.1.[30-60]
Schedule: always
Service: ANY
Action: DENY

Unfortunately the rule doesn't work. There are some switches between the PCs and the firewall. Does anyone know why I can't block the traffic (or only some services) from one internal IP/range to another, or what I am doing wrong? I have a FG110C with firmware 4.0 MR3 Patch 15.

Thanks in advance,
obi
ede_pfau
Esteemed Contributor III

Yes, exactly. It works, I've set this up some time ago to test it.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
danto
New Contributor

Hi, if the subnets are different it will work and the traffic will be routed through the Fortigate; however, in this case it will not. It is a basic rule of networking. If the addresses are in the same subnet, the traffic will flow between the hosts directly, no gateway, no routing involved, and for that reason the firewall rules will not have any effect.
There is no patch for human stupidity...
emnoc
Esteemed Contributor III

Agreed. You're trying to use a L3 device to filter something that involves L2. A packet capture and diag debug flow will easily show you that the rule is not going to be matched.

PCNSE 

NSE 

StrongSwan  
ede_pfau
Esteemed Contributor III

Anyone read my post from October 29? Same statement, and one suggestion how to solve this. IMHO there is nothing else necessary for such a simple topic.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
bongbk
New Contributor

I have the same problem. I would like to block traffic between the IP ranges 192.168.10.0/24 and 192.168.20.0/24 in internal.

I set rule :

Source Interface: Internal
Source Address: 192.168.10.0/24
Destination Interface: Internal
Destination Address: 192.168.20.0/24
Schedule: always
Service: ANY
Action: DENY

 

These are 2 distinct IP network ranges, but it does not work. Please give me advice. Thanks in advance.

emnoc
Esteemed Contributor III

The diag debug flow is your friend. I'm surprised to see this thread still around. Back to the topic: if you want to use one interface "internal" and carry two unique subnets, then just use secondaries and then this firewall policy would work. But two hosts on the same subnet (layer 2) are not going to be controlled by a simple layer 3 firewall policy; this is networking 101.

PCNSE 

NSE 

StrongSwan  
ede_pfau
Esteemed Contributor III

Jeez. Thread is 3 years old and was ANSWERED.

@emnoc: using secondary IPs is just for implicitly creating routes, to avoid Reverse Path checks/drops. You can create static routes to both subnets as well to achieve this.

 

If the FGT is the (only) router, and the subnets do not overlap, and there's no policy allowing this traffic then there will be no traffic allowed. You can even leave out the policy altogether - implicit deny / policy 0 will take care of that.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
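To make the two situations in this thread concrete (same-subnet hosts never reach the gateway at all; hosts in different subnets reach it but need a route on the FortiGate, via a secondary IP or a static route, before any policy is evaluated), here is an added Python model. It is not code from the thread or from FortiOS; the class `GatewayModel`, the function `flow_outcome`, the outcome labels and the simplified reverse-path check are all illustrative assumptions, and the hosts are assumed to use the FortiGate as their default gateway.

```python
import ipaddress

# Constructed model of a FortiGate with one "internal" interface.
# Primary and secondary interface IPs become connected routes; static
# routes are added separately. Illustration only, not FortiOS behaviour.


class GatewayModel:
    def __init__(self):
        self.routes = []  # list of (IPv4Network, interface name)

    def add_interface_ip(self, iface, cidr):
        """Primary or secondary IP on an interface -> connected route."""
        self.routes.append((ipaddress.ip_interface(cidr).network, iface))

    def add_static_route(self, cidr, iface):
        self.routes.append((ipaddress.ip_network(cidr), iface))

    def route_for(self, ip):
        """Longest-prefix match; None when the gateway has no route."""
        ip = ipaddress.ip_address(ip)
        hits = [(net, iface) for net, iface in self.routes if ip in net]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def flow_outcome(gw, src_cidr, dst_ip):
    """Classify a packet from a host configured as src_cidr to dst_ip.

    'bypasses-firewall': destination is on the host's own subnet, so the
        host ARPs for it directly and the switch delivers it; the gateway
        (and every policy on it) never sees the packet.
    'no-route': the gateway receives it but has no route to dst.
    'rpf-drop': simplified reverse-path check, no route back to the source.
    'policy-evaluated': the packet is routed, so a deny policy (or the
        implicit deny) can take effect.
    """
    src = ipaddress.ip_interface(src_cidr)
    dst = ipaddress.ip_address(dst_ip)
    if dst in src.network:
        return "bypasses-firewall"
    if gw.route_for(dst) is None:
        return "no-route"
    if gw.route_for(src.ip) is None:
        return "rpf-drop"
    return "policy-evaluated"
```

With only the primary 192.168.10.1/24 on internal, a 192.168.10.x host talking to 192.168.20.x gets "no-route"; adding a secondary 192.168.20.1/24 or a static route for 192.168.20.0/24 on internal turns that into "policy-evaluated", while the original 192.168.1.x to 192.168.1.x case stays "bypasses-firewall" regardless.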
go4it
New Contributor

Hi Obi,

 

If I am not wrong, you cannot do this.

If your Fortigate is in NAT/route mode, there is a switch between all ports in Internal.

Firewall policies only work if packets are routed.

I propose to make separate subnets.

 

gr,

go4it

 

ede_pfau
Esteemed Contributor III

@go4it:

How is 192.168.10.0/24 and 192.168.20.0/24 not separate subnets??


Ede

"Kernel panic: Aiee, killing interrupt handler!"