ASR
New Contributor

How does intra-switch-policy explicit work?

Hi all, I'm experiencing some issues with a software switch configuration.

 

To elaborate, I have two sets of interfaces (configured as 802.3ad Aggregate) named INT1 and INT2, both as members of a software switch.

The software switch has the option of Intra-switch policy Explicit enabled.

 

Within the software switch, I have defined a VLAN (100). However, when attempting to ping from a PC on VLAN 100 connected to INT1 to another PC on VLAN 100 connected to INT2, the connection doesn't work.

 

I'm aware of the need to specify a policy to permit traffic between the PCs, but every kind of test I have made has yielded no result.

 

Does anyone have any ideas on how the policy should be set?

 

Thank you,

8 REPLIES
ozkanaltas
Contributor III

Hello @ASR ,

 

If you want clients to communicate with each other in the same VLAN, you need to change the intra-switch policy from explicit to implicit. In your configuration (explicit) you need to configure a firewall policy like src vlan100 dst vlan100 to allow intra-VLAN traffic.

 

You can find more information about the intra-switch policy in this link.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Software-switch-policy/ta-p/198381

 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
ASR
New Contributor

Hi Ozkanaltas, thank you for your suggestion.

I've already added a policy from VLAN100 to VLAN100 with no restrictions on source, destination, and service, but it's not working.

 

Is there something else I need to do to enable this kind of traffic?

 

Thanks,

ozkanaltas
Contributor III

Hi @ASR ,

 

Which scenario do you prefer? All traffic is allowed by the switch, or you want to create a policy for this traffic.

 

If you want all traffic allowed in the switch, you can change your intra-switch policy from explicit to implicit.

 

set intra-switch-policy implicit

 

For the second scenario, can you run a traffic sniffer on the CLI? After that, can you try to reach one client from the other client? Also, can you share the output with us?

 

diagnose sniffer packet any 'host x.x.x.x and host x.x.x.x' 4 a (You need to change x.x.x.x to the client IP address)

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
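The two scenarios described in the replies above, written out as FortiOS CLI. This is an added example, not configuration posted in the thread; the software switch name "SW1", the VLAN interface name "VLAN100", the subnet 10.100.0.0/24 and the PC addresses 10.100.0.11 and 10.100.0.12 are assumptions, while INT1 and INT2 are the two aggregates from the question. It also shows the sniffer command run on the VLAN interface with the documented count and timestamp arguments.

```fortios
# Added example (not from the thread). Assumed names: software switch "SW1",
# VLAN interface "VLAN100", PC addresses 10.100.0.11 and 10.100.0.12.
# INT1 and INT2 are the two 802.3ad aggregates from the question.
config system switch-interface
    edit "SW1"
        set vdom "root"
        set member "INT1" "INT2"
        # explicit: every flow through the switch, including traffic between
        # two hosts in the same VLAN, must match a firewall policy.
        # Use "implicit" to let the switch forward everything without
        # policies (the first scenario above).
        set intra-switch-policy explicit
    next
end

# VLAN 100 carried on the software switch (assumed subnet 10.100.0.0/24)
config system interface
    edit "VLAN100"
        set vdom "root"
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
        set interface "SW1"
        set vlanid 100
    next
end

# In explicit mode, the policy for PC-to-PC traffic inside VLAN 100 uses the
# VLAN interface as both the source and the destination interface.
config firewall policy
    edit 0
        set name "VLAN100-intra"
        set srcintf "VLAN100"
        set dstintf "VLAN100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Verification: sniff on the VLAN interface while pinging from PC1 to PC2.
# Verbosity 4 prints the interface name per packet, count 0 means unlimited,
# and "a" selects absolute timestamps. No packets at all means the frames
# are not reaching the FortiGate (check the aggregate on the switch side);
# packets on VLAN100 with no matching session point at the policy.
diagnose sniffer packet VLAN100 'host 10.100.0.11 and host 10.100.0.12' 4 0 a
```

Running the same sniffer with the interface set to `any` shows on which member (aggregate, switch or VLAN interface) the frames are actually seen, which is the quickest way to tell a policy problem from a link-aggregation problem.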
hbac
Staff

Hi @ASR,

 

Are those 802.3ad Aggregate interfaces connected to FortiSwitches? You need to run a packet sniffer to make sure traffic is reaching the FortiGate.

 

Regards, 

ASR
New Contributor

Hi @hbac, yes, we have two 802.3ad aggregate interfaces as members of the software switch. VLANs are defined within the software switch.

 

@ozkanaltas The strange thing is, I don't see any traffic (whether permitted or denied) from the two hosts behind the aggregate ports.

 

On which interface should I expect to view traffic? VLAN level, software switch level, or interface aggregate level?

 

Thank you

 

hbac

@ASR,

 

Since traffic is going to the same subnet, the switch will not forward it to the default gateway by default. Are you using FortiSwitch? 

 

Regards, 

ASR
New Contributor

No, it's configured on a FortiGate 400F, and behind the aggregate interfaces are Cisco switches.

 

It's set up with two trunk interfaces that are 802.3ad aggregates and members of a software switch. In a single stack configuration, it should resemble the following:

[image: 400.PNG]

 

 

However with explicit configuration, I can't see any packets being transmitted between PC1 and PC2, and vice versa.

 

Regards,

ozkanaltas
Contributor III

Hello @ASR ,

 

I think the problem is in the aggregate configuration.

 

Why did you need the aggregate configuration? I think you don't need an aggregate configuration on the FortiGate. Anyway, software switching will use the relevant cables as if they were a single cable.

 

Did you configure the aggregate on the switch as well? If you didn't, the aggregate will not work with a one-sided configuration.

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW