Created on 10-18-2023 09:42 PM. Edited on 02-28-2024 12:04 AM by Jean-Philippe_P.
Description: This article describes how to allow or block intra-zone traffic within a zone.
Scope: FortiGate.
Solution:
Intra-zone traffic can be allowed or blocked for a zone by enabling or disabling the 'Block intra-zone traffic' option in the zone settings.
The same setting can also be enabled or disabled from the CLI:
config system zone
    edit <zone_name>
        set intrazone {allow | deny}
    next
end
For finer control, configure 'set intrazone allow' on the zone and then add firewall policies that block only the traffic that should not pass. For example, traffic in one direction (port1 --> port4) can be blocked while the opposite direction (port4 --> port1) stays allowed inside the zone.
Such a firewall policy must use the same zone as both its source and destination interface. When 'set intrazone allow' is configured, all intra-zone traffic is implicitly allowed, so no firewall policy is needed to permit traffic between a source IP and a destination IP that are located in the same zone; policies are only required for the traffic that should be denied.
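The following CLI configuration is an added example, not part of the original article: a zone with 'set intrazone allow' plus a single deny policy that blocks new sessions from the port1 side to the port4 side, while the opposite direction falls through to the implicit intra-zone allow. The zone name, interface members and subnets (10.1.1.0/24 behind port1, 10.4.4.0/24 behind port4) are constructed for the example.

```text
# Zone containing both interfaces; intra-zone traffic is allowed by default
config system zone
    edit "LAN_ZONE"
        set interface "port1" "port4"
        set intrazone allow
    next
end

# Address objects for the hosts behind each member interface (constructed values)
config firewall address
    edit "NET_PORT1"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "NET_PORT4"
        set subnet 10.4.4.0 255.255.255.0
    next
end

# Deny policy with the zone as both source and destination interface.
# Only port1 -> port4 is matched; port4 -> port1 is not listed and is
# therefore still allowed by the zone's intrazone allow setting.
config firewall policy
    edit 0
        set name "Block_port1_to_port4_intrazone"
        set srcintf "LAN_ZONE"
        set dstintf "LAN_ZONE"
        set srcaddr "NET_PORT1"
        set dstaddr "NET_PORT4"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Because the firewall is stateful, the deny policy affects only sessions initiated from the port1 side; reply packets belonging to a session that a port4 host opened toward port1 are still matched to the existing session and pass.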
During troubleshooting, 'diagnose debug flow' will not show any messages for this traffic; the connection can be tracked only with 'diagnose sniffer packet' and by filtering the session list. Example of a session list entry for a session between two hosts in the same zone when 'set intrazone allow' is configured (the hosts are located behind two different interfaces that belong to the same zone):
session info: proto=6 proto_state=01 duration=27 expire=3591 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
Copyright 2024 Fortinet, Inc. All Rights Reserved.