FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jbindra
Staff
Article Id 279733
Description This article describes how to allow or block intra-traffic in the zone.
Scope FortiGate.
Solution

It is possible to allow or block intra-zone traffic by enabling or disabling the 'Block intra-zone traffic' option.

(Screenshot: zone.PNG)

It is also possible to enable or disable it from the CLI:

config system zone
    edit 'zone_name'   <--- 'Test' in this case.
        set intrazone allow   <--- use 'set intrazone deny' to block intra-zone traffic.
    next
end

(Screenshot: test1.PNG)

For finer control, it is possible to 'set intrazone allow' for the zone and then add firewall policies that block specific traffic.

For example, it is possible to block traffic in one direction (port1 --> port4) while allowing the opposite direction (port4 --> port1) inside the zone.

Such a firewall policy must use the same zone as both its source and destination interface.

If 'set intrazone allow' is configured (all intrazone traffic is explicitly allowed), no firewall policy is needed to allow traffic between a source IP and a destination IP located in the same zone.
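
As an added example (not from the original article), the full CLI for the scenario above: zone 'Test' with intrazone allow, plus a deny policy that blocks only the port1 --> port4 direction. Because member interfaces cannot be referenced individually once they belong to a zone, the direction is expressed by address; the /24 subnets, address names, interface members and policy ID are assumptions based on the two hosts in the session output below.

```text
# Added example, not from the article. Zone name 'Test' is from the article;
# interface members, subnets, address names and policy ID 10 are assumed.
config system zone
    edit "Test"
        set interface "port1" "port4"
        # traffic inside the zone that matches no policy is allowed
        set intrazone allow
    next
end

config firewall address
    edit "net_behind_port1"
        # assumed /24 behind port1 (host 172.28.177.36 in the session output)
        set subnet 172.28.177.0 255.255.255.0
    next
    edit "net_behind_port4"
        # assumed /24 behind port4 (host 172.28.36.20 in the session output)
        set subnet 172.28.36.0 255.255.255.0
    next
end

config firewall policy
    edit 10
        set name "deny-port1-to-port4"
        # same zone as both source and destination interface
        set srcintf "Test"
        set dstintf "Test"
        set srcaddr "net_behind_port1"
        set dstaddr "net_behind_port4"
        set action deny
        set schedule "always"
        set service "ALL"
        # log the denied sessions so the block is visible in the traffic log
        set logtraffic all
    next
end
```

Sessions from port4 to port1 match no policy and fall through to the zone's 'set intrazone allow', so they are still permitted.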
During troubleshooting, 'debug flow' will not show any messages for this traffic; the connection can only be tracked using 'diagnose sniffer' and by filtering the session list. Below is an example session list entry for a session between two hosts in the same zone when 'set intrazone allow' is configured (the hosts are located behind two different interfaces but in the same zone). Note policy_id=4294967295 in the output: the session matched no configured firewall policy and was allowed by the zone's intrazone setting.

session info: proto=6 proto_state=01 duration=27 expire=3591 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=0.0.0.0/100.64.127.2 vlan_cos=0/0
state=may_dirty npu synced
statistic(bytes/packets/allow_err): org=20597/188/1 reply=281657/255/1 tuples=2
tx speed(Bps/kbps): 744/5 rx speed(Bps/kbps): 10186/81
orgin->sink: org pre->post, reply pre->post dev=27->20/20->27 gwy=172.28.177.1/172.28.36.1
hook=pre dir=org act=noop 172.28.177.36:63858->172.28.36.20:445(0.0.0.0:0)
hook=post dir=reply act=noop 172.28.36.20:445->172.28.177.36:63858(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=205f7bd9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
npu info: flag=0x82/0x82, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
total session 1