Bovie2k
New Contributor

Fortinet From To Source Destination

Ok, first, my firewall works as is, but I don't think it's set up right. My internal network is a /18 and the LAN is a /24 contained in that /18. I have the /18 set up as a static route on the LAN network, basically pointing the /18 route at the L3 Meraki switch I have behind the firewalls.

 

All the rules work as is today, BUT on inbound rules I have to leave To = any. I still set the From, Source and Destination. On outbound rules I'm able to set all 4: From, To, Source, Destination. If I set the To on the inbound rule, the rule doesn't work. Should my LAN interface be configured as a 255.255.192.0 instead of a 255.255.255.0?

 

hbac
Staff

Hi @Bovie2k

 

Please provide more details about your issue. Please provide a screenshot if possible.

 

Regards,

Bovie2k
New Contributor

@hbac Sure, here we go.

 

Here is the Interface on a /24

Interface slash 24.png

Here is my static route going to the L3 router, which is contained in the Interface /24

Static Route to slash 18.png

 

Example: Internet to DMZ, where I can put in the From, To, Source and Destination

Internet to DMZ works.png

 

Example: Internet to Inside, where I cannot put in the To. I can have a Source and Destination, but if I put in a To of my LAN, traffic doesn't pass

Internet to LAN Have to have ANY.png

 

Example: outbound from LAN. This is where I'm fine to put the LAN as the From, and it works fine.

LAN to Internet can use From.png

Toshi_Esumi
SuperUser

Also, you didn't explain why you have to have a /18 static route instead of a /24 route toward the Meraki L3 switch. Are there more subnets on the switch side in addition to the LAN subnet?

 

Toshi

Bovie2k

@Toshi_Esumi thanks for the response. Yes, there are tons of subnets within that /18 that the Meraki L3 switch routes to, which is why I have the static route for the /18: if the IP is within that /18, send it to the Meraki L3, and it routes it to the correct client, usually through other L3 switches, as we have multiple locations with dark fiber connected to the Meraki L3 switch.

Toshi_Esumi

Have you tried creating a new policy Internet-zone->(the VLAN interface name toward the Meraki SW) for that /24 destination only, in addition to the existing policy Internet-zone->any, then placing it above the existing "to-any" policy?

I'm guessing one of those destination address objects in the policy has its belonging interface specified as something other than the VLAN interface.

Toshi
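To make the suggestion above concrete, here is an added illustration (not Fortinet code, and not something posted in this thread) of the order in which a FortiGate resolves the "To" side: the route lookup for the destination picks the egress interface first, and only then is the policy list scanned top-down for the first rule whose From, To, Source and Destination all match. It also models the case Toshi guesses at, an address object bound to a different interface than the one the route resolves to, which silently stops the specific policy from matching. All interface names, subnets, gateways and policy names are constructed.

```python
# Added illustration (not Fortinet code): a small model of how a FortiGate
# decides the "To" side of a policy. The route lookup for the destination
# picks the egress interface first; only then is the policy list scanned
# top-down for the first rule whose From/To/Source/Destination all match.
# Interface names, subnets, gateways and policy names below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    device: str                      # egress interface
    gateway: Optional[str] = None    # None for a connected route


@dataclass
class Address:
    name: str
    network: ipaddress.IPv4Network
    interface: str = "any"           # the "Interface" field of an address object


@dataclass
class Policy:
    name: str
    srcintf: str                     # From
    dstintf: str                     # To ("any" or an interface name)
    srcaddr: Address                 # Source
    dstaddr: Address                 # Destination


def lookup_route(routes: List[Route], dst_ip) -> Optional[Route]:
    """Longest-prefix match over the routing table (accepts a str or address)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def _intf_matches(policy_intf: str, actual_intf: str) -> bool:
    return policy_intf == "any" or policy_intf == actual_intf


def _addr_matches(obj: Address, ip: ipaddress.IPv4Address, intf: str) -> bool:
    # An address object bound to an interface is only considered on that interface.
    if obj.interface != "any" and obj.interface != intf:
        return False
    return ip in obj.network


def match_policy(policies: List[Policy], routes: List[Route],
                 src_intf: str, src_ip: str, dst_ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (matched policy name or None, egress interface or None)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    route = lookup_route(routes, dst)
    if route is None:
        return None, None            # no route: dropped before any policy is consulted
    egress = route.device            # this is what the policy's "To" is compared against
    for p in policies:
        if (_intf_matches(p.srcintf, src_intf)
                and _intf_matches(p.dstintf, egress)
                and _addr_matches(p.srcaddr, src, src_intf)
                and _addr_matches(p.dstaddr, dst, egress)):
            return p.name, egress
    return None, egress


# Constructed topology: interface "lan" on 10.20.0.0/24, with the rest of
# 10.20.0.0/18 reached through an L3 switch at 10.20.0.2 behind that interface.
ROUTES = [
    Route(ipaddress.ip_network("10.20.0.0/24"), "lan"),
    Route(ipaddress.ip_network("10.20.0.0/18"), "lan", gateway="10.20.0.2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan1", gateway="203.0.113.1"),
]
ALL = Address("all", ipaddress.ip_network("0.0.0.0/0"))
LAN_24 = Address("LAN_24", ipaddress.ip_network("10.20.0.0/24"))
LAN_24_BOUND_TO_DMZ = Address("LAN_24_dmz", ipaddress.ip_network("10.20.0.0/24"), interface="dmz")

# Specific wan1->lan policy placed above the broad wan1->any policy.
POLICIES = [
    Policy("inet-to-lan", "wan1", "lan", ALL, LAN_24),
    Policy("inet-to-any", "wan1", "any", ALL, ALL),
]
# Same layout, but the destination object is bound to the wrong interface,
# so the specific policy can never match and traffic falls through to "any".
POLICIES_MISBOUND = [
    Policy("inet-to-lan", "wan1", "lan", ALL, LAN_24_BOUND_TO_DMZ),
    Policy("inet-to-any", "wan1", "any", ALL, ALL),
]

if __name__ == "__main__":
    for pols in (POLICIES, POLICIES_MISBOUND):
        print(match_policy(pols, ROUTES, "wan1", "203.0.113.7", "10.20.0.50"))
        print(match_policy(pols, ROUTES, "wan1", "203.0.113.7", "10.20.5.10"))
```

The model shows two things worth checking on a real unit: the "To" interface is whatever the routing table returns for the destination (in the constructed topology both the connected /24 and the /18 static route resolve to the same interface, so a wan1->lan policy is eligible for both), and an address object whose Interface field is set to anything other than that egress interface is never considered, so the policy below it catches the traffic instead.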

Bovie2k

Toshi, good call, it's not hitting that rule. Everything is identical for my test except the To. It's like it doesn't realize I'm in the To location.

 

Do I have to set the Interface on the Address Object to my To? Right now it's Any.

 

Screenshot 2024-02-05 at 17.28.27.png

Screenshot 2024-02-05 at 17.23.24.png

Bovie2k

I added a new destination object with the interface set, and it still isn't using that ACL. FWIW, my source object also has ANY as the interface.

Toshi_Esumi

We regularly don't specify the interface when creating objects but leave it "any", so that when we have to move the subnet to another interface, we don't have to change the address object itself.
Or, we regularly use routing protocols, so the interface would change for the route based on the routing at that time. We have to use "any".

Toshi

Bovie2k

I created new objects with the interface specified for the source and destination, and it still doesn't hit the ACL above the working ACL. My only other idea is to change my LAN interface to a /18, but that feels wrong. I may open a case with support if there aren't other ideas. Thanks for the help anyway.
