Support Forum
pfrancoeur
New Contributor

Zone, intra-zone traffic blocking and policy?

I was wondering if it is possible to use a zone that is blocking intra-zone traffic and create policies to only allow some specific traffic between the interface members of the zone? Or is the "Block intra-zone traffic" an all-or-nothing option?

Something like this:

Source interface: ZONE
Destination interface: ZONE
Source IP: SOME_SERVER
Destination IP: SOME_OTHER_DEVICE

This post seems to imply that this is (or was) possible but I just can't get it to work: https://forum.fortinet.com/tm.aspx?m=115382

The idea is that we are redesigning a network with 90+ remote sites connected through VPN, with 10+ interfaces each. Almost all of these remote interfaces have no need to communicate with each other, except for some devices that need communication between the interfaces. If we could create one zone, block traffic globally and then only allow some services, it would be much easier to manage in the long run than creating 4-5 zones and having to create rules for all of them to communicate with the VPN.

Anyone has an idea?

lobstercreed
Valued Contributor

Pierre,
It seems to me like this should work, no problem. I've only done zone-to-zone rules once or twice, but it worked fine for me. Maybe there's something else going on related to the VPN specifically?

What do the logs tell you?  I don't know if you have a FortiAnalyzer, but we log *everything* to it and it saves our bacon constantly when something goes wrong.
- Daniel
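As an added illustration, not configuration posted by either participant, this is the FortiOS CLI shape of what the question describes: a zone whose members are blocked from talking to each other by default, plus a single zone-to-zone policy that permits only one address pair and one service. The interface names port1 and port2, the service HTTPS and the policy name are assumptions for the example; the address objects SOME_SERVER and SOME_OTHER_DEVICE are the placeholders from the question and must exist as firewall address objects before the policy references them. Traffic logging is enabled on the policy and on the implicit deny so that, as the reply suggests, the logs show whether a session matched this policy or fell through to the deny.

```fortios
# Added example, not from the thread. Interface and object names are placeholders.

config system zone
    edit "ZONE"
        # Member interfaces may not reach each other unless an explicit
        # ZONE -> ZONE firewall policy permits the traffic.
        set intrazone deny
        set interface "port1" "port2"
    next
end

config firewall policy
    edit 0
        set name "ZONE-allow-server-to-device"
        set srcintf "ZONE"
        set dstintf "ZONE"
        set srcaddr "SOME_SERVER"
        set dstaddr "SOME_OTHER_DEVICE"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # Log every session on this policy, not only UTM events.
        set logtraffic all
    next
end

config log setting
    # Log sessions dropped because no policy matched (they appear with
    # policy ID 0), so blocked intra-zone attempts are visible too.
    set fwpolicy-implicit-log enable
end
```

Anything between the zone members that is not SOME_SERVER to SOME_OTHER_DEVICE on HTTPS still hits the intra-zone deny, so adding a second exception means adding a second narrow ZONE-to-ZONE policy rather than loosening this one; with implicit-deny logging on, the traffic log distinguishes a session that is matching the wrong policy from one that is reaching the deny, which is the first thing to check when a flow like the question's VPN traffic does not pass.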
