- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- 3rd party wifi and security
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3rd party wifi and security
Just received the 60e and I have a ASUS 86u wireless router.
Is it possible so that certain wireless users to be put in a security group ( by mac address) so those users can access any of the other internal hosts, and those that are not in the group can only access the internet? There is one un-managed network switch connected to the 60e which has a number of ethernet connected devices, and the wifi AP is connected to a port on the 60e.
I was not sure if I can create a hardware switch and then separate that from the rest of the network for only wifi users. Put the internal and wifi inteface into a new zone, enabled block intra communication and then create a policy that allows the group members access to anything internal.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a few ways to accomplish this, but it sounds like you've got a pretty good one planned out. It should work fine! :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was was under the impression that even if you create anew interface and plug in the wifi access point to it, all internal lan can still access all resources and vice versa..
what other ways do you recommend?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps I misunderstood, but it sounds like you already know that out of the box the "internal" network is a hardware switch of all the internal ports, so you were suggesting breaking that apart and putting the wifi router on its own interface, right? This would prevent traffic between the "internal" interfaces and the port you broke apart, unless that traffic is defined in a policy. You further mentioned grouping these into a zone, which would enable them to communicate again unless you block intrazone traffic which you stated you would. So then you'll create an intra zone policy (source and destination "interface" (zone in this case) would be the same) to match the traffic based on device group (Mac addresses).
Other ways to accomplish this include doing everything you listed above except not putting them into a zone and simply creating a policy between the interface for the router and the "internal" hardware switch. Same result in the end. I suppose it might complicate your outbound policies (to the Internet), so in that case the zone is better. You could also further subdivide the FortiGate such that you have even more control over each port's interaction with each other port. This just depends on your needs. Like I said, you have a really good plan in place, so I wasn't meaning before to suggest you do anything different, but confirming that you were on the right track! :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lobstercreed wrote:Perhaps I misunderstood, but it sounds like you already know that out of the box the "internal" network is a hardware switch of all the internal ports, so you were suggesting breaking that apart and putting the wifi router on its own interface, right? This would prevent traffic between the "internal" interfaces and the port you broke apart, unless that traffic is defined in a policy. You further mentioned grouping these into a zone, which would enable them to communicate again unless you block intrazone traffic which you stated you would. So then you'll create an intra zone policy (source and destination "interface" (zone in this case) would be the same) to match the traffic based on device group (Mac addresses).
Other ways to accomplish this include doing everything you listed above except not putting them into a zone and simply creating a policy between the interface for the router and the "internal" hardware switch. Same result in the end. I suppose it might complicate your outbound policies (to the Internet), so in that case the zone is better. You could also further subdivide the FortiGate such that you have even more control over each port's interaction with each other port. This just depends on your needs. Like I said, you have a really good plan in place, so I wasn't meaning before to suggest you do anything different, but confirming that you were on the right track! :)
After trial and error, I didn't get it!
I did break away the switch, gave the wifi AP it's own port on the Fortinet 60e, and also had DHCP on its own on that device. Internet works fine, and the only issue now is on the main interface with my devices, I cannot access that other interface network the wireless.
I tried create a new policy, to allow my INTERNAL network into WIFI devices. Great.
I tried to create a policy to allow just certain IPs on the wifi network into the internal network. Didn't know how. I have DHCP reservations for those few trusted wifi devices. I tried creating a custom device & group under User & devices, but when I went to the firewall policy and for the source selected the trusted device group, I get this error:
One address, address group, or Internet service is required...
So then I tried to create an address, with that IP, so I could create a group of 2-3 ips that are trusted, but I cannot create an address with an IP, only subnet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also some how it let me now create an address, but when I put in the address IP, it said
One or more members are associated with an interface (internal). Only addresses that are not associated with an interface, or are associated with internal can be added.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NEVER associate an address with an interface when creating.
Now you know why. You chose the wrong interface. Your wifi device addresses are on the WiFi interface (your SSID).
Delete them and recreate new. Then put them into an address group.
My advice:
forget about the device group. Unless someone fakes one of the reserved addresses you're safe.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ede_pfau wrote:I don't follow. So create the address, but don't put an interface, leave it blank? What is the downside of putting in the interface for the address?NEVER associate an address with an interface when creating.
Now you know why. You chose the wrong interface. Your wifi device addresses are on the WiFi interface (your SSID).
Delete them and recreate new. Then put them into an address group.
My advice:
forget about the device group. Unless someone fakes one of the reserved addresses you're safe.
Not sure what you mean by delete and re-create? What should I delete, the address?
Also, don't use device group? Use addresses? What is the purpose of device groups? It was easier I thought? Right now I have to create a DHCP reservation for the device, then create an address, then put it in the address group. I thought it would be easier to just create the dhcp reservation, add the device to custom group?
Related Posts
- FortiExtender Cloud 24.1 is now Released! 107 Views
- Captive Portal provided by Cisco ISE... 777 Views
- Unable to unblock site via category... 527 Views
- FortiOs 7.4.1 issues 227 Views
- Are these features supported by FortiEDR 266 Views
Labels
-
FortiGate
6,416 -
FortiClient
1,279 -
5.2
801 -
5.4
639 -
FortiManager
557 -
6.0
416 -
FortiAnalyzer
408 -
5.6
362 -
FortiSwitch
329 -
FortiAP
322 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
238 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
102 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
81 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
61 -
Wireless Controller
56 -
SSL-VPN
52 -
FortiProxy
43 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
37 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
FortiPortal
17 -
VLAN
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Routing
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
Interface
10 -
VDOM
10 -
FortiWeb v5.0
9 -
BGP
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
Security profile
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
Web application firewall profile
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
OSPF
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.