Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
suthomas1
New Contributor

interface zones

Good day all,

 

Using zones in our fortigate firewall. Is traffic within the same source & same destination zone allowed by default or it needs a rule in place?

 

Suthomas
Suthomas
1 Solution
Toshi_Esumi
Esteemed Contributor III

If you want to control further, you can "set intrazone allow" for the zone then add policies to block some traffic, like blocking one direction int1->int2 while allowing the opposite direction int2->int1 inside the zone, with the same zone as its src and dst interface in the same policy. We recently needed to do that based on a customer's requirement.

View solution in original post

6 REPLIES 6
Toshi_Esumi
Esteemed Contributor III

I would assume it's blocked by default because all zones at our office has "Block intra-zone traffic" enabled, means deny. But you can easily change it via GUI or CLI (set intrazone allow).

suthomas1

that means it traffic within same zone is not blocked by default? if you have the block intrazone traffic enable in your firewall.?

Suthomas
Suthomas
James_G

Toshi is correct about "Block intra-zone traffic" - you have option of enabled or disabled

 

Your options are everything open, or everything blocked, you have no other granular options

Toshi_Esumi
Esteemed Contributor III

If you want to control further, you can "set intrazone allow" for the zone then add policies to block some traffic, like blocking one direction int1->int2 while allowing the opposite direction int2->int1 inside the zone, with the same zone as its src and dst interface in the same policy. We recently needed to do that based on a customer's requirement.

James_G

toshiesumi wrote:

If you want to control further, you can "set intrazone allow" for the zone then add policies to block some traffic, like blocking one direction int1->int2 while allowing the opposite direction int2->int1 inside the zone, with the same zone as its src and dst interface in the same policy. We recently needed to do that based on a customer's requirement.

Every days a school day, didn't know you could do this.

Toshi_Esumi
Esteemed Contributor III

It's obvious but you have to specify source and destination subnets to control that.

I just had the same "aha" moment last night as well.

Labels
Top Kudoed Authors