interface zones (Answered)

Author
suthomas1
Silver Member
  • Total Posts : 76
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/05/07 06:08:23
  • Status: offline
2020/08/06 18:18:30 (permalink)
0

interface zones

Good day all,
 
Using zones in our fortigate firewall. Is traffic within the same source & same destination zone allowed by default or it needs a rule in place?
 
#1
Toshi Esumi
Expert Member
  • Total Posts : 2240
  • Scores: 215
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: interface zones 2020/08/06 22:53:23 (permalink)
0
I would assume it's blocked by default because all zones at our office have "Block intra-zone traffic" enabled, which means deny. But you can easily change it via GUI or CLI (set intrazone allow).
#2
suthomas1
Silver Member
  • Total Posts : 76
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/05/07 06:08:23
  • Status: offline
Re: interface zones 2020/08/07 00:39:53 (permalink)
0
That means traffic within the same zone is not blocked by default? Only if you have "Block intra-zone traffic" enabled in your firewall?
#3
James_G
Gold Member
  • Total Posts : 247
  • Scores: 11
  • Reward points: 0
  • Joined: 2016/02/28 02:55:47
  • Status: offline
Re: interface zones 2020/08/07 02:47:35 (permalink)
5 (1)
Toshi is correct about "Block intra-zone traffic" - you have the option of enabled or disabled.
 
Your options are everything open or everything blocked; you have no other granular options.
#4
Toshi Esumi
Expert Member
  • Total Posts : 2240
  • Scores: 215
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: interface zones 2020/08/07 07:51:26 (permalink) - Best Answer, marked by suthomas1 2020/08/07 17:57:37
5 (1)
If you want to control further, you can "set intrazone allow" for the zone then add policies to block some traffic, like blocking one direction int1->int2 while allowing the opposite direction int2->int1 inside the zone, with the same zone as its src and dst interface in the same policy. We recently needed to do that based on a customer's requirement.
#5
James_G
Gold Member
  • Total Posts : 247
  • Scores: 11
  • Reward points: 0
  • Joined: 2016/02/28 02:55:47
  • Status: offline
Re: interface zones 2020/08/07 08:34:48 (permalink)
0
toshiesumi wrote:
If you want to control further, you can "set intrazone allow" for the zone then add policies to block some traffic, like blocking one direction int1->int2 while allowing the opposite direction int2->int1 inside the zone, with the same zone as its src and dst interface in the same policy. We recently needed to do that based on a customer's requirement.

Every day's a school day, didn't know you could do this.
#6
Toshi Esumi
Expert Member
  • Total Posts : 2240
  • Scores: 215
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: interface zones 2020/08/07 09:08:58 (permalink)
0
It's obvious but you have to specify source and destination subnets to control that.
I just had the same "aha" moment last night as well.
#7
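The approach from posts #4 and #7, written out as a FortiOS CLI fragment. This is an added example, not configuration from the thread or from Fortinet documentation; the zone name "LAN-ZONE", the member interfaces port2 and port3, and the two /24 subnets are assumptions chosen for illustration. It sets the zone to allow intra-zone traffic by default, then adds a deny policy for one direction (port2's subnet to port3's subnet) and an explicit accept for the reverse, both with the same zone as source and destination interface. As post #7 notes, the direction is only distinguishable by the source and destination addresses, so the address objects are what make the asymmetric rule work.

```fortios
# Zone with intra-zone traffic allowed by default (the thread's "set intrazone allow").
# With "set intrazone deny" instead, every permitted intra-zone flow would need its own policy.
config system zone
    edit "LAN-ZONE"
        set intrazone allow
        set interface "port2" "port3"
    next
end

# Address objects for the two member subnets (assumed values, chosen for this example).
config firewall address
    edit "NET-PORT2"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "NET-PORT3"
        set subnet 10.1.3.0 255.255.255.0
    next
end

# Policies are evaluated top-down, so the deny must sit above any broader intra-zone accept.
# "edit 0" asks FortiOS to assign the next free policy ID.
config firewall policy
    edit 0
        set name "deny-port2-to-port3"
        set srcintf "LAN-ZONE"
        set dstintf "LAN-ZONE"
        set srcaddr "NET-PORT2"
        set dstaddr "NET-PORT3"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "allow-port3-to-port2"
        set srcintf "LAN-ZONE"
        set dstintf "LAN-ZONE"
        set srcaddr "NET-PORT3"
        set dstaddr "NET-PORT2"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two points worth checking after applying something like this: confirm the deny policy's sequence number is above the accept (move it with "move <id> before <id>" in "config firewall policy" if not), and leave logging on the deny so that blocked intra-zone attempts show up in the traffic log rather than disappearing silently. Sessions initiated from port3 still get their return traffic, since the FortiGate is stateful and the deny only matches new flows originating from the port2 subnet.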