Blocking intra-VLAN traffic
If you are blocking intra-VLAN traffic on a FortiGate device for packets that ingress and egress on the same interface, you must disable traffic redirection in the global settings:
config system global
    set allow-traffic-redirect disable
end
You can block intra-VLAN traffic by aggregating all client traffic on the FortiGate unit alone. This prevents clients from reaching each other directly at layer 2 within the VLAN: clients can only communicate with the FortiGate unit. Once client traffic reaches the FortiGate unit, the FortiGate unit can decide what level of access to grant the client, shifting the client's network VLAN as appropriate, provided a firewall policy allows it and proxy ARP is enabled.
Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use disable to allow normal traffic on the specified VLAN.
Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, you can allow or block intra-VLAN traffic on the managed FortiSwitch units when the connection to the FortiGate device is lost.
To block intra-VLAN traffic using the FortiGate GUI:
- Go to Network > Interfaces.
- Select the interface and then select Edit.
- In the Edit Interface form, enable Block intra-VLAN traffic under Network.
To block intra-VLAN traffic using the FortiGate CLI:
config system interface
    edit <VLAN name>
        set switch-controller-access-vlan {enable | disable}
    next
end
NOTE:
- IPv6 is not supported between clients when intra-VLAN traffic blocking is enabled.
- Intra-VLAN traffic blocking is not supported when the FortiLink interface type is hardware switch or software switch.
- When intra-VLAN traffic blocking is enabled, to allow traffic between hosts, you need to configure proxy ARP with the config system proxy-arp CLI command and configure a firewall policy. For example:
config system proxy-arp
    edit 1
        set interface "V100"
        set ip 1.1.1.1
        set end-ip 1.1.1.200
    next
end
config firewall policy
    edit 4
        set name "Allow intra-VLAN traffic"
        set srcintf "V100"
        set dstintf "V100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
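As an added example that is not part of Fortinet's documentation or product, the following Python check parses a FortiOS-style configuration dump and flags two of the conditions described above: a VLAN interface with switch-controller-access-vlan enabled while allow-traffic-redirect is still enabled, and a same-interface accept policy on such a VLAN that has no matching proxy-arp entry. The parser and the sample configuration are constructed for this example, and it assumes allow-traffic-redirect is enabled whenever it is not explicitly set to disable.

```python
import shlex
# Constructed sample config (not a real device dump): V100 blocks intra-VLAN
# traffic and has a same-interface policy, but proxy ARP is missing and
# allow-traffic-redirect was left enabled, so the audit should flag both.
SAMPLE_CONFIG = """
config system global
    set allow-traffic-redirect enable
end
config system interface
    edit "V100"
        set switch-controller-access-vlan enable
    next
end
config firewall policy
    edit 4
        set srcintf "V100"
        set dstintf "V100"
        set action accept
    next
end
"""

def parse_fortios(text):
    """Minimal config/edit/set/next/end parser into nested dicts (example code)."""
    stack = [{}]  # stack[-1] is the block currently being filled
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] in ("config", "edit"):  # open a nested block
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok and tok[0] == "set":  # key -> list of values
            stack[-1][tok[1]] = tok[2:]
        elif tok and tok[0] in ("next", "end"):  # close the current block
            stack.pop()
    return stack[0]

def audit_intra_vlan(text):
    """Return findings that contradict the intra-VLAN blocking requirements."""
    cfg, findings = parse_fortios(text), []
    blocked = {n for n, i in cfg.get("system interface", {}).items()
               if i.get("switch-controller-access-vlan") == ["enable"]}
    redirect = cfg.get("system global", {}).get("allow-traffic-redirect")
    if blocked and redirect != ["disable"]:  # assumed enabled unless disabled
        findings.append("system global: allow-traffic-redirect must be disabled")
    proxied = {e["interface"][0] for e in cfg.get("system proxy-arp", {}).values()
               if "interface" in e}
    for pid, p in cfg.get("firewall policy", {}).items():
        if p.get("action") == ["accept"] and p.get("srcintf") == p.get("dstintf"):
            for vlan in set(p.get("srcintf", [])) & (blocked - proxied):
                findings.append(f"firewall policy {pid}: no proxy-arp range on {vlan}")
    return findings
```

Running audit_intra_vlan(SAMPLE_CONFIG) returns both findings; adding the proxy-arp entry shown above and disabling allow-traffic-redirect clears them.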
To allow or block intra-VLAN traffic when the connection to the FortiGate device is lost:
config switch-controller fortilink-settings
    edit "<FortiLink_interface>"
        set access-vlan-mode {legacy | fail-open | fail-close}
    next
end
Option | Description |
---|---|
legacy | This is the default, which is backward compatible with 7.4.1 and earlier. |
fail-open | When the connection to the FortiGate device is lost, intra-VLAN traffic on the managed FortiSwitch units is allowed. |
fail-close | When the connection to the FortiGate device is lost, intra-VLAN traffic on the managed FortiSwitch units is blocked. |