Configure VLAN

Virtual Local Area Networks (VLANs) allow you to segment your network, maximize performance, and provide additional network security.

The settings in the instructions apply to FortiOS 6.x and 7.x versions. If you have a different version of FortiOS, you can find documentation for that version in the FortiGate control panel in the upper right corner or on the official FortiGate website.

To create two virtual networks with access to each other and to the Internet:

Create network interfaces.
Customize the security policy.

Create network interfaces

Graphical interface
CLI

FortiOS 6.x
FortiOS 7.x

Connect to the firewall.
Click the Network → Interfaces tab.
Specify the interface name.
In the Type field, select the value - VLAN.
In the VLAN ID field, specify the network ID.
In the Role field, select the value - LAN.
In the IP/Netmask field, specify the IP address and subnet mask for the VLAN.
Click OK.
Repeat steps 1-8 to create a second network interface.
Go to Policy & Objects → Addresses.
Click Create new.

Connect to the firewall.

Create two interfaces:

config system interface
     edit "<vlan_name_1>"
         set vdom root
         set ip <ip_address_1> <mask_1>
         set allowaccess ping https ssh
         set role lan
         set interface lan
         set vlanid <vlan_id_1>
     next
     edit "<vlan_name_2>"
         set vdom root
         set ip <ip_address_2> <mask_2>
         set allowaccess ping https ssh
         set role lan
         set interface lan
         set vlanid <vlan_id_2>
end

Specify:

<vlan_name_1> - name of the first network interface;
<ip_address_1> - The IP address to be assigned to the first interface;
<mask_1> - subnet mask of the first interface of the form 255.255.255.0;
<vlan_id_1> - identifier of the first interface;
<vlan_name_2> - name of the second interface;
<ip_address_2> - The IP address to be assigned to the second interface;
<mask_2> - subnet mask of the second interface of the form 255.255.255.0;
<vlan_id_2> - identifier of the second VLAN.

Add two addresses for the created VLANs:
```
config firewall address
    edit <vlan_address_1>
        set type ipmask
        set subnet <ip_address_1> <mask_1>
    next
    edit <vlan_address_2>
        set type ipmask
        set subnet <ip_address_2> <mask_2>
 end
```
Specify:
- <vlan_address_1> - name of the IP address assigned to the first VLAN;
- <ip_address_1> - The IP address assigned to the first VLAN;
- <mask_1> - subnet mask of the first VLAN;
- <vlan_address_2> - name of the IP address assigned to the second VLAN;
- <ip_address_2> - IP address. assigned to the second VLAN;
- <mask_2> - subnet mask of the second VLAN.

Customize the security policy

Graphical interface
CLI

Go to Policy & Objects → IPv4 Policy and create a new policy.
In the Incoming Interface field, select the first VLAN.
In the Outgoing Interface field, select the second VLAN.
In the Source field, select the address of the first VLAN.
In the Destination field, select the address of the second VLAN.
Make sure that NAT is disabled in the policy.
Repeat steps 1-6 to create a second policy. Swap the first and second VLANs in the policy.
Go to Policy & Objects → IPv4 Policy and create a new policy.
In Incoming Interface, select the first VLAN.
In Outgoing Interface, select the external interface.
In Source, select the address of the first VLAN.
In Destination, select the address of the external interface.
Repeat steps 8-12 to create a policy for the second VLAN.

Create a new policy:

config firewall policy
    edit 3
        set name "<vlan_name_1> to <vlan_name_2>"
        set srcintf "<vlan_name_1>"
        set dstintf "<vlan_name_2>"
        set srcaddr "<vlan_address_1>"
        set dstaddr "<vlan_address_2>"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 4
        set name "<vlan_name_2> to <vlan_name_1>"
        set srcintf "<vlan_name_2>"
        set dstintf "<vlan_name_1>"
        set srcaddr "<vlan_address_2>"
        set dstaddr "<vlan_address_1>"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

Specify:

<vlan_name_1> - name of the first network interface;
<vlan_name_2> - name of the second network interface;
<vlan_address_1> - name of the IP address assigned to the first VLAN;
<vlan_address_2> - name of the IP address assigned to the second VLAN.

Create two policies for each VLAN subnet for Internet access:

config firewall system
    edit 5
        set name "<vlan_name_1> to Internet"
        set srcintf "<vlan_name_1>"
        set dstintf "wan1"
        set srcaddr "<vlan_address_1>"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 6
        set name "<vlan_name_2> to Internet"
        set srcintf "<vlan_name_2>"
        set dstintf "wan1"
        set srcaddr "<vlan_address_2>"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Specify:

<vlan_name_1> - name of the first network interface;
<vlan_name_2> - name of the second network interface;
<vlan_address_1> - name of the IP address assigned to the first VLAN;
<vlan_address_2> - name of the IP address assigned to the second VLAN.