Skip to Content

Solved: How ‘Block intra-SSID traffic’ option on ssid configuration works on bridge mode ssid on FortiGate/FortiAP?

This article describes an overview of how ‘Block intra-SSID traffic’ option on SSID configuration works on the bridge mode SSID as there is slight variation between tunneled and bridged.


Tunneled mode:

  • Enabling Block intra-SSID traffic will restrict communication between 2 wireless clients connected on same SSID on FortiAPs.
  • In tunneled mode, the traffic will be completely blocked between 2 wireless clients on same SSID irrespective of the client associated FortiAPs (same FortiAP or different FortiAP).

Bridge mode:

  • The traffic between two wireless clients will be blocked when associated to same FortiAP.
  • The traffic will be allowed when wireless clients are associated to different FortiAP’s (though connected to same SSID).
  • Traffic coming to AP-1 through ethernet from AP-2 associated wireless clients, will be treated as wired traffic, hence will not be blocked.

In Simple, Bridge mode SSID with ‘Block intra-SSID traffic’ option enabled,

Wireless clients connected on Same SSID, Same FortiAP — communication blocked
Wireless clients connected on Same SSID, but different FortiAP — communication allowed (traffic will be considered as wired traffic between clients connected on different FortiAP’s. )This option in cli is available as ‘intra-vap-privacy’ under VAP configuration. Example as below,

# config wireless-controller vap
edit test <<<< test is the bridge SSID name
set intra-vap-privacy

intra-vap-privacy – Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable).



    Ads Blocker Image Powered by Code Help Pro

    Ads Blocker Detected!!!

    This site depends on revenue from ad impressions to survive. If you find this site valuable, please consider disabling your ad blocker.