Technical Tip: How to configure a local-in policy to allow only a specific subnet using the srcaddr-negate enable option
Description: This article describes how to configure a local-in policy to allow only specific subnets to access the FortiGate, using the srcaddr-negate enable option.
Scope: FortiGate.
Solution: A local-in policy is applied at the interface level to filter or deny traffic destined to the FortiGate itself.
Usually, two local-in policy rules are created to allow specific subnets and deny everything else. The first rule allows the permitted sources, which can be defined via a GEO IP object, an address object, or an address group. The second rule then denies all other IP addresses.
Example local-in policy configuration:
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allowed_subnet"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
end
The option 'srcaddr-negate enable' means the policy applies to all source addresses except the ones specified in the address object. It is used to exclude certain IP addresses or subnets from a policy.
Local-in policy configuration with the srcaddr-negate enable option:
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allowed_subnet"
        set srcaddr-negate enable
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
end
This single local-in policy rule denies all HTTPS traffic to the FortiGate except from the IP addresses in the 'Allowed_subnet' firewall address group.
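To show that the two-rule policy and the single srcaddr-negate rule reach the same decision for a given source, here is an added Python example (not from the article or from Fortinet) that parses both CLI blocks and evaluates a source IP against them. The subnet members assumed for Allowed_subnet and the first-match evaluation order are illustrative assumptions.

```python
import ipaddress
import re

# Constructed stand-ins for the article's address objects ("all" is the built-in any object).
ADDRESSES = {"Allowed_subnet": ["203.0.113.0/24", "198.51.100.10/32"], "all": ["0.0.0.0/0"]}

# The two configurations from the article, flattened the way the page shows them.
TWO_RULE_CFG = """config firewall local-in-policy
edit 1 set intf "wan1" set srcaddr "Allowed_subnet" set dstaddr "all" set action accept
  set service "HTTPS" set schedule "always" set status enable next
edit 2 set intf "wan1" set srcaddr "all" set dstaddr "all" set action deny
  set service "HTTPS" set schedule "always" set status enable next end"""
NEGATE_CFG = """config firewall local-in-policy
edit 1 set intf "wan1" set srcaddr "Allowed_subnet" set srcaddr-negate enable
  set dstaddr "all" set action deny set service "HTTPS" set schedule "always"
  set status enable next end"""

def parse_local_in_policy(cli_text):
    """Turn local-in-policy CLI into a list of rule dicts (every value is a list)."""
    rules, cur = [], None
    # Split on the CLI keywords so flattened and indented input both parse.
    for stmt in re.split(r"\s+(?=(?:edit|set|next|end)\b)", cli_text.strip()):
        words = stmt.split()
        if words[0] == "edit":
            cur = {"id": int(words[1]), "srcaddr-negate": ["disable"]}
        elif words[0] == "set" and cur is not None:
            cur[words[1]] = [w.strip('"') for w in words[2:]]
        elif words[0] == "next" and cur is not None:
            rules.append(cur)
            cur = None
    return rules

def evaluate(rules, intf, src_ip, service):
    """Return the action of the first matching enabled rule, else 'no-match'."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["status"] != ["enable"] or intf not in r["intf"] or service not in r["service"]:
            continue
        in_src = any(src in ipaddress.ip_network(net)
                     for name in r["srcaddr"] for net in ADDRESSES[name])
        if r["srcaddr-negate"] == ["enable"]:
            in_src = not in_src  # rule applies to every source EXCEPT the listed objects
        if in_src:
            return r["action"][0]
    return "no-match"

def compare(src_ip):
    """Decision of the two-rule policy vs. the single srcaddr-negate rule for one source."""
    return (evaluate(parse_local_in_policy(TWO_RULE_CFG), "wan1", src_ip, "HTTPS"),
            evaluate(parse_local_in_policy(NEGATE_CFG), "wan1", src_ip, "HTTPS"))
```

Sources outside Allowed_subnet are denied by both variants; an allowed source gets an explicit accept from the two-rule policy, while with the negate variant it matches no local-in rule and falls through to the FortiGate's default handling.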
Notes:
