slautenschlager
Staff
June 5, 2015

Technical Tip: How to deny access to a local IP in the FortiGate with a local-in policy


Description

This article describes how to restrict access to the FortiGate itself with a local-in policy, for example to reduce exposure to port scans or to allow only specific trusted IPs to manage the FortiGate.
 
Scope

FortiGate.


Solution

While security (firewall) policies control traffic that passes through the FortiGate, local-in policies control traffic destined to the FortiGate itself (to one of its own IP addresses), such as management traffic or VPN access.

Unlike firewall policies, local-in policies end with an implicit accept: anything not explicitly denied by a local-in policy is allowed. The following example denies TCP port 8000 from all sources on the outside interface (wan1) while allowing everything else.
 
  1. Create a Custom Service by going to Policy & Objects -> Services and selecting 'Create New'.

GUI:

  • Name: Port-8000.
  • Protocol Type: TCP/UDP/SCTP.
  • Protocol: TCP.
  • Destination Port: 8000.
  • Leave the other fields blank.
  • Select 'OK' to save.

 


 

Command Line:

config firewall service custom
    edit "Port-8000"
        set tcp-portrange 8000
    next
end

 
  2. Create the local-in policy.

Command Line:

config firewall local-in-policy
    edit 1
        set intf "wan1"          <----- External interface.
        set srcaddr "all"        <----- Source.
        set dstaddr "all"        <----- Destination.
        set action deny          <----- Action.
        set service "Port-8000"  <----- Custom service created in step 1.
        set schedule "always"
        set status enable
    next
end
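A complete configuration for the trusted-IP case mentioned in the Description, as an added example that is not part of the original article: only a management address group may reach HTTPS, SSH and ICMP on wan1, the same services are then denied from everyone else, and any other local-in traffic on wan1 (for example IPsec IKE) still falls through to the implicit accept. The address object names, the interface name wan1, the policy IDs 10 and 20 and the addresses 203.0.113.10 and 198.51.100.0/24 are assumptions; lines starting with # are annotations, not CLI input.

```fortios
# Added example, not from the original article. Names, IDs and addresses are
# assumptions: replace them with your own values.

# 1. Address objects for the hosts that are allowed to manage the FortiGate.
config firewall address
    edit "Admin-PC"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "NOC-Range"
        set subnet 198.51.100.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "Trusted-Mgmt"
        set member "Admin-PC" "NOC-Range"
    next
end

# 2. Local-in policies are evaluated top-down and the first match wins, so the
#    explicit accept for the trusted group must sit above the deny.
config firewall local-in-policy
    edit 10
        set intf "wan1"
        set srcaddr "Trusted-Mgmt"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH" "PING"
        set schedule "always"
        set status enable
    next
    edit 20
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH" "PING"
        set schedule "always"
        set status enable
    next
end
```

Apply policy 10 first, open a new management session from one of the trusted addresses to confirm it still works, and only then add policy 20; adding the deny first on the interface you are managing through locks you out. If the administrative ports were changed (admin-sport or admin-port under config system global), build custom services for those ports in step 1 and reference them instead of the built-in HTTPS and SSH objects. Confirm the final order with show firewall local-in-policy. The trusthost settings of the individual admin accounts remain a useful second layer, since local-in policies are only evaluated when a session is set up.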

 

To configure a local-in policy for IPv6:

config firewall local-in-policy6
    edit xxx
        set intf <interface>
        set srcaddr <IPv6 src address>
        set dstaddr <IPv6 dst address>
        set action {accept | deny}
        set service xxx
        set schedule always
        set virtual-patch {enable | disable}
        set status enable
    next
end

 

Note

If a local-in policy allowing 'ALL' services already exists, move the new deny policy above it, because local-in policies are evaluated top-down and the first match wins:

config firewall local-in-policy
    move <New policy ID> before <Old policy ID>
end

 

To verify the settings, from the CLI type:

config firewall local-in-policy
    show full-configuration
end

 
GUI:

Starting from v7.6.0, the same policy can also be created from the GUI (see the v7.6.0 New Features documentation).

 

Check the following article for creating local-in policies from the GUI: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI

If sessions from an external IP are already established, they must be cleared for the local-in policy to take effect, because the policy is only evaluated when a new session is set up.
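As an added example that is not in the original article, the following clears only the sessions the new deny policy would now block instead of the whole session table. Port 8000 is the service denied in the example above; the client address 203.0.113.50 is an assumption.

```fortios
# Added example, not from the original article. 203.0.113.50 is an assumed client.
# Reset any filter left over from an earlier diagnose session.
diagnose sys session filter clear
# Match only sessions to the denied port from the external client.
diagnose sys session filter dport 8000
diagnose sys session filter src 203.0.113.50
# Review the matching sessions before clearing anything.
diagnose sys session list
# Clear only the sessions that match the filter.
diagnose sys session clear
# Remove the filter so later diagnose commands see all sessions again.
diagnose sys session filter clear
```

Always set a filter before diagnose sys session clear: with no filter it clears every session on the unit, including the administrator's own. For IPv6 sessions use diagnose sys session6 with the same filter, list and clear subcommands.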

Traffic originating from the FortiGate is not restricted by the local-in policy. 


Note:
Ports handled by session helpers, such as SIP or SCCP, are not affected by this change.
To deny those, see the related articles.

 

Related articles:

Troubleshooting Tip: FortiGate session table information

Technical Tip: Enable and disable FortiGate system session helpers