train_wreck
New Member
April 9, 2020
Question

60E - Block traffic coming into firewall itself


I am getting hammered by a particular IP address on the WAN interface trying to brute force IPsec VPN (UDP port 500). How do I block traffic inbound to the device itself? I tried adding an IPv4 policy item with source & destination interface of "WAN1", a source address of the offending address, and a destination address of all. This did not work.


Cisco calls this the "control plane" traffic, which can be filtered just like regular interface access lists. Is this possible to do with Fortinet?


OS 6.0.

    2 replies

    Markus
    New Member
    April 9, 2020
    train_wreck
    New Member
    April 9, 2020

    Wow. According to that post, there is currently not a way to block inbound UDP port 500 or 4500 on an IP basis. This is something Cisco has no problem doing......

    ede_pfau
    SuperUser
    April 9, 2020

    What?

    config firewall local-in-policy
        edit 1
            set intf "wan1"
            set srcaddr "VPN_origin_countries"
            set dstaddr "all"
            set action accept
            set service "IKE"
            set schedule "always"
        next
    end

    works perfectly. Explained: only those IP addresses contained in address group "VPN_origin_countries" will be allowed to open IPsec negotiations.

    Augment the service with a service group containing further protocols, like ESP and AH.

    Finally, block "ALL" services from "any" address from accessing the FGT.

    shlomi
    New Member
    April 15, 2020