danfor443
New Member
June 29, 2020
Question

Allow ping access from a specific IP only

Hello everyone

The goal is that Nagios monitoring from the headquarters can ping the branch FortiGates on their external interface IP, respectively their public IP.

If I allow the "PING" service in the GUI under Interfaces -> <WAN>, then it works.

But then everyone may ping my external interface.

So I want to limit access and found the article "https://kb.fortinet.com/kb/documentLink.do?externalID=FD44156", which describes exactly what I need... but it won't work.

The firewall is a FortiGate 100E with version 6.0.9 build 0335 (GA).

***** The local-in policy as described in the KB article ******

config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "trusted-1"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
        set status enable
    next
end

where "trusted-1" == 12.12.12.12/32 (of course I changed the original source IP)

And "wan2" is the correct interface here.

************************************************************

***** Here is the syslog if I try a PING from IP 12.12.12.12 ******

Jun 29 12:09:54 xxxxx date=2020-06-29 time=12:09:10 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593425350 srcip=12.12.12.12 srcintf="wan2" srcintfrole="wan" dstip=34.34.34.34 dstintf="root" dstintfrole="undefined" sessionid=65326605 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"

Here I see "deny", policyid=0 and policytype=local-in-policy.

************************************************************

***** Or here is the output from "diagnose sniffer packet wan2 'host 12.12.12.12 and icmp' 4 0 1" ******

8.880774 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
9.889553 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
10.899540 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
11.909555 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
12.919622 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request

As you can see, no reply comes back.

************************************************************

The routing table is set correctly.

If I enable PING over the GUI on the WAN2 interface, it immediately works.

So the problem seems to be the local-in policy?!

Can anybody help me?

Has someone had the same problem?

Best Regards

Danfor

    1 reply

    ede_pfau
    SuperUser
    June 29, 2020

    set status disable
    ...seen this?

    danfor443 (Author)
    New Member
    June 29, 2020

    Hi Ede,

    Oh sorry, this is just because I did some troubleshooting and copied this part after I disabled it.

    Sorry, confusing.

    But it doesn't work with "set status enable".
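
The troubleshooting in this thread comes down to two artefacts: the local-in-policy CLI block and the traffic log line with subtype="local", action="deny" and policyid=0 (the implicit local-in deny). The following Python script is an added example, not code from the thread or from Fortinet: it parses both, resolves the policy's address objects (a constructed table; the thread only states that trusted-1 is 12.12.12.12/32), and reports whether an enabled policy should have matched the logged packet, whether the only matching entry is disabled (the case ede_pfau points at), or whether nothing covers the traffic at all. The log line and config block are constructed in the thread's format; the CLI parser is simplified (it knows only edit/set/next) and is an assumption, not a reimplementation of FortiOS.

```python
import ipaddress
import re
import shlex

# Constructed sample config: the thread's local-in policy as it appears in the FortiOS CLI.
SAMPLE_CONFIG = """
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "trusted-1"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
        set status enable
    next
end
"""

# Constructed address-object table (assumption); the thread states trusted-1 == 12.12.12.12/32.
ADDRESS_OBJECTS = {"trusted-1": "12.12.12.12/32", "all": "0.0.0.0/0"}

# Constructed log line in the same key=value format as the thread's syslog entry.
SAMPLE_LOG = (
    'date=2020-06-29 time=12:09:10 devname="fw" logid="0001000014" type="traffic" '
    'subtype="local" srcip=12.12.12.12 srcintf="wan2" dstip=34.34.34.34 proto=1 '
    'action="deny" policyid=0 policytype="local-in-policy" service="PING"'
)


def parse_kv_log(line):
    """Parse one FortiOS key=value log line into a dict; quoted values are unquoted."""
    rec = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        rec[key] = quoted if bare == "" else bare
    return rec


def parse_local_in_policies(text):
    """Parse a 'config firewall local-in-policy' block into a list of entry dicts.
    Settings with several values (e.g. set service "PING" "HTTPS") become lists."""
    policies, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = {"id": int(tokens[1])}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2] if len(tokens) == 3 else tokens[2:]
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def as_list(value):
    return value if isinstance(value, list) else [value]


def matching_policy(policies, rec, address_objects, ignore_status=False):
    """Return the first policy whose intf, srcaddr and service cover the log record.
    Disabled entries are skipped unless ignore_status is set."""
    src = ipaddress.ip_address(rec["srcip"])
    for p in policies:
        if not ignore_status and p.get("status", "enable") != "enable":
            continue
        if p.get("intf") != rec.get("srcintf"):
            continue
        cidrs = [address_objects.get(n) for n in as_list(p.get("srcaddr", "all"))]
        if not any(c and src in ipaddress.ip_network(c, strict=False) for c in cidrs):
            continue
        services = as_list(p.get("service", "ALL"))
        if "ALL" not in services and rec.get("service") not in services:
            continue
        return p
    return None


def diagnose(config_text, log_line, address_objects=ADDRESS_OBJECTS):
    """Explain a local-in log record in terms of the configured local-in policies."""
    rec = parse_kv_log(log_line)
    if rec.get("policytype") != "local-in-policy":
        return "not a local-in-policy log record"
    if rec.get("action") != "deny":
        return f"accepted by local-in policy {rec.get('policyid')}"
    if rec.get("policyid") not in ("0", None):
        return f"denied by local-in policy {rec['policyid']}"
    policies = parse_local_in_policies(config_text)
    hit = matching_policy(policies, rec, address_objects)
    if hit is not None:
        return (f"implicit deny (policyid=0) although enabled policy {hit['id']} matches; "
                f"re-check the address object and interface")
    hit = matching_policy(policies, rec, address_objects, ignore_status=True)
    if hit is not None:
        return f"policy {hit['id']} matches but has status disable"
    return f"no local-in policy covers {rec['service']} from {rec['srcip']} on {rec['srcintf']}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, SAMPLE_LOG))
    print(diagnose(SAMPLE_CONFIG.replace("set status enable", "set status disable"), SAMPLE_LOG))
```

Run against the thread's own data the first call reports the contradiction the original post describes (an enabled entry 1 matches, yet the log shows the implicit deny), and the second call, with the entry disabled as it was during the troubleshooting, points straight at the status setting. Feeding it a log line from a source outside trusted-1 shows the policy working as intended: the implicit deny is the expected result for every address the policy does not list.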