Skip to main content
phar
phar
New Member
October 22, 2024
Question

Fortigate 7.4.5 not blocking incoming management access attempts

  • October 22, 2024
  • 5 replies
  • 3753 views

Fortigate v7.4.5 build2702 (Mature)

 

I am trying to block large subnets that are trying to access the management interface of our firewall. Almost just like this page here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-Firewall-Policy-to-block/ta-p/197727

I've created an address subnet object then created the following firewall policy:

Name: Deny X.0.0.0

Incoming Interface: Any

Outgoing Interface: Any

Source: X.0.0.0-Net

Destination: All

Schedule: always

Service: All

Action: Deny

Log Violation

Enable Policy

 

Despite this I continue to see connection attempts being made. All of them either end in client-rst or server-rst. What am I missing? Or is there something else i need to do?

5 replies

spoojary
Staff
spoojary
Staff
October 22, 2024

create  local in policy : https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy

phar
pharAuthor
New Member
October 22, 2024

Thanks, I will check that out. Why does the firewall policy not block that incoming traffic?

RinoBroer
RinoBroer
Explorer III
October 22, 2024

It is important to know the difference between a firewall policy and a local-in policy. While firewall  policies control traffic flowing through the FortiGate, local-in policies control inbound traffic that is going to a FortiGate interface.

    phar
    pharAuthor
    New Member
    October 22, 2024

    Thanks again. This is a different way of doing things than other firewalls that I am familiar with.

    Back to the matter at hand. Since we're using Fortigate OS 7.4.5 I have to use the CLI to add this policy. Problem is that it doesn't take the policy. I don't get any errors but when I go to list the policies either through the CLI or the web interface, the new policy isn't there. What am I missing?
    I created geographical regions in the addresses area for China, India, and Russia.

    config firewall local-in-policy
    edit 11
    set intf any
    set srcaddr China India Russia
    set dstaddr all
    set service ALL
    set schedule always
    set action deny

    next
    end

    EDIT: Ok I take that back sort of. The GUI still does not show the new policy but when input the proper command in the CLI I see the new policy. However the CLI ONLY shows the new policy, and none of the ones that the GUI shows.

    EDIT2: It's definitely working as now there's a ton of traffic from those locations that's being denied according to the logs.

      jbindra
      Staff
      jbindra
      Staff
      October 22, 2024

      on earlier versions, we can only see local in policy from the CLI.

      The GUI support for local-in policy is supported on 7.6.0 firmware version 

      Please refer this link for more information: https://docs.fortinet.com/document/fortigate/7.6.0/new-features/308650/gui-support-for-local-in-policies

      Terms & ConditionsAccessibility statement