tungnx59
Explorer
October 4, 2024
Question

Fortigate: Local-in-policy block Access from internet and others connection

  • October 4, 2024
  • 2 replies
  • 3763 views

Dear All,

I have a FortiGate facing the internet. It has a public IP, a.a.a.a, on port wan1.

I have an IPsec tunnel to another site using the wan1 port as well, and I have a FortiManager managing the FortiGate through wan1 too.

I want to use a Local-in-policy to block unknown public IPs from accessing my FortiGate via the wan1 IP address.

My question is: if I apply the local-in-policy on wan1, can my IPsec tunnel and FortiManager still connect to my FortiGate?

Thanks!

2 replies

bkrishnan
Staff
October 4, 2024

Hello,
Please configure an address group that contains the legitimate IPs (IPsec peer ISP and FortiManager) and create a Local-in-Policy to block all other traffic.
Please follow the articles below:
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/201046/blocking-unwanted-ike-negotiations-and-esp-packets-with-a-local-in-policy

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy

tungnx59 (Author)
Explorer
October 4, 2024

That means, if I only apply a Local-in-policy for Trusthost to limit HTTPS access, then my FortiGate cannot access FortiManager and IPsec either, right?

I need more policies to allow the IPsec connection and FortiManager, right?

Toshi_Esumi
SuperUser
October 4, 2024

If you don't set any local-in-policy, which is the default, everything to all interfaces is allowed.
If you want to just block random HTTPS access to the wan1 interface, you need to allow your specific sources in the first policy only for HTTPS, then deny any other sources (any) only for HTTPS. FMG uses TCP 541, but that would not be blocked because the above policies are only for HTTPS.

However, if you don't use the wan1 interface for your own admin access, you can just uncheck HTTPS (or remove it from allowaccess in the CLI) in the wan1 interface config GUI.
Trusthost works in a different way. It's per admin user. You probably know that already.

Toshi

Atul_S
Staff & Editor
October 4, 2024

Hi,

You may consider creating two local rules. The first is a local allow rule at the top where you set the source address to all trusted IP addresses (best to create an address group for this) and allow services like HTTPS, SSH, PING, FMG-Access and IPsec. After that, you can create a second local-in rule blocking all IP addresses as source.

Thanks,
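A FortiOS CLI rendering of the two-rule approach described in this reply, added here as an illustration and not the poster's or Fortinet's own configuration. The two host addresses are constructed placeholders for the FortiManager and the IPsec peer; the service names used are FortiOS built-in service objects.

```fortios
# Trusted management sources (constructed example IPs; replace with the real ones)
config firewall address
    edit "FMG_host"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "IPsec_peer"
        set subnet 198.51.100.20 255.255.255.255
    next
end

# One group so both local-in rules reference a single object
config firewall addrgrp
    edit "Trusted_Mgmt_Sources"
        set member "FMG_host" "IPsec_peer"
    next
end

# Local-in policies are evaluated top-down by ID: the allow rule must come first.
# They only govern traffic addressed to the FortiGate itself on wan1,
# not traffic forwarded through the unit.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Trusted_Mgmt_Sources"
        set dstaddr "all"
        set action accept
        # HTTPS/SSH/PING for admin, FMG-Access (TCP 541) for FortiManager,
        # IKE (UDP 500/4500) and ESP for the IPsec tunnel
        set service "HTTPS" "SSH" "PING" "FMG-Access" "IKE" "ESP"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

Before applying the deny rule, confirm the source IPs are correct from a session that does not depend on wan1, since a wrong entry in the group locks out both management paths the thread is asking about.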