Skip to main content
FortiMax_it
FortiMax_it
Explorer III
September 22, 2023
Question

Local-in-policy and log

  • September 22, 2023
  • 2 replies
  • 7059 views

Hi, I have a Fortigate 60E firmware 7.4.1
I have a public subnet that very often tries to connect via IPSEC VPN to the firewall. I therefore created a local-in-policy to deny the connection to this subnet, but I continue to see the logs and I also receive emails from an automation that notifies me of unsuccessful VPN connections.
Shouldn't the local-in-policy block the source connection so it doesn't even create the log?
The firewall navigates with a public IP directly on its WAN.

 

 

 edit "Attempt_ipsec_167.0.0.0"         set uuid 006d9cf8-500d-51ee-cdb6-363058ded725         set subnet 167.0.0.0 255.0.0.0
config firewall local-in-policy     edit 1         set uuid d69d2fdc-500d-51ee-9cb8-ff27447660f2         set intf "WAN-Fibra"         set srcaddr "Attempt_ipsec_167.0.0.0"         set dstaddr "all"         set service "IKE" "ALL_ICMP" "VPN_SSL_9443"         set schedule "always"

 

 

 
IKE.jpg

 

log__.jpg

2 replies

anignan
Staff
anignan
Staff
September 22, 2023

Hi @FortiMax_it 

Can you confirm that your IKE service is UDP 500? Yes local-in should block it

Abdel

    FortiMax_it
    FortiMax_itAuthor
    Explorer III
    September 22, 2023

    Hi Abdel, thanks for the reply but what you tell me I think is more of a workaround because if I have a local-in-policy that blocks IPSEC traffic, why is the log created in the VPN events section?
    If traffic is blocked on the WAN interface it must not be processed by the CPU. As you can see it is as if the package has been processed. It should be discarded directly.

     

    event.png

    anignan
    Staff
    anignan
    Staff
    September 22, 2023

    Exactly theoretically it should not hit the ike daemon.. Let me try to replicate this in my lab

     

    Abdel

      anignan
      Staff
      anignan
      Staff
      September 22, 2023

      HI @FortiMax_it 

       

      This seems to be an expected behavior because this is not a proposal received from remote peer but an ESP packet with incorrect SPI... This packet is being dropped before local-in-policy by the kernel and iked logs it..

       

      Is you FortiGate support acl? check with the command show router access-list

       

      Abdel

        FortiMax_it
        FortiMax_itAuthor
        Explorer III
        September 22, 2023

        Hi,
        does it support ACLs, yes.
        ACL.png

        anignan
        Staff
        anignan
        Staff
        September 22, 2023

        Hi @FortiMax_it 

         

        Try to use ACL this may help in your case..

         

        Abdel

        Terms & ConditionsAccessibility statement