AlexFerenX
Visitor III
October 21, 2024
Question

Local-in vs Auto-provisioned vs Admin-in Policies


Hi!

There are three to-the-FortiGate policies - Local-in, Auto-provisioned and Admin-in Policies.

However, I'm unable to find documentation listing the order of execution/priority in which these are processed to determine which will occlude (i.e. prevent access allowed by) others - is this documented? Otherwise, if it's dead-simple, provide answer?

R's, Feren

(Edit: removed "vs")

2 replies

aastardzhiev
Explorer II
October 21, 2024

Hi @AlexFerenX ,

 

If I am not mistaken, by "Auto-provisioned" you probably refer to Auto provision rules | FortiPAM 1.4.1 | Fortinet Document Library, which has nothing to do with access to the FortiGate itself.

And for "Admin-in" policies, do you mean the list of trusted hosts associated with the admin user?

Local-in and admin trusted hosts serve slightly different purposes.
Local-in blocks the traffic from entering the firewall, so if you try to access it from an IP that is not allowed, the firewall will not respond at all.

Trusted hosts list the IPs from which a given admin is allowed to connect. If you connect from a different IP, you will still be presented with the login page, but even with correct credentials you will receive an authentication failure message.

AlexFerenX
Visitor III
October 22, 2024

Hi @aastardzhiev,

These are the "Policy Group" I'm referring to:

  • (Custom) Local-in Policy - 00100001
  • Auto-provisioned Local-in Policy - 0010000e
  • (allowaccess) Admin-in Policy - 0010000f

So, no, they're very distinct and I seek a definitive answer on the order of execution/priority.

bkrishnan
Staff
October 24, 2024

Hi
Local-in-Policy is evaluated first when the traffic is destined for the FGT.
Admin-in-policy is for the administrative access lookup after local-in-policy.
Auto-Provisioned Policies - https://docs.fortinet.com/document/fortipam/1.4.1/administration-guide/961601/auto-provision-rules

AlexFerenX
Visitor III
October 24, 2024

Hi @bkrishnan 

I’ve provided “Policy Group” as related to FortiGate (not FortiPAM). Is it possible to provide an answer applicable to FortiGate - listed in order of execution/priority?

Thanks!