tanr
New Member
November 15, 2017
Question

Logging, local-in-policy, and weirdness

A question re local-in-policy, logging, security policies, and possibly zones.

We've got two ISPs, so separate wan interfaces for each, collected into a zone for firewall rules.  Local in policy blocks (or should block) a number of services (like telnet) to these wan interfaces, like so:

config firewall local-in-policy
    edit 1
        set intf "wan-zn"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "Svcs-LI-Block-For-Wan"
        set schedule "always"
        set status enable
    next
end

I still see a bunch of logs blocking these services, where the policy ID usually matches one of our lan_to_wan policies, but sometimes matches the default deny policy.

Questions:

  1. My understanding is that when local-in-policy blocks something, there is no log entry created.  Correct?
  2. I assume the logs I'm seeing are for attacks from the wan that are attempted as part of a session initiated from our lan, since otherwise they should be getting blocked by either the local-in-policy or the default deny policy, not the lan_to_wan policies?
  3. How would the telnet attempts, for example, have gotten through to where the default deny rule had to handle them, as opposed to local-in-policy?
  4. Any suggestions on how to track this backwards?  For example, I'd like to figure out specific websites users are visiting that then use the connection to try such an attack.  I'd really like to figure out the attacks that seem to be bypassing local-in-policy which are getting blocked by the default deny.

Thanks.

      packetpusher
      New Member
      November 17, 2017

      The local-in policy is used to restrict/ allow access to services residing on the firewall only.

      emnoc
      New Member
      November 17, 2017

      You need to enable logging for local-in-policies, e.g.:

      config log setting
          set local-in-allow enable
          set local-in-deny-unicast enable
      end

      ede_pfau
      SuperUser
      November 17, 2017

      As already posted, local-in policies are only effective for traffic reaching one of the FGT's port addresses, i.e. the WAN address. They are meant to restrict access to the FGT management servers, which could be HTTP, HTTPS, SSH or telnet. Notice that you cannot specify a destination interface like in a regular policy - the destination is always the FGT itself.

      In order to attack an internal server you would need to allow incoming traffic in the first place. That is, a policy from WAN to LAN. This is quite uncommon and usually requires a VIP to translate a public destination address to an internal, private address. You usually handle all security in this policy.

      If there is no policy allowing some sort of traffic (even inbound) then it will hit the implicit final DENY policy, policy 0.

      As far as I can see it, your problem is that you're allowing traffic in. Note that you do not need an inbound policy to allow traffic replies - policies allow/deny session setup, not traffic. You can surf the web from the LAN with an outbound policy only.
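As an added example (not written by any poster in this thread), a small Python helper that triages FortiGate-style key=value traffic log lines the way the replies above describe: a deny with subtype "local" was decided by a local-in policy (the session was addressed to the FGT itself), a forward deny with policyid 0 is the implicit final deny, and a forward deny with any other policyid came from a configured policy such as lan_to_wan. The sample log lines are constructed; the field names (type, subtype, action, policyid, srcintf, dstintf, service) follow FortiGate traffic logs, and local-in denies only appear at all once local-in deny logging is enabled.

```python
import shlex
from collections import Counter

# Constructed sample lines in FortiGate traffic-log key=value style (not from the thread).
SAMPLE_LOGS = """\
date=2017-11-15 time=10:01:02 type="traffic" subtype="local" action="deny" policyid=1 srcintf="wan1" dstintf="root" srcip=203.0.113.10 dstip=198.51.100.2 dstport=23 service="TELNET"
date=2017-11-15 time=10:01:05 type="traffic" subtype="forward" action="deny" policyid=0 srcintf="wan2" dstintf="lan" srcip=203.0.113.11 dstip=192.0.2.20 dstport=23 service="TELNET"
date=2017-11-15 time=10:01:09 type="traffic" subtype="forward" action="accept" policyid=12 srcintf="lan" dstintf="wan1" srcip=192.0.2.50 dstip=198.51.100.80 dstport=443 service="HTTPS"
date=2017-11-15 time=10:01:12 type="traffic" subtype="forward" action="deny" policyid=12 srcintf="lan" dstintf="wan1" srcip=192.0.2.51 dstip=198.51.100.81 dstport=23 service="TELNET"
"""

def parse_line(line):
    """Split one key=value log line into a dict; shlex strips the quotes around values."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields

def classify(entry):
    """Name the stage at which a denied session was dropped.
    subtype=local           -> addressed to the FortiGate itself: a local-in policy decided it
    subtype=forward, id 0   -> no forward policy matched: the implicit final deny (policy 0)
    subtype=forward, id > 0 -> a configured forward policy (e.g. lan_to_wan) denied it
    """
    if entry.get("action") != "deny":
        return "allowed"
    if entry.get("subtype") == "local":
        return "local-in deny"
    if entry.get("policyid") == "0":
        return "implicit deny (policy 0)"
    return "forward policy %s deny" % entry.get("policyid")

def summarize(log_text):
    """Tally denies per stage and per (srcintf, service, stage) to show where a service is stopped."""
    by_stage = Counter()
    by_service = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        stage = classify(entry)
        if stage == "allowed":
            continue
        by_stage[stage] += 1
        by_service[(entry.get("srcintf"), entry.get("service"), stage)] += 1
    return dict(by_stage), dict(by_service)
```

Feed `summarize()` the exported traffic log instead of SAMPLE_LOGS; the per-(srcintf, service, stage) counts show which denies are really local-in hits and which are forward-policy hits, which is the distinction the asker's policy IDs were blurring.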