Stuart_Kendrick
New Member
April 12, 2018
Question

Restrict access to VPN Tunnel Terminator


I have a VPN tunnel to Azure.  In the logs, I see random sites attempting Phase I with the VPN Tunnel interface on the Fortigate.  They fail of course, as they aren't sourced from the specified IP address nor do they have the pre-shared key.  But I don't enjoy seeing these messages in the logs.


How might I go about applying a Policy to prevent these packets from even reaching the IPSec VPN Tunnel interface?  As I poke around, I'm realizing that I don't even know how FortiOS handles this -- I don't see any IPv4 Policy which permits IKE / ESP to my tunnel interface.  I do see Local In Policies which seem to permit UDP 500 / 4500 / 1701 to *any* interface.  And IPv4 Access Control List doesn't seem to be granular enough -- only supports Denies -- no Allows.


Is Local In Policy the place to start, in terms of attempting to lock this down?


--sk


    Markus
    New Member
    April 13, 2018

    Hi,

    Welcome to the Forums. Yes, the Local In Policy is the place, but you have to use CLI. Take a look at this Thread https://forum.fortinet.com/tm.aspx?m=148259&tree=true


    Best, Markus

    Stuart_Kendrick
    New Member
    April 16, 2018

    Ahh, I see.  Thank you for the pointer.


    For reference, here is what I did:


    config firewall local-in-policy
        edit 1
            set ha-mgmt-intf-only disable
            set intf "AzureVPN"
            set srcaddr "Remote Azure VPN Gateway"
            set dstaddr "Local Azure VPN Gateway"
            set action accept
            set service "IKE"
            set schedule "always"
            set status enable
        next
        edit 2
            set ha-mgmt-intf-only disable
            set intf "AzureVPN"
            set srcaddr "Remote Azure VPN Gateway"
            set dstaddr "Local Azure VPN Gateway"
            set action accept
            set service "ESP"
            set schedule "always"
            set status enable
        next
        edit 3
            set ha-mgmt-intf-only disable
            set intf "AzureVPN"
            set srcaddr "all"
            set dstaddr "Local Azure VPN Gateway"
            set action deny
            set service "IKE"
            set schedule "always"
            set status enable
        next
        edit 4
            set ha-mgmt-intf-only disable
            set intf "AzureVPN"
            set srcaddr "all"
            set dstaddr "Local Azure VPN Gateway"
            set action deny
            set service "ESP"
            set schedule "always"
            set status enable
        next
    end
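Added example (editor's, not part of the original thread or the poster's configuration): the same local-in policy idea, but with the filter bound to the outer interface that the IPsec phase1 is bound to (the interface named in the phase1's `set interface`), because that is where the peer's IKE (UDP 500/4500) and ESP packets actually arrive and where unsolicited Phase 1 attempts from random hosts are seen; the tunnel interface itself only carries traffic after decapsulation. The interface name "wan1", the address object names, and the addresses 203.0.113.10 (Azure gateway) and 198.51.100.5 (FortiGate public IP) are assumptions chosen for illustration from documentation ranges, not values from the post.

```text
# Added example, not from the thread. Assumed: outer interface "wan1",
# Azure gateway 203.0.113.10, FortiGate public IP 198.51.100.5.
config firewall address
    edit "Azure-VPN-Peer"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "FortiGate-WAN-IP"
        set subnet 198.51.100.5 255.255.255.255
    next
end

config firewall local-in-policy
    # 1: accept IKE (predefined service "IKE" = UDP 500 and 4500,
    #    so NAT-T is covered) from the known peer only.
    edit 1
        set intf "wan1"
        set srcaddr "Azure-VPN-Peer"
        set dstaddr "FortiGate-WAN-IP"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    # 2: accept ESP (IP protocol 50) from the known peer only.
    edit 2
        set intf "wan1"
        set srcaddr "Azure-VPN-Peer"
        set dstaddr "FortiGate-WAN-IP"
        set action accept
        set service "ESP"
        set schedule "always"
    next
    # 3: drop IKE/ESP from anyone else before it reaches the IKE daemon.
    #    Policies are evaluated top-down, so the accepts must come first;
    #    without an explicit deny, unmatched traffic falls through to the
    #    default local-in handling, which still answers IKE.
    edit 3
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "FortiGate-WAN-IP"
        set action deny
        set service "IKE" "ESP"
        set schedule "always"
    next
end
```

The address objects must exist before the policies reference them, and the deny only matches IKE and ESP, so management services on the same interface are unaffected. After applying it, the Azure tunnel should still show as up in `diagnose vpn ike gateway list`, and the failed Phase 1 attempts from other sources should stop appearing in the VPN event log. If the Azure side is ever redeployed with a new gateway address, the "Azure-VPN-Peer" object has to be updated or the tunnel will silently stop negotiating.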

    Markus
    New Member
    April 16, 2018

    Good to hear and thanks for sharing!