FortiGate
mbernatek
Staff
Article Id 190268

Purpose

This article provides an example of how to configure local-in policies to filter ingress traffic destined to the FortiGate device itself (management plane traffic), as opposed to traffic forwarded through it.

The configuration is possible only in the CLI.

The GUI menu (if enabled) only displays the default local-in policies created automatically by the system, for example the entries that allow traffic to the explicit proxy or SSH/HTTPS access to the FortiGate. Local-in policies created by the user in the CLI are not displayed in the GUI.


Scope

All FortiGate


Expectations, Requirements

The objective of this example is to restrict management traffic (ICMP echo request/reply, SSH and HTTPS) to the FortiGate according to the source host.

By default, the hosts allowed to ping or administer the FortiGate can be restricted with the trusted hosts of each administrator account. However, that restriction is all-or-nothing per host: a trusted host can use ICMP, SSH and HTTPS alike, as long as those protocols are enabled in the interface's allowaccess list.

Local-in policies provide finer granularity: you decide which protocols each host may use.

For example:
  • The 10.120.0.0/22 network will be allowed to ping the FortiGate (ICMP echo request/reply)
  • The 10.120.0.21/32 host will be allowed to access the FortiGate using SSH
  • The 10.120.2.82/32 host will be allowed to access the FortiGate using HTTPS
  • ICMP, TELNET, SNMP, SSH, HTTP and HTTPS will be denied for all other hosts.
Note that no implicit deny rule is created: traffic that matches none of the local-in policies is still accepted by the FortiGate. Local-in policies are evaluated top-down and the first match wins, so the deny rule must be placed after the accept rules, and its service list determines exactly what is blocked. If a catch-all deny rule covering all services is created instead, be aware that SSL VPN, dynamic routing protocols, HA and so on will be blocked as well.


Configuration

Pre-configuration (all management protocols are enabled on the internal interface):
config system interface
  edit "internal"
    set vdom "root"
    set ip 10.120.0.125 255.255.252.0
    set allowaccess ping https snmp ssh http telnet
    set type physical
  next
end

1/ Configure the firewall address objects
config firewall address
  edit "MGT_NETWORK"
    set associated-interface "internal"
    set comment "Management Network"
    set subnet 10.120.0.0 255.255.252.0
  next
  edit "HOST1_SSH"
    set associated-interface "internal"
    set comment "Host allowed to access using SSH"
    set subnet 10.120.0.21 255.255.255.255
  next
  edit "HOST2_HTTPS"
    set associated-interface "internal"
    set comment "Host allowed to access using HTTPS"
    set subnet 10.120.2.82 255.255.255.255
  next
end

2/ Configure the local-in policies (the order matters: the accept rules must precede the deny rule, because the first matching policy wins)
config firewall local-in-policy
  edit 1
    set intf "internal"
    set srcaddr "HOST1_SSH"
    set dstaddr "all"
    set action accept
    set service "SSH"
    set schedule "always"
  next
  edit 2
    set intf "internal"
    set srcaddr "HOST2_HTTPS"
    set dstaddr "all"
    set action accept
    set service "HTTPS"
    set schedule "always"
  next
  edit 3
    set intf "internal"
    set srcaddr "MGT_NETWORK"
    set dstaddr "all"
    set action accept
    set service "ICMP_ANY"
    set schedule "always"
  next
  edit 4
    set intf "internal"
    set srcaddr "all"
    set dstaddr "all"
    set action deny
    set service "HTTPS" "SNMP" "SSH" "TELNET" "HTTP" "ICMP_ANY"
    set schedule "always"
  next
end
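Evaluation order is the part of this configuration that is easiest to get wrong, so here is an added example, not part of the article, that models the four policies above as a first-match list in Python and produces the verdict for each host/service pair the Verification section probes. The port numbers in SERVICES are this model's assumption about the predefined FortiOS service objects, and a packet that matches no policy is modelled as accepted, following the article's statement that there is no implicit deny. DENY_FIRST reorders the same rules with the catch-all deny at the top to show why the accept rules must come first, and render_cli emits the CLI block for whichever order is being tested.

```python
import ipaddress
from dataclasses import dataclass

# Port mapping assumed for the FortiOS predefined service objects the article uses
# (this model's own table, not read from a device). ICMP_ANY is protocol 1, no port.
SERVICES = {
    "SSH": {("tcp", 22)},
    "TELNET": {("tcp", 23)},
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "SNMP": {("udp", 161), ("udp", 162)},
    "ICMP_ANY": {("icmp", None)},
}

# The firewall address objects from step 1, plus the built-in "all".
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "MGT_NETWORK": ipaddress.ip_network("10.120.0.0/22"),
    "HOST1_SSH": ipaddress.ip_network("10.120.0.21/32"),
    "HOST2_HTTPS": ipaddress.ip_network("10.120.2.82/32"),
}


@dataclass(frozen=True)
class LocalInPolicy:
    policy_id: int
    intf: str
    srcaddr: str
    action: str       # "accept" or "deny"
    services: tuple   # names from SERVICES

    def matches(self, intf, src_ip, proto, port):
        if self.intf != intf or src_ip not in ADDRESSES[self.srcaddr]:
            return False
        return any(p == proto and (prt is None or prt == port)
                   for svc in self.services for p, prt in SERVICES[svc])


# Step 2 of the article, in the order the CLI lists it.
POLICIES = (
    LocalInPolicy(1, "internal", "HOST1_SSH", "accept", ("SSH",)),
    LocalInPolicy(2, "internal", "HOST2_HTTPS", "accept", ("HTTPS",)),
    LocalInPolicy(3, "internal", "MGT_NETWORK", "accept", ("ICMP_ANY",)),
    LocalInPolicy(4, "internal", "all", "deny",
                  ("HTTPS", "SNMP", "SSH", "TELNET", "HTTP", "ICMP_ANY")),
)

# Same rules with the catch-all deny moved to the top (position, not ID, is what
# FortiOS evaluates): the accept rules are never reached, so even HOST1's SSH drops.
DENY_FIRST = (POLICIES[3],) + POLICIES[:3]


def evaluate(policies, intf, src, proto, port=None):
    """Top-down, first match wins. A packet no policy matches is not implicitly
    denied (the article's caveat): it is accepted and reaches the daemon, subject
    only to the interface allowaccess list, which the pre-configuration opens fully."""
    src_ip = ipaddress.ip_address(src)
    for pol in policies:
        if pol.matches(intf, src_ip, proto, port):
            return pol.action, pol.policy_id
    return "accept", None


def management_matrix(policies):
    """Verdict for every (host, service) pair the Verification section probes.
    MGT_OTHER and OUTSIDE are assumed addresses standing in for tests 3 and 4."""
    hosts = {"HOST1": "10.120.0.21", "HOST2": "10.120.2.82",
             "MGT_OTHER": "10.120.1.7", "OUTSIDE": "172.31.224.126"}
    probes = [("ping", "icmp", None), ("ssh", "tcp", 22), ("telnet", "tcp", 23),
              ("http", "tcp", 80), ("https", "tcp", 443)]
    return {(h, name): evaluate(policies, "internal", ip, proto, port)[0]
            for h, ip in hosts.items() for name, proto, port in probes}


def render_cli(policies):
    """Emit the 'config firewall local-in-policy' block for a rule tuple, so the
    order tested in the model is the order pushed to the device."""
    out = ["config firewall local-in-policy"]
    for pol in policies:
        svc = " ".join(f'"{s}"' for s in pol.services)
        out += [f"  edit {pol.policy_id}", f'    set intf "{pol.intf}"',
                f'    set srcaddr "{pol.srcaddr}"', '    set dstaddr "all"',
                f"    set action {pol.action}", f"    set service {svc}",
                '    set schedule "always"', "  next"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    for (host, svc), verdict in management_matrix(POLICIES).items():
        print(f"{host:10} {svc:7} {verdict}")
    print("IKE from outside, not in the deny rule's service list:",
          evaluate(POLICIES, "internal", "172.31.224.126", "udp", 500))
    print("HOST1 SSH with the deny rule first:",
          evaluate(DENY_FIRST, "internal", "10.120.0.21", "tcp", 22))
```

The last two prints are the two caveats from the Expectations section made concrete: UDP/500 from an outside host falls through to "accept" because the deny rule only lists the six management services, and moving that deny rule above the accepts turns the intended SSH exception into a drop.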


Verification

1) From HOST1 (10.120.0.21): ping and SSH should work, other services should be blocked

• ping: response received from the FortiGate
host1:~$ping 10.120.0.125
PING 10.120.0.125 (10.120.0.125) 56(84) bytes of data.
64 bytes from 10.120.0.125: icmp_req=1 ttl=255 time=0.570 ms
64 bytes from 10.120.0.125: icmp_req=2 ttl=255 time=0.265 ms
^C
--- 10.120.0.125 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.265/0.417/0.570/0.153 ms

• SSH: response received from the FortiGate
host1:~$ssh admin@10.120.0.125
FGT50B-5# diagnose ip address list
IP=10.120.0.125->10.120.0.125/255.255.252.0 index=3 devname=internal
IP=172.31.16.125->172.31.16.125/255.255.252.0 index=4 devname=wan2
IP=172.31.224.125->172.31.224.125/255.255.252.0 index=5 devname=wan1
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=8 devname=root
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=11 devname=vsys_ha
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=13 devname=vsys_fgfm
IP=20.1.1.9->20.1.1.10/255.255.255.255 index=15 devname=TO_DR
IP=20.1.1.5->20.1.1.6/255.255.255.255 index=17 devname=TO_BR1
FGT50B-5 # exit
Connection to 10.120.0.125 closed.

• telnet: no response from the FortiGate
host1:~$telnet 10.120.0.125
Trying 10.120.0.125...
telnet: Unable to connect to remote host: Connection timed out

• HTTP: no response from the FortiGate
host1:~$wget http://10.120.0.125
--2012-06-19 11:26:32-- http://10.120.0.125/
Connecting to 10.120.0.125:80... failed: Connection timed out.
Retrying.
--2012-06-19 11:27:36-- (try: 2) http://10.120.0.125/
Connecting to 10.120.0.125:80...
^C

• HTTPS: no response from the FortiGate
host1:~$wget https://10.120.0.125
--2012-06-19 11:47:20-- https://10.120.0.125/
Connecting to 10.120.0.125:443... failed: Connection timed out.
Retrying.
--2012-06-19 11:48:24-- (try: 2) https://10.120.0.125/
Connecting to 10.120.0.125:443...
^C

2) From HOST2 (10.120.2.82): ping and HTTPS should work, other services should be blocked

• ping: response received from the FortiGate
FGT50B-5# diagnose sniffer packet internal 'proto 1' 4 2 0
interfaces=[internal]
filters=[proto 1]
2.447948 internal -- 10.120.2.82 -> 10.120.0.125: icmp: echo request
2.448054 internal -- 10.120.0.125 -> 10.120.2.82: icmp: echo reply

• SSH: no response received from the FortiGate
FGT50B-5# diagnose debug flow filter addr 10.120.2.82
FGT50B-5# diagnose debug flow show console enable
show trace messages on console
FGT50B-5# diagnose debug flow trace start 10
FGT50B-5# diagnose debug enable
FGT50B-5# id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 10.120.2.82:1614->10.120.0.125:22) from internal."
id=36871 trace_id=1 msg="allocate a new session-0002b8b7"
id=36871 trace_id=1 msg="iprope_in_check() check failed, drop"

• telnet: no response back from the FortiGate
FGT50B-5# diag sniffer packet internal 'port 23' 4 2 0
interfaces=[internal]
filters=[port 23]
13.248614 internal -- 10.120.2.82.1622 -> 10.120.0.125.23: syn 479285129
16.132702 internal -- 10.120.2.82.1622 -> 10.120.0.125.23: syn 479285129

• HTTP: no response back from the FortiGate
FGT50B-5# diagnose sniffer packet internal 'port 80' 4 2 0
interfaces=[internal]
filters=[port 80]
23.407469 internal -- 10.120.2.82.1610 -> 10.120.0.125.80: syn 556779102
23.680717 internal -- 10.120.2.82.1611 -> 10.120.0.125.80: syn 3657511462

• HTTPS: response from the FortiGate
FGT50B-5# diagnose sniffer packet internal 'port 443' 4 10 a
interfaces=[internal]
filters=[port 443]
2012-06-19 09:40:28.256550 internal -- 10.120.2.82.1615 -> 10.120.0.125.443: syn 2563677796
2012-06-19 09:40:28.256832 internal -- 10.120.0.125.443 -> 10.120.2.82.1615: syn 2109860842 ack 2563677797
2012-06-19 09:40:28.257482 internal -- 10.120.2.82.1615 -> 10.120.0.125.443: ack 2109860843
2012-06-19 09:40:28.267839 internal -- 10.120.2.82.1615 -> 10.120.0.125.443: psh 2563677797 ack 2109860843
2012-06-19 09:40:28.267904 internal -- 10.120.0.125.443 -> 10.120.2.82.1615: ack 2563677941
2012-06-19 09:40:28.686874 internal -- 10.120.0.125.443 -> 10.120.2.82.1615: psh 2109860843 ack 2563677941
2012-06-19 09:40:28.698364 internal -- 10.120.2.82.1615 -> 10.120.0.125.443: psh 2563677941 ack 2109862197
2012-06-19 09:40:28.698839 internal -- 10.120.0.125.443 -> 10.120.2.82.1615: ack 2563678139
2012-06-19 09:40:28.707540 internal -- 10.120.2.82.1615 -> 10.120.0.125.443: psh 2563678139 ack 2109862197
2012-06-19 09:40:28.707590 internal -- 10.120.0.125.443 -> 10.120.2.82.1615: ack 2563678176

3) From another host on the 10.120.0.0/22 network: ping should work, other services should be blocked

• ping: response from the FortiGate
fortinet@ubuntu11:~$ping 10.120.0.125
PING 10.120.0.125 (10.120.0.125) 56(84) bytes of data.
64 bytes from 10.120.0.125: icmp_req=1 ttl=255 time=1.30 ms
64 bytes from 10.120.0.125: icmp_req=2 ttl=255 time=0.378 ms
^C
--- 10.120.0.125 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.378/0.842/1.307/0.465 ms

• ssh: no response from the FortiGate
fortinet@ubuntu11:~$ssh admin@10.120.0.125
^C

• telnet: no response from the FortiGate
fortinet@ubuntu11:~$telnet 10.120.0.125
Trying 10.120.0.125...
telnet: Unable to connect to remote host: Connection timed out
fortinet@ubuntu11:~$

• HTTP: no response from the FortiGate
fortinet@ubuntu11:~$ wget http://10.120.0.125
--2012-06-19 10:52:51-- http://10.120.0.125/
Connecting to 10.120.0.125:80... failed: Connection timed out.
Retrying.
--2012-06-19 10:56:01-- (try: 2) http://10.120.0.125/
Connecting to 10.120.0.125:80...
^C

• HTTPS: no response from the FortiGate
fortinet@ubuntu11:~$wget https://10.120.0.125
--2012-06-19 10:56:06-- https://10.120.0.125/
Connecting to 10.120.0.125:443... failed: Connection timed out.
Retrying.
--2012-06-19 10:59:17-- (try: 2) https://10.120.0.125/
Connecting to 10.120.0.125:443...
^C

4) From a host on the 172.31.224.0/22 network: all services should be blocked

• ping: no response from the FortiGate
FGT50B-5# diagnose sniffer packet internal 'proto 1' 4 2 a
interfaces=[internal]
filters=[proto 1]
2012-06-19 10:09:21.608205 internal -- 172.31.224.126 -> 10.120.0.125: icmp: echo request
2012-06-19 10:09:22.598065 internal -- 172.31.224.126 -> 10.120.0.125: icmp: echo request


Troubleshooting

The usual troubleshooting commands apply, as used in the Verification section above:

diagnose sniffer packet (shows whether a probe reaches the interface and whether the FortiGate ever answers it)
diagnose debug flow (shows the verdict for a packet destined to the FortiGate; a local-in deny appears as "iprope_in_check() check failed, drop")
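The two commands above produced the captures used throughout the Verification section. As an added example (not from the article), the following Python parses `diagnose sniffer packet` verbosity-4 output and `diagnose debug flow` messages and reports, per probe, whether the FortiGate ever answered on the reverse tuple, and which packets the flow trace dropped. The regular expressions are this example's own reading of the line formats shown above (with and without the absolute timestamp that the trailing `a` argument adds); the sample lines are constructed from those captures.

```python
import re

# One line of 'diagnose sniffer packet <intf> "<filter>" 4 <count> <a|0>' output.
# With the last argument 'a' the line carries an absolute date before the time.
SNIFFER_LINE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}\s+)?(?P<ts>[\d:.]+)\s+(?P<intf>\S+)\s+--\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<info>.*)$"
)
# 'diagnose debug flow' lines: the packet tuple and, later, the verdict for a trace_id.
FLOW_MSG = re.compile(r'trace_id=(?P<tid>\d+)\s+msg="(?P<msg>[^"]*)"')
FLOW_PACKET = re.compile(
    r"received a packet\(proto=(?P<proto>\d+),\s*(?P<src>\S+)->(?P<dst>\S+)\)")


def _endpoint(token, proto):
    """'10.120.2.82.1615' -> ('10.120.2.82', 1615); ICMP endpoints carry no port."""
    if proto == "icmp":
        return token, None
    ip, port = token.rsplit(".", 1)
    return ip, int(port)


def parse_sniffer(lines):
    """Yield (intf, proto, src, sport, dst, dport) per packet line; the header lines
    interfaces=[...] and filters=[...] do not match the pattern and are skipped."""
    for line in lines:
        m = SNIFFER_LINE.match(line.strip())
        if not m:
            continue
        info = m["info"]
        proto = "icmp" if info.startswith("icmp") else "udp" if info.startswith("udp") else "tcp"
        src, sport = _endpoint(m["src"], proto)
        dst, dport = _endpoint(m["dst"], proto)
        yield m["intf"], proto, src, sport, dst, dport


def _label(ip, port):
    return ip if port is None else f"{ip}:{port}"


def probe_results(lines, fgt_ip):
    """For every distinct probe aimed at fgt_ip, True if some packet travelled the
    reverse tuple (echo reply, SYN/ACK, ...), False if the FortiGate stayed silent.
    A silent tuple with retransmitted SYNs is the sniffer-level signature of a deny."""
    seen, probes = set(), {}
    for _, proto, src, sport, dst, dport in parse_sniffer(lines):
        seen.add((proto, src, sport, dst, dport))
        if dst == fgt_ip:
            probes.setdefault(f"{proto} {_label(src, sport)} -> {_label(dst, dport)}",
                              (proto, dst, dport, src, sport))
    return {name: rev in seen for name, rev in probes.items()}


def flow_drops(lines):
    """Collapse a 'diagnose debug flow' capture to {packet tuple: drop reason}."""
    packets, drops = {}, {}
    for line in lines:
        m = FLOW_MSG.search(line)
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        pm = FLOW_PACKET.search(msg)
        if pm:
            packets[tid] = f"proto={pm['proto']} {pm['src']}->{pm['dst']}"
        elif msg.endswith("drop"):
            drops[packets.get(tid, f"trace_id={tid}")] = msg
    return drops


# Constructed sample, assembled from the kinds of lines shown in the captures above.
SNIFFER_SAMPLE = """\
interfaces=[internal]
filters=[proto 1 or port 23 or port 443]
2.447948 internal -- 10.120.2.82 -> 10.120.0.125: icmp: echo request
2.448054 internal -- 10.120.0.125 -> 10.120.2.82: icmp: echo reply
13.248614 internal -- 10.120.2.82.1622 -> 10.120.0.125.23: syn 479285129
16.132702 internal -- 10.120.2.82.1622 -> 10.120.0.125.23: syn 479285129
2012-06-19 09:40:28.256550 internal -- 10.120.2.82.1615 -> 10.120.0.125.443: syn 2563677796
2012-06-19 09:40:28.256832 internal -- 10.120.0.125.443 -> 10.120.2.82.1615: syn 2109860842 ack 2563677797
2012-06-19 10:09:21.608205 internal -- 172.31.224.126 -> 10.120.0.125: icmp: echo request
""".splitlines()

FLOW_SAMPLE = [
    'id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 10.120.2.82:1614->10.120.0.125:22) from internal."',
    'id=36871 trace_id=1 msg="allocate a new session-0002b8b7"',
    'id=36871 trace_id=1 msg="iprope_in_check() check failed, drop"',
]

if __name__ == "__main__":
    for probe, answered in probe_results(SNIFFER_SAMPLE, "10.120.0.125").items():
        print(f"{'answered' if answered else 'NO REPLY'}  {probe}")
    for pkt, reason in flow_drops(FLOW_SAMPLE).items():
        print(f"dropped   {pkt}: {reason}")
```

Run it against a real capture by piping the sniffer or flow output into a file and passing `open(path)` in place of the sample lists; an unanswered probe that the flow trace does not report as dropped points at something other than the local-in policy (routing, allowaccess, or the daemon itself).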