Description
This article describes how to allow IPsec VPN ports 4500 and 500 and the ESP protocol to be accessed from specific IP addresses only.
Scope
FortiGate.
Solution
For instance:
An IPsec site-to-site VPN with the remote peer 10.10.10.1, where IKE port 500, NAT-T port 4500, and protocol ESP are currently open to all IPs on the Internet. Access will be limited to 10.10.10.1 only.
The port group can be configured on the physical interface under the Network --> Interfaces section:
- Create a firewall address object for the remote peer if it does not already exist:
# config firewall address
    edit "RemotePeer1"
        set comment "Remote peer for VPN"
        set subnet 10.10.10.1 255.255.255.255
    next
end
- Create a rule to allow IKE and ESP from this peer on port1 (WAN interface). The predefined "IKE" service object includes UDP ports 500 and 4500:
# config firewall local-in-policy
    edit 0
        set intf "LAN(port1)"
        set srcaddr "RemotePeer1"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
end
- Create a rule below it to deny the IKE and ESP protocols from everyone else (deny is the default action, so `set action deny` is optional, but stating it explicitly makes the intent visible):
# config firewall local-in-policy
    edit 0
        set intf "LAN(port1)"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE" "ESP"
        set schedule "always"
    next
end
Now the FortiGate will only answer this remote peer, 10.10.10.1, on UDP port 500 for IKE, UDP port 4500 for NAT traversal, and protocol ESP for the Phase 2 tunnel.
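Because the GUI does not show CLI-created local-in rules and the `show` output omits the action when it is the default deny, it is easy to misjudge whether the two rules above are ordered correctly. The following Python script is an added example, not part of this article and not Fortinet code: it parses a listing shaped like `show firewall local-in-policy` output, treats a rule without a `set action` line as deny, evaluates the rules in first-match order for the peer and for any other source, and reports whether the lock-down holds. The listing, the rule IDs, and the interface name port1 are constructed for the example.

```python
"""Added example: sanity-check a FortiGate local-in policy listing for the
IKE/ESP peer lock-down described above. Not Fortinet code; the listing below
is constructed to look like `show firewall local-in-policy` output."""
import re
from dataclasses import dataclass, field

# Constructed sample (assumed rule IDs and interface name "port1").
SAMPLE_SHOW_OUTPUT = """\
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "RemotePeer1"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
    next
end
"""


@dataclass
class LocalInRule:
    rule_id: int
    settings: dict = field(default_factory=dict)

    @property
    def action(self) -> str:
        # The listing omits `set action` when the value is the default, deny.
        return self.settings.get("action", ["deny"])[0]


def parse_local_in_policy(text: str) -> list:
    """Turn a show-style listing into rules in listing order (order matters)."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        edit = re.match(r"^edit (\d+)$", line)
        if edit:
            current = LocalInRule(int(edit.group(1)))
        elif line == "next" and current is not None:
            rules.append(current)
            current = None
        elif current is not None:
            setting = re.match(r"^set (\S+) (.+)$", line)
            if setting:
                key, values = setting.group(1), setting.group(2)
                # Values are quoted object names or bare tokens such as `accept`.
                current.settings[key] = [
                    v.strip('"') for v in re.findall(r'"[^"]*"|\S+', values)
                ]
    return rules


def verdict(rules, intf, srcaddr, service):
    """First matching rule wins. Returns 'accept', 'deny', or None if nothing matches."""
    for rule in rules:
        if rule.settings.get("intf", [None])[0] != intf:
            continue
        sources = rule.settings.get("srcaddr", [])
        if srcaddr not in sources and "all" not in sources:
            continue
        if service not in rule.settings.get("service", []):
            continue
        return rule.action
    return None


def check_lockdown(rules, intf, peer_name, services=("IKE", "ESP")):
    """Return a list of problems; empty means the peer is accepted and all others denied."""
    problems = []
    for service in services:
        if verdict(rules, intf, peer_name, service) != "accept":
            problems.append(f"{service}: {peer_name} is not accepted on {intf}")
        # A source name no rule references can only match rules whose srcaddr is "all".
        if verdict(rules, intf, "__any_other_source__", service) != "deny":
            problems.append(f"{service}: sources other than {peer_name} are not denied on {intf}")
    return problems


if __name__ == "__main__":
    rules = parse_local_in_policy(SAMPLE_SHOW_OUTPUT)
    for rule in rules:
        print(rule.rule_id, rule.action, rule.settings.get("srcaddr"), rule.settings.get("service"))
    print("problems:", check_lockdown(rules, "port1", "RemotePeer1") or "none")
    # Reversing the order puts the deny-all rule first, which would shut out the peer.
    print("problems if reversed:", check_lockdown(rules[::-1], "port1", "RemotePeer1"))
```

Paste the real `show firewall local-in-policy` output in place of the constructed sample to run the same check against a device; the reversed-order case in the `__main__` block shows the lock-out that a wrongly ordered deny rule would cause.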
Note:
A Local-in policy is the policy that protects the FortiGate itself, i.e., it filters access when the destination is one of the FortiGate's own interfaces and their IPs.
It is visible in the GUI by default starting with FortiOS 7.x; in older versions, go to System → Feature Visibility → Local-in Policy to enable it.
The Local-in policy can only be configured in the CLI; the GUI display is read-only.
Additionally, the GUI displays only the default rules, which the FortiGate creates automatically when the corresponding services are enabled. The GUI will not show any rules configured in the CLI, which may give the false impression that CLI-configured rules do not work. It is recommended to work in the CLI from the beginning.
There are separate IPv4 and IPv6 local-in policies.
The default action in a rule is deny, so when no action is visible in the show output, the action is deny.
Virtual IPs (VIPs) override Local-in policies.
By default, Local-in policy hits are not logged; to have denied packets logged, set Log Settings → Log All. The logs appear in the Local Traffic section.
Workspace Mode can be used to avoid accidentally locking yourself out when changing the Local-in policy.
Copyright 2024 Fortinet, Inc. All Rights Reserved.