Created on 10-25-2023 01:51 AM
Edited on 01-19-2025 09:50 PM
By Anthony_E
| Description | This article describes how to block the IGMP protocol using a local-in policy. |
| Scope | FortiGate v6.0 and above. |

Solution:

If a specific protocol must be blocked when it reaches a FortiGate interface, without needing to know the port it uses, follow this method. The IGMP protocol is blocked in this example.

Create a custom firewall service for IP protocol number 2 (IGMP):

```
config firewall service custom
    edit IGMP
        set category "Network Services"
        set protocol IP
        set protocol-number 2
    next
end
```

A list of protocols and their corresponding numbers can be found in the FortiGate handbook.

Then create the local-in policy that denies the new custom service on the interface:

```
config firewall local-in-policy
    edit 1
        set intf wan1
        set srcaddr all
        set dstaddr all
        set service IGMP
        set schedule always
        set action deny
    next
end
```

This method can be used to block other IP protocols as well, by creating a custom service with the corresponding protocol number.

Note 1:

Note 2: After upgrading to v7.4.6 or v7.6.1, local-in policies will be removed or show an empty value if the interface is part of an SD-WAN zone. After the upgrade, manually create the local-in policy again with the SD-WAN zone. After these upgrades, member interfaces of an SD-WAN zone can no longer be assigned individually in local-in policies. Refer to this KB article for the above upgrade change information: Troubleshooting Tip: Local-in, Central-SNAT, DoS policies etc are missing after upgrade to FortiOS v...
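As an added example (not part of the original article or Fortinet's tooling), the following Python script parses a FortiOS CLI dump in the `config`/`edit`/`set` format used above and checks which IP protocol numbers a deny local-in policy actually blocks on a given interface. The sample configuration is constructed from the two blocks in this article; the table and key names are the FortiOS ones shown above, and the parser assumes one level of nesting.

```python
from typing import Dict, List
# Constructed sample: the article's two CLI blocks as they appear in a config dump.
SAMPLE_CONFIG = """
config firewall service custom
    edit "IGMP"
        set protocol IP
        set protocol-number 2
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IGMP"
        set action deny
    next
end
"""

def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse config/edit/set blocks into {table: {entry: {key: value}}} (one nesting level).
    'next' and 'end' are skipped: the following 'edit'/'config' line reopens scope anyway."""
    tables: Dict[str, Dict[str, Dict[str, str]]] = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table, entry = line[7:], None
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
    return tables

def denied_ip_protocols(cfg: Dict[str, Dict[str, Dict[str, str]]], intf: str) -> List[int]:
    """IP protocol numbers blocked on `intf` by deny local-in policies that use IP-type custom services."""
    services = cfg.get("firewall service custom", {})
    blocked = []
    for pol in cfg.get("firewall local-in-policy", {}).values():
        if pol.get("intf") != intf or pol.get("action") != "deny":
            continue
        svc = services.get(pol.get("service", ""), {})
        if svc.get("protocol") == "IP" and "protocol-number" in svc:
            blocked.append(int(svc["protocol-number"]))
    return blocked
```

Running `denied_ip_protocols(parse_fortios(SAMPLE_CONFIG), "wan1")` returns `[2]`; a policy whose service is missing (as after the SD-WAN zone upgrade described in Note 2) contributes nothing, which is how the check exposes a silently emptied local-in policy.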
Copyright 2025 Fortinet, Inc. All Rights Reserved.