carlosaleman
Staff
Article Id 280765
Description: This article describes how to block the IGMP protocol using a local-in policy.
Scope: FortiGate v6.0 and above.
Solution

Use this method when a specific IP protocol has to be blocked as it reaches a FortiGate interface and the port it uses is unknown or irrelevant. Matching is done on the IP protocol number rather than on a TCP/UDP port, so the block applies to every packet of that protocol destined for the interface itself.

The IGMP protocol (IP protocol number 2) is blocked in this example.

Create a custom firewall service:

config firewall service custom
    edit IGMP
        set category "Network Services"
        set protocol IP
        set protocol-number 2
    next
end


A list of IP protocols and their corresponding numbers can be found in the FortiGate handbook.

After that, only the local-in policy needs to be created, referencing the new custom service:

config firewall local-in-policy
    edit 1
        set intf wan1
        set srcaddr all
        set dstaddr all
        set service IGMP
        set schedule always
        set action deny
    next
end


The same method can be used to block other IP protocols: create a custom service with the protocol number of that protocol and reference it from a local-in policy on the interface that should not accept it.

Note 1:
In FortiGate v7.6.0 and above, the Local-in-Policy can be configured in the GUI as well. Select Policy & Objects -> Local-In-Policy -> Create New, fill in the required options and, in the service field, select IGMP.

 


Note 2:

After upgrading to v7.4.6 or v7.6.1, local-in policies will be removed or show an empty value if the interface is part of an SD-WAN zone. After the upgrade, manually create the local-in policy again with the SD-WAN zone as the interface. From these releases on, member interfaces of an SD-WAN zone cannot be assigned individually in local-in policies.

Refer to this KB article for the above upgrade change information: Troubleshooting Tip: Local-in, Central-SNAT, DoS policies etc. are missing after upgrade to FortiOS v...
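The following is an added example, not code from this article or from Fortinet. It shows how an administrator can check, from the text of a `show firewall local-in-policy` dump, that the deny policy created above is still bound to an interface and still references the custom service, which is the condition Note 2 warns can silently break after an upgrade. The sample dump is constructed for the example (policy 1 is intact, policy 2 has lost its `intf` value); the function names and the exact output format are assumptions, so adapt the parser if your FortiOS release prints the configuration differently.

```python
import shlex
from typing import Dict, List

# Constructed sample of `show firewall local-in-policy` output; not captured from a
# real device. Policy 1 is the IGMP block from the article, policy 2 is the same
# policy after its interface binding was lost (the symptom described in Note 2).
SAMPLE_SHOW_OUTPUT = """\
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IGMP"
        set schedule "always"
        set action deny
    next
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set service "IGMP"
        set schedule "always"
        set action deny
    next
end
"""


def parse_local_in(show_output: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse a local-in-policy dump into {policy_id: {attribute: [values]}}.

    Only `edit`, `set` and `next` are interpreted. Values are split with shlex so
    that `set intf "wan1"` becomes ['wan1'] and multi-value lines keep every item.
    """
    policies: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in show_output.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            policies[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            policies[current][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
    return policies


def audit_local_in(show_output: str, expected_service: str,
                   expected_intfs: List[str]) -> List[str]:
    """Return one finding per problem with the deny policy for expected_service.

    Findings are produced when no deny policy references the service at all, when a
    deny policy has no interface or zone bound (it then applies nowhere), or when it
    is bound to something other than the interfaces/zones the administrator expects.
    """
    findings: List[str] = []
    matched = False
    for pid, attrs in parse_local_in(show_output).items():
        if attrs.get("action") != ["deny"]:
            continue
        if expected_service not in attrs.get("service", []):
            continue
        matched = True
        intf = attrs.get("intf", [])
        if not intf:
            findings.append(
                f"policy {pid}: no interface/zone bound, deny for "
                f"{expected_service} is not applied anywhere")
        elif not set(intf) <= set(expected_intfs):
            findings.append(
                f"policy {pid}: bound to {intf}, expected one of {expected_intfs}")
    if not matched:
        findings.append(
            f"no deny local-in policy references service {expected_service}")
    return findings


if __name__ == "__main__":
    # Expected: exactly one finding, for policy 2.
    for line in audit_local_in(SAMPLE_SHOW_OUTPUT, "IGMP", ["wan1"]):
        print(line)
```

Feed the function the output of `show firewall local-in-policy` (saved from the CLI) after any upgrade mentioned in Note 2; an empty result means every deny policy for the service is still bound to the expected interface or SD-WAN zone.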