Description

This article describes how to configure a local-in policy on a HA reserved management interface.

Scope

Administrators can configure a local-in policy through the CLI with various services and source and destination addresses to have precise control over the specific traffic heading towards FortiGate interfaces.

Firewall local-in policies are supported for the dedicated HA management interface in a High Availability (HA) environment.

However, the method differs slightly from the methods used by regular firewall interfaces.

Unlike with regular interfaces, an error will appear if a user is trying to apply the HA reserved management interface as interface settings during local-in policy creation.

The solution is to enable 'ha-mgmt-intf-only' settings before applying a HA reserved management interface to a local-in policy configuration.

Solution

Follow the steps below to configure a local-in policy associated with an HA reserved management interface.

In this environment, port6 has been set as a HA reserved management interface in HA configuration:

The following error will appear if an HA reserved management interface (port 6) is applied directly under interface settings while creating a new local-in policy:

To resolve this error, it is necessary to enable the 'ha-mgmt-intf-only' setting under the local-in policy before associating the port to our local-in policy.

The purpose is to enable the dedication of an HA management interface only for the local-in policy.

conf firewall local-in-policy

    edit 1

        set ha-mgmt-intf-only en <----- Enable HA management interface only for local-in policy.

        set intf port6 <----- Now it is possible to apply port6 as an interface without any error.

        set srcaddr <source_address_name>

        set dstaddr <destination_address_name>

        set service <service_name>

        set action <accept/deny>

        set status <enable/disable>

    next

end

The local-in policy associated with the HA management interface (port6) has been successfully configured, as seen in the screenshot below:

The above example is to deny a specific connection towards FortiGate from the 1.1.1.1 source address.

If the aim is to allow administration access from a certain subnet alone, for example, '192.168.0.0/24', blocking all other connections, then the configuration would be as follows:

config firewall local-in-policy
    edit 1
        set ha-mgmt-intf-only enable
        set intf "port6"
        set srcaddr "192.168.0.0/24"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
   next
   edit 2
        set ha-mgmt-intf-only enable
        set intf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
   next
end

In the above entry 1 ('edit 1') allows connections from 192.168.0.0/24 with action accept. Entry 2 ('edit 2') is required to block all other connections coming towards mgmt1 interface. Unlike IPv4 firewall policy, local-in-policy does not have a default implicit deny policy.

Note:

In the VDOM environment, this can be done on the specific VDOM where the HA management interface is allocated.

For example: the HA mgmt-interface in the diagram below is allocated to the root VDOM, so the result is that this policy can only be configured on the root VDOM.

This can only be configured in the management VDOM. By default, the root VDOM is the management VDOM.

Starting v7.6.0, it is now possible to create and delete local-in-policy from the GUI:

Local-in policies can be configured in the GUI and CLI starting v7.6.x: Local-in policy.