Description | This article describes how to configure a local-in policy to allow only specific subnets to access the FortiGate using the srcaddr-negate enable option. |
Scope | FortiGate. |
Solution |
A local-in policy filters or denies traffic destined to the FortiGate itself, at the interface level.
Usually, two local-in policy rules are created: one to allow specific subnets and one to deny the rest of the IP addresses. The first rule allows the permitted sources, which can be defined via GeoIP, an address object, or an address group. The second rule denies all other IP addresses.
Example local-in policy configuration:
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allowed_subnet"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
end
Here is the same outcome achieved with a single rule using the srcaddr-negate enable option.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allowed_subnet"
        set srcaddr-negate enable    <- This option negates the source address match: the rule now applies to every source except Allowed_subnet, so it allows only the IPs in Allowed_subnet and denies all other IP addresses.
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
end
This single local-in policy rule will deny all the HTTPS traffic to FortiGate except for the IP addresses on the 'Allowed_subnet' Firewall address group. |
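The following Python model is an added example, not Fortinet code or part of the original article. It models local-in policy evaluation for the two configurations above (the two-rule allow/deny pair and the single srcaddr-negate rule) and checks that both produce the same accept/deny decision for a set of constructed source IPs. It assumes rules are evaluated top-down with first match winning, and that traffic matching no local-in policy is not blocked by the local-in policy (the behaviour the article relies on for the negated single rule); the prefix inside "Allowed_subnet" and the sample IPs are constructed for the example.

```python
"""Model of FortiGate local-in policy evaluation with srcaddr-negate (added example).

Assumptions: top-down evaluation, first match wins, and a packet that matches no
local-in rule is not blocked by the local-in policy. Address contents are constructed.
"""
import ipaddress

# Constructed address objects. "Allowed_subnet" is the group name from the
# article; the prefix inside it is made up for this example.
ADDRESSES = {
    "Allowed_subnet": [ipaddress.ip_network("203.0.113.0/24")],
    "all": [ipaddress.ip_network("0.0.0.0/0")],
}


def src_matches(rule, src_ip):
    """True if src_ip satisfies the rule's srcaddr, honouring srcaddr-negate."""
    ip = ipaddress.ip_address(src_ip)
    in_addr = any(ip in net for net in ADDRESSES[rule["srcaddr"]])
    # srcaddr-negate enable flips the match: the rule applies to everything
    # that is NOT in the named address object/group.
    return (not in_addr) if rule.get("srcaddr_negate") else in_addr


def evaluate(policy, src_ip, service="HTTPS"):
    """Return 'accept' or 'deny' for one packet against an ordered rule list."""
    for rule in policy:
        if rule["status"] != "enable" or rule["service"] != service:
            continue
        if src_matches(rule, src_ip):
            return rule["action"]
    return "accept"  # assumption: no local-in match -> not blocked by local-in


# Two-rule configuration from the article (edit 1 accept, edit 2 deny).
TWO_RULE_POLICY = [
    {"id": 1, "srcaddr": "Allowed_subnet", "action": "accept",
     "service": "HTTPS", "status": "enable"},
    {"id": 2, "srcaddr": "all", "action": "deny",
     "service": "HTTPS", "status": "enable"},
]

# Single-rule configuration using srcaddr-negate enable.
NEGATE_POLICY = [
    {"id": 1, "srcaddr": "Allowed_subnet", "srcaddr_negate": True,
     "action": "deny", "service": "HTTPS", "status": "enable"},
]


def compare(src_ips, service="HTTPS"):
    """Decision of both policies per source IP, plus whether they agree."""
    results = {}
    for ip in src_ips:
        two = evaluate(TWO_RULE_POLICY, ip, service)
        neg = evaluate(NEGATE_POLICY, ip, service)
        results[ip] = (two, neg, two == neg)
    return results


if __name__ == "__main__":
    # Constructed sample sources: one inside the allowed subnet, two outside.
    samples = ["203.0.113.10", "198.51.100.7", "10.0.0.5"]
    for ip, (two, neg, same) in compare(samples).items():
        print(f"{ip:>15}  two-rule={two:<6} negate={neg:<6} agree={same}")
```

Note that both policies only match the HTTPS service: a packet for any other service (for example SSH) matches neither rule set and falls through to the default, so the model returns "accept" for it. This mirrors the article's configuration, where restricting other management services would require additional local-in rules or service entries.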