Description
This article describes how to configure a local-in policy that restricts SSH administrative access to a single source country when SSH is running on a non-standard port.
Scope
FortiOS, FortiGate.
Solution
Configuration example:
- SSH admin port: 2246
- Allowed country: Mexico
- Configure a Geo-IP address object named MEXICO with the country set to Mexico.
- Configure a custom service object named SSH_Admin for TCP port 2246.
- Enable the Local-In Policy feature.
- Configure a Local-In policy that allows the source country on the SSH_Admin service.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MEXICO"
        set dstaddr "all"
        set action accept
        set service "SSH_Admin"
        set schedule "always"
    next
end
- Configure a Local-In policy that denies all other sources on the SSH_Admin service.
config firewall local-in-policy
    edit 2
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "SSH_Admin"
        set schedule "always"
        set status enable
    next
end
- Validate the logs. The local-in traffic log below shows a connection from Colombia to TCP port 2246 being denied by policy 2:
date=2024-10-21 time=09:18:05 id=7428248532324188160 itime="2024-10-21 08:18:07" euid=3 epid=101 dsteuid=3 dstepid=101 logflag=3 logver=702091688 sfsid=0 type="traffic" subtype="local" level="notice" action="deny" policyid=2 sessionid=269970 srcip=186.114.XX.XX dstip=XXX.XXX.XXX.XXX srcport=55018 dstport=2246 trandisp="noop" duration=0 proto=6 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid=0001000014 service="SSH_Admin" app="Console Management(SSH)" appcat="unscanned" srcintfrole="wan" dstintfrole="undefined" policytype="local-in-policy" eventtime=1729523884801061949 crscore=5 craction=262144 crlevel="low" poluuid="bb4b84cc-8f72-51ef-52c5-4fe64a174580" srccountry="Colombia" dstcountry="Reserved" srcintf="wan2" dstintf="root" tz="-0600" devid="FWFxxxxxxxx1157" vd="root" csf="fabric" dtime="2024-10-21 09:18:05" itime_t=1729523887 devname="FGT-JoN"
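To make the log-validation step repeatable, the following Python check is added here as an example (it is not Fortinet's code and not part of the original article). It parses FortiOS key=value traffic logs and flags local-in events on the SSH_Admin service that contradict the intended policy: an accept from a country other than Mexico, or a deny of a Mexican source. The three log lines are constructed samples with documentation IP addresses and trimmed fields.

```python
import re
from collections import Counter

# Constructed sample FortiOS local-in traffic logs (documentation IPs, fields trimmed).
# Line 2 mirrors the deny entry shown in the article; line 3 shows a Mexican source
# arriving on wan2, where policy 2 denies all sources.
SAMPLE_LOGS = """\
date=2024-10-21 time=09:17:40 type="traffic" subtype="local" action="accept" policyid=1 srcip=203.0.113.10 dstip=198.51.100.5 srcport=51000 dstport=2246 proto=6 service="SSH_Admin" app="Console Management(SSH)" policytype="local-in-policy" srccountry="Mexico" srcintf="wan1"
date=2024-10-21 time=09:18:05 type="traffic" subtype="local" action="deny" policyid=2 srcip=203.0.113.20 dstip=198.51.100.5 srcport=55018 dstport=2246 proto=6 service="SSH_Admin" app="Console Management(SSH)" policytype="local-in-policy" srccountry="Colombia" srcintf="wan2"
date=2024-10-21 time=09:19:12 type="traffic" subtype="local" action="deny" policyid=2 srcip=203.0.113.30 dstip=198.51.100.5 srcport=40100 dstport=2246 proto=6 service="SSH_Admin" app="Console Management(SSH)" policytype="local-in-policy" srccountry="Mexico" srcintf="wan2"
"""

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line):
    """Parse one FortiOS key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def audit_ssh_admin(lines, allowed_countries=("Mexico",), service="SSH_Admin"):
    """Summarise local-in events for the SSH admin service.

    Returns (counts, unexpected): counts is a Counter keyed by (srccountry, action);
    unexpected lists events that contradict the intended policy, i.e. an accept from
    a country outside allowed_countries or a deny of an allowed country.
    """
    counts = Counter()
    unexpected = []
    for line in lines:
        ev = parse_fortilog(line)
        if ev.get("policytype") != "local-in-policy" or ev.get("service") != service:
            continue
        country, action = ev.get("srccountry", "?"), ev.get("action")
        counts[(country, action)] += 1
        allowed = country in allowed_countries
        if (action == "accept" and not allowed) or (action == "deny" and allowed):
            unexpected.append(ev)
    return counts, unexpected


if __name__ == "__main__":
    counts, unexpected = audit_ssh_admin(SAMPLE_LOGS.splitlines())
    for (country, action), n in sorted(counts.items()):
        print(f"{country:10} {action:7} {n}")
    for ev in unexpected:
        print("check policy:", ev["srcip"], ev["srccountry"], ev["action"],
              "policyid", ev["policyid"], "on", ev["srcintf"])
```

A deny of an allowed country on one interface while the allow rule is bound to another is the kind of mismatch this check surfaces, so run it against exported logs after applying the two policies.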