pachavez
Staff & Editor
Article Id 297808
Description
This article describes how to use local-in policies to restrict administrative access from attackers or malicious IPs trying to get into the FortiGate.
Scope
FortiGate.
Solution

There are instances where unauthorized login attempts against the FortiGate come from malicious IPs.

It is strongly recommended to block logins from those malicious IPs. Below are sample logs indicating brute force attempts from attackers.

[Screenshot: sample logs of brute force login attempts]
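As an added example (not part of the article), the following Python triages constructed FortiGate-style admin login event lines, counts failed logins per source IP, and renders the matching 'config firewall address' objects for the offenders so they can be referenced from a local-in policy; the log field names and the object-naming scheme are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in FortiGate's key=value event-log style; field names
# and values are illustrative, not copied from a real device.
SAMPLE_LOGS = """\
date=2024-08-07 time=15:10:01 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(10.47.17.179)" srcip=10.47.17.179 action="login" status="failed" reason="passwd_invalid"
date=2024-08-07 time=15:10:02 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="root" ui="ssh(10.47.17.179)" srcip=10.47.17.179 action="login" status="failed" reason="name_invalid"
date=2024-08-07 time=15:10:03 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(10.47.17.179)" srcip=10.47.17.179 action="login" status="failed" reason="passwd_invalid"
date=2024-08-07 time=15:10:09 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(192.168.1.99)" srcip=192.168.1.99 action="login" status="success"
date=2024-08-07 time=15:11:00 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
"""

# key=value pairs; a value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def failed_logins_by_source(log_text):
    """Count failed admin logins per source IP."""
    counts = Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if rec.get("action") == "login" and rec.get("status") == "failed":
            counts[rec["srcip"]] += 1
    return counts

def offenders(log_text, threshold=3):
    """[(srcip, failures), ...] at or above the threshold, highest count first."""
    hits = [(ip, n) for ip, n in failed_logins_by_source(log_text).items()
            if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

def address_objects_cli(ips, prefix="Block_"):
    """Render FortiOS CLI creating one /32 address object per IP, shaped like
    the article's 'Block_IP' object (object names here are constructed)."""
    lines = ["config firewall address"]
    for ip in ips:
        if ip_address(ip).version != 4:  # a /32 mask is only valid for IPv4
            raise ValueError(f"IPv4 address expected, got {ip!r}")
        lines += [f'    edit "{prefix}{ip.replace(".", "_")}"',
                  f"        set subnet {ip} 255.255.255.255",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)
```

Feeding `offenders(SAMPLE_LOGS)` into `address_objects_cli` yields the CLI for the single repeat offender; the threshold is deliberately a parameter so a single mistyped password is not treated as an attack.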

Follow the steps below to apply a local-in policy that restricts unauthorized attempts on the firewall's administrative access (HTTPS, HTTP, SSH, SNMP).

Local-in policy is configurable only from the CLI on FortiOS 7.4 and below.
Starting with v7.6, local-in policy can be configured from both the GUI and the CLI; see GUI support for local-in policies.

  1. Create a firewall address object for the specific IPs, subnets, countries, or other sources whose access to the administrative interface should be restricted. In this example, a single IP is blocked:

config firewall address
    edit "Block_IP"
        set subnet 10.47.17.179 255.255.255.255
    next
end

  2. Create a local-in policy and apply the created firewall address. The default action of a local-in policy is 'deny'.

config firewall local-in-policy
    edit 1
        set intf "port1" <----- ISP port (the port facing the Internet).
        set srcaddr "Block_IP"
        set dstaddr "all"
        set service "ALL" <----- Or define specific services.
        set schedule "always"
    next
end

Once the local-in policy is applied, the attacker from the defined IP/subnet will no longer be able to reach the administrator login prompt.

By default, local traffic logs are disabled on the FortiGate. To enable them, see Technical Tip: Local traffic logs tab shows no results.

To view local-in policy logs, navigate to Log & Report -> Local Traffic:

[Screenshot: Log & Report -> Local Traffic]

To allow login attempts only from the United States (or any specific country) and block access from the rest of the world, follow this sample procedure, in which login is permitted only from IP addresses belonging to the United States.

  1. Create a Geo-IP-based address for the United States: ensure a Geo-IP address object for the United States exists. If it does not, follow the instructions in Geography based addresses to create one.

  2. Configure admin access control: once the Geo-IP address object for the United States exists, use the following script to allow only United States-based IP addresses to reach the admin login page. Starting with FortiGate v7.6.0, the local-in policy can also be configured in the GUI; see Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.

[Screenshot: local-in policy script allowing only the 'US' address object]

Ignore the UUID part in the screenshot above.

Note:

In the script, the United States Geo-IP address object is named 'US'. If the object has a different name, adjust the srcaddr line of the script to match:

    edit 1
        set srcaddr "US" <----- Specify the name of the United States address object here.

  3. Verification: after running the above script, verify that the FortiGate admin login is accessible only from the United States and blocked from other countries.

  4. Troubleshooting: if issues are encountered, ensure that the Geo-IP database is up to date by following Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database.

A simpler way to meet the same requirement, where the FortiGate blocks HTTPS access from all non-US IP addresses, is the 'srcaddr-negate' option of the local-in policy, described in Technical Tip: How to configure a local-in policy to only allow specific subnet using srcaddr-negate...

config firewall local-in-policy
    edit 1
        set intf "wan"
        set srcaddr "US"
        set srcaddr-negate enable <----- Negates the source match: the policy now applies to all non-US IP addresses and denies them.
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
end

When the 'United States' geography address is used alone in the srcaddr field with srcaddr-negate, RFC 1918 private subnet ranges are blocked as well, because private addresses are not part of the Geo-IP ranges of any country. For instance, an administrator trying to reach the FortiGate on the LAN port from 192.168.1.99 will be blocked.

The best option is to place both the Geo address 'US' and the local subnet in an address group, and apply that group in the local-in policy.

config firewall address
    edit "Lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "US"
        set type geography
        set country "US"
    next
end

config firewall addrgrp
    edit "Allowed"
        set member "Lan" "US"
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allowed"
        set srcaddr-negate enable <----- Negates the source match: only IPs in the 'Allowed' group pass, and all other IP addresses are denied.
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
end
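As an added illustration (not code from the article or from Fortinet), the following Python models how a local-in policy's srcaddr and srcaddr-negate matching produces a verdict, covering both the single-IP block from the first procedure and the geo allow-list with its RFC 1918 pitfall above. The address objects, the two-range placeholder standing in for the 'US' geography object, the policy being bound to intf "any" (so the LAN-side case can be evaluated), and the 'accept' fall-through for unmatched traffic are all assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the article's address objects. The real "US" object
# is a geography address resolved from the FortiGuard GeoIP database; here it is
# a placeholder made of two documentation ranges so the logic can run offline.
ADDRESS_OBJECTS = {
    "Block_IP": [ip_network("10.47.17.179/32")],
    "Lan": [ip_network("192.168.1.0/24")],
    "US": [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")],  # placeholder
    "all": [ip_network("0.0.0.0/0")],
}
ADDRESS_GROUPS = {"Allowed": ["Lan", "US"]}

def resolve(name):
    """Expand an address object or address group name into its networks."""
    if name in ADDRESS_GROUPS:
        return [n for m in ADDRESS_GROUPS[name] for n in resolve(m)]
    return ADDRESS_OBJECTS[name]

def src_matches(policy, src):
    """srcaddr test; with srcaddr-negate the policy matches when src is NOT
    in the object, which is how one deny rule becomes an allow-list."""
    in_set = any(src in net for net in resolve(policy["srcaddr"]))
    return not in_set if policy.get("srcaddr_negate") else in_set

def local_in_verdict(policies, intf, src, service):
    """First matching local-in policy wins. No match falls through to the
    interface's allowaccess settings, modelled here as 'accept' (assumption)."""
    src = ip_address(src)
    for p in policies:
        if p["intf"] not in ("any", intf):
            continue
        if p["service"] not in ("ALL", service):
            continue
        if src_matches(p, src):
            return p["action"]
    return "accept"

# Policies modelled on the article; intf "any" is assumed so the LAN-side
# pitfall can be shown with the same rule.
BLOCK_ONE_IP = [{"intf": "port1", "srcaddr": "Block_IP", "service": "ALL",
                 "action": "deny"}]
GEO_ONLY = [{"intf": "any", "srcaddr": "US", "srcaddr_negate": True,
             "service": "HTTPS", "action": "deny"}]
WITH_LAN = [{"intf": "any", "srcaddr": "Allowed", "srcaddr_negate": True,
             "service": "HTTPS", "action": "deny"}]
```

Evaluating 192.168.1.99 against GEO_ONLY returns "deny" while WITH_LAN returns "accept", which is the pitfall and its fix in one call each.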


Related article:
Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI