pachavez (Staff)
Article Id 297808
Description This article describes how to use local-in policies to restrict administrative access from attackers or malicious IPs trying to get into the FortiGate.
Scope FortiGate.
Solution

There are instances where unauthorized login attempts come from malicious IPs trying to get into the FortiGate.

It is strongly recommended to restrict logins from those IPs. Below are sample logs indicating brute-force attempts from attackers.

[Image: brute force logs edited.png, sample logs of failed administrator login attempts]

Follow the steps below to apply a local-in policy that blocks unauthorized attempts on the administrative access (HTTPS, HTTP, SSH) of the firewall. Local-in policy configuration is only available in the CLI.

  1. Create a firewall address object for specific IPs, subnets, countries, and sources to restrict access to the administrative interface. In this example, a specific IP will be blocked:


config firewall address
    edit "Block_IP"
        set subnet 10.47.17.179 255.255.255.255
    next
end

  2. Create a local-in policy and use the address object created above as its source. The default action of a local-in policy is 'deny', so traffic matching this policy is dropped before it reaches the administrative services.


config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Block_IP"
        set dstaddr "all"
        set service "ALL" <----- Or name only the administrative services, e.g. "HTTPS" "HTTP" "SSH".
        set schedule "always"
    next
end


Once the local-in policy is applied, the attacker from the defined IP/subnet will no longer be able to reach the administrator login prompt.
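The two steps above block one IP observed in the logs. As an added example that is not part of this article, the Python script below goes one step further: it parses key=value admin-login event log lines (constructed here in the style of FortiOS logs, not the screenshot above), counts failed logins per source IP, and renders the same address-object and local-in policy CLI for every source that crosses a threshold. The log field names, the policy ID 1 and the interface name port1 are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of FortiOS admin-login event logs
# (an assumption about the exact format; they are not the article's screenshot).
SAMPLE_LOGS = """\
date=2024-01-10 time=08:01:12 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" method="https" srcip=10.47.17.179 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=08:01:13 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="root" method="ssh" srcip=10.47.17.179 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=08:01:15 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" method="https" srcip=10.47.17.179 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=08:02:40 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" method="ssh" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=08:03:01 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" method="https" srcip=192.0.2.10 action="login" status="success"
"""

# key=value pairs; values are either "quoted" or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def failed_logins_by_source(log_text):
    """Count failed administrator logins per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log(line)
        if rec.get("action") == "login" and rec.get("status") == "failed":
            counts[rec["srcip"]] += 1
    return counts


def offenders(log_text, threshold=3):
    """Source IPs with at least `threshold` failed admin logins, sorted."""
    return sorted(ip for ip, n in failed_logins_by_source(log_text).items() if n >= threshold)


def local_in_block_config(ips, intf="port1", services=("HTTPS", "HTTP", "SSH")):
    """Render one /32 address object per IP plus a single deny local-in policy.
    Policy ID 1 is assumed to be free; adjust it if the unit already has local-in policies."""
    names = [f"Block_{ip.replace('.', '_')}" for ip in ips]
    lines = ["config firewall address"]
    for name, ip in zip(names, ips):
        lines += [f'    edit "{name}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    lines.append("end")
    lines += ["config firewall local-in-policy", "    edit 1",
              f'        set intf "{intf}"',
              "        set srcaddr " + " ".join(f'"{n}"' for n in names),
              '        set dstaddr "all"',
              "        set service " + " ".join(f'"{s}"' for s in services),
              '        set schedule "always"',
              "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(local_in_block_config(offenders(SAMPLE_LOGS)))
```

Review the rendered CLI before pasting it into the FortiGate, and keep a policy that permits your own management network ahead of the deny so an attacker spoofing your address range cannot lock you out.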

[Image: local-in 4.png, login prompt no longer reachable from the blocked IP]

By default, local traffic logs in FortiGate are disabled. To enable them, see: Technical Tip: Local traffic logs tab shows no results.

To view local-in policy logs, navigate to Log & Report -> Local Traffic:

[Image: local-in 3.PNG, Log & Report -> Local Traffic view]
