There are instances where unauthorized login attempts are coming from malicious IPs trying to get into the FortiGate.

It is strongly recommended to restrict the login from those malicious IPs. Below are sample logs indicating brute force attempts from attackers.

To apply a local-in policy to restrict unauthorized attempts on administrative access (HTTPS, HTTP, SSH) of the firewall. local-in policy configuration is only available on the CLI.

1. Create a firewall address object for specific IPs, subnets, countries, and sources to restrict access to the administrative interface. In this example, a specific IP will be blocked:

config firewall address
    edit "Block_IP"
        set subnet 10.47.17.179 255.255.255.255
    next
end

2. Create a local-in policy and apply the created firewall address. The default action of the local-in policy is 'deny'.

config firewall local-in-policy
    edit 1
        set intf "port1" <----- ISP port (Port going to the Internet).
        set srcaddr "Block_IP"
        set dstaddr "all"
        set service "ALL" <----- Define specific service/s.
        set schedule "always"
    next
end

Once the local-in policy is applied, the attacker from the defined IP/subnet will no longer be able to reach the administrator login prompt.

By default, local traffic logs in FortiGate are disabled. To enable local traffic logs, see Technical Tip: Local traffic logs tab shows no results.

To view local-in policy logs, navigate to Log & Report -> Local Traffic:

To allow login attempts only from the United States or a specific country and block access from the rest of the world, follow this sample script where login is permitted only from IP addresses belonging to the United States.

1. Create a Geo-IP Based Address for the United States.
   

   Ensure a Geo-IP address object for the United States is created. If it is not, follow the instructions in this Fortinet article to create one.

    

2. Configure Admin Access Control.
   Once the address object for the United States Geo-IP is created, use the following script to allow only United States-based IP addresses to access the admin login page. Starting from FortiGate v7.6.0, the Local-in-Policy can now be also configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.

Ignore the UUI Part in the previous screenshot.

Note: In the script below, the United States Geo-IP address object is named 'US'. Adjust the name in the script to match the address object name if it differs.

    edit 1
        set srcaddr "US" <- Specify the address object name for the United States here.

3. Verification.
   After running the above script, verify that the FortiGate admin login is accessible only from the United States and blocked from other countries.

4. Troubleshooting.
   If issues are encountered, ensure that the Geo-IP database is up-to-date by following the instructions in this article: Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database.

A more simple way for the same requirement as above where the FortiGate blocks HTTPS access from all non-US IP addresses can be done by utilizing the 'src-addr-negate' option in the local-in policy which is described in Technical Tip: How to configure a local-in policy to only allow specific subnet using srcaddr-negate...

config firewall local-in-policy

    edit 1

        set intf "wan"

        set srcaddr "US"

        set srcaddr-negate enable <----- This command will negate the rule. It will block all non-US IP addresses.

        set dstaddr "all"

        set action deny

        set service "HTTPS"

        set schedule "always"

        set status enable

    next

end