FortiGate
pachavez
Staff
Article Id 297808
Description: This article describes how to use local-in policies to restrict administrative access from attackers or malicious IPs trying to get into the FortiGate.
Scope: FortiGate.
Solution

There are instances where unauthorized login attempts are coming from malicious IPs trying to get into the FortiGate.

It is strongly recommended to block logins from those malicious IPs. Below are sample logs indicating brute-force attempts from attackers.

[Screenshot: brute force logs edited.png]

The steps below apply a local-in policy that restricts unauthorized attempts on administrative access (HTTPS, HTTP, SSH) to the firewall. Local-in policy configuration is only available in the CLI (from FortiGate v7.6.0 it can also be configured in the GUI, as noted later in this article).

  1. Create a firewall address object for the specific IPs, subnets, countries, or other sources to be kept away from the administrative interface. In this example, a single IP is blocked:

 

config firewall address
    edit "Block_IP"
        set subnet 10.47.17.179 255.255.255.255
    next
end

 

  2. Create a local-in policy and apply the created firewall address. The default action of a local-in policy is 'deny'.

 

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Block_IP"
        set dstaddr "all"
        set service "ALL" <----- Define specific service/s.
        set schedule "always"
    next
end
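The article blocks a single address. The following added example (not from the original article) generalizes the same deny policy to a blocklist: several attacker sources are collected in an address group, and the policy is limited to the administrative services named above instead of "ALL", so other local-in traffic on the interface (VPN, routing protocols) is not affected. The interface name "port1", the address names and the 10.47.17.0/24 subnet are assumed values; the "<-----" annotations follow the article's convention and must be removed before pasting into the CLI.

```fortios
config firewall address
    edit "Attacker_1"
        set subnet 10.47.17.179 255.255.255.255
    next
    edit "Attacker_Net"
        set subnet 10.47.17.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "Admin_Blocklist"
        set member "Attacker_1" "Attacker_Net"   <----- add further sources here as they are identified
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Admin_Blocklist"
        set dstaddr "all"
        set service "HTTPS" "HTTP" "SSH"           <----- admin services only, not "ALL"
        set schedule "always"
        set action deny                            <----- explicit, although deny is the default
    next
end
```

Keeping the sources in an address group means new attacker IPs are added to the group rather than by creating more policies. The predefined "HTTPS" service matches TCP/443; if the administrative HTTPS port has been changed with 'admin-sport' under 'config system global', a custom service for that port must be used instead, or the policy will not match the login traffic.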

 

Once the local-in policy is applied, an attacker at the defined IP/subnet will no longer reach the administrator login prompt.

[Screenshot: local-in 4.png]

By default, local traffic logs in FortiGate are disabled. To enable local traffic logs, see Technical Tip: Local traffic logs tab shows no results.
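As an added example (not part of the original article, which refers to a separate Technical Tip), the local-in logging switches live under 'config log setting'. This enables logging of traffic accepted and of unicast traffic denied by local-in policies, which is what is needed to see the blocked login attempts; broadcast denies are left off because they are noisy. It assumes a log destination (memory, disk or FortiAnalyzer) is already configured.

```fortios
config log setting
    set local-in-allow enable           <----- log local-in traffic accepted by policy
    set local-in-deny-unicast enable    <----- log unicast traffic denied by local-in policy (blocked logins)
    set local-in-deny-broadcast disable <----- broadcast denies are usually noise; enable only if needed
end
```

The "<-----" annotations follow the article's convention and must be removed before pasting. Once enabled, the denied attempts appear under Log & Report -> Local Traffic, as described below.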

 

To view local-in policy logs, navigate to Log & Report -> Local Traffic:

[Screenshot: local-in 3.PNG]

To allow login attempts only from the United States (or any other specific country) and block access from the rest of the world, follow this sample script, in which login is permitted only from IP addresses belonging to the United States.

 

  1. Create a Geo-IP Based Address for the United States.

    Ensure a Geo-IP address object for the United States is created. If it is not, follow the instructions in this Fortinet article to create one.

     

  2. Configure Admin Access Control.
    Once the address object for the United States Geo-IP is created, use the following script to allow only United States-based IP addresses to access the admin login page. Starting from FortiGate v7.6.0, the local-in policy can also be configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.

 

[Screenshot: image - 2024-08-07T151310.306.png]

Ignore the UUID part in the previous screenshot.

 

Note: In the script below, the United States Geo-IP address object is named 'US'. Adjust the name in the script to match the address object name if it differs.

config firewall local-in-policy
    edit 1
        set srcaddr "US" <- Specify the address object name for the United States here.
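Only the first lines of the article's script are reproduced above. The following is an added example (not the article's own script) of the complete configuration for steps 1 and 2: it creates the Geo-IP address object for the United States, then a local-in policy set that accepts the administrative services only from that object and denies them from everywhere else. Local-in policies are evaluated top-down and the first match wins, so the accept policies must come before the catch-all deny. A trusted management host is accepted first so that an administrator is not locked out if the Geo-IP lookup misclassifies their source. The interface "port1", the address name "Mgmt_Host" and the address 192.0.2.10 are assumed values; the "<-----" annotations follow the article's convention and must be removed before pasting.

```fortios
config firewall address
    edit "US"
        set type geography
        set country "US"                   <----- Geo-IP object for the United States
    next
    edit "Mgmt_Host"
        set subnet 192.0.2.10 255.255.255.255   <----- assumed trusted admin workstation
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Mgmt_Host"            <----- lock-out safety net, matched first
        set dstaddr "all"
        set service "HTTPS" "HTTP" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "US"                   <----- the United States Geo-IP address object
        set dstaddr "all"
        set service "HTTPS" "HTTP" "SSH"
        set schedule "always"
        set action accept
    next
    edit 3
        set intf "port1"
        set srcaddr "all"                  <----- everything else is denied on the admin services
        set dstaddr "all"
        set service "HTTPS" "HTTP" "SSH"
        set schedule "always"
        set action deny
    next
end
```

Two caveats: the predefined "HTTPS" service matches TCP/443, so if 'admin-sport' under 'config system global' has been changed, a custom service for that port is required; and the Geo-IP match is only as good as the Geo-IP database, which is why the troubleshooting step below checks that it is up to date. Restricting 'trusthost' on the individual admin accounts is a complementary control that still applies even if a local-in policy is later removed.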

 

  3. Verification.
    After running the above script, verify that the FortiGate admin login is accessible only from the United States and blocked from other countries.

 

  4. Troubleshooting.
    If issues are encountered, ensure that the Geo-IP database is up-to-date by following the instructions in this article: Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database.