Description: This article describes how to use local-in policies to restrict administrative access from attackers or malicious IPs trying to get into the FortiGate.
Scope: FortiGate.
Solution:
There are instances where unauthorized login attempts come from malicious IPs trying to get into the FortiGate. It is strongly recommended to block logins from those malicious IPs. Below are sample logs indicating brute force attempts from attackers.
To apply a local-in policy that restricts unauthorized attempts on the firewall's administrative access (HTTPS, HTTP, SSH, SNMP), configure the following:
Local-in policy is configurable only from the CLI for FortiOS 7.4 and below.
config firewall address
config firewall local-in-policy
Once the local-in policy is applied, the attacker from the defined IP/subnet will no longer be able to reach the administrator login prompt.
By default, local traffic logs in FortiGate are disabled. To enable local traffic logs, see Technical Tip: Local traffic logs tab shows no results.
To view local-in policy logs, navigate to Log & Report -> Local Traffic:
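The address object and local-in policy for the scenario above, written out as an added example (not the article's own screenshots): the source range 203.0.113.0/24, the object names "Malicious_Src" and "Admin_Access", and the interface name "wan" are constructed placeholders to be replaced with the attacker IP/subnet seen in the logs and the interface the login attempts arrive on.

```fortios
config firewall address
    edit "Malicious_Src"
        set subnet 203.0.113.0 255.255.255.0
        set comment "Constructed example: source range seen brute-forcing admin logins"
    next
end
config firewall service group
    edit "Admin_Access"
        set member "HTTPS" "HTTP" "SSH" "SNMP"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan"
        set srcaddr "Malicious_Src"
        set dstaddr "all"
        set action deny
        set service "Admin_Access"
        set schedule "always"
        set status enable
    next
end
```

Verify the policy with 'show firewall local-in-policy'; once local traffic logging is enabled, denied attempts from that range appear under Log & Report -> Local Traffic.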
To allow login attempts only from the United States or a specific country and block access from the rest of the world, follow this sample script, where login is permitted only from IP addresses belonging to the United States.
Ignore the UUID part in the previous screenshot.
Note: In the script below, the United States Geo-IP address object is named 'US'. Adjust the name in the script to match the address object name if it differs.
A simpler way to meet the same requirement as above, where the FortiGate blocks HTTPS access from all non-US IP addresses, is to use the 'srcaddr-negate' option in the local-in policy, which is described in Technical Tip: How to configure a local-in policy to only allow specific subnet using srcaddr-negate...
config firewall local-in-policy
    edit 1
        set intf "wan"
        set srcaddr "US"
        set srcaddr-negate enable    <----- This command negates the source match: it blocks all non-US IP addresses.
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
end
When using the 'United States' geographical address group in the srcaddr field, this will also exclude RFC 1918 private subnet ranges. For instance, if an administrator tries to access FortiGate on the LAN port using 192.168.1.99, it will be blocked as it is a private IP address, which would not be defined in the Geographical IP ranges for any country.
The best option would be to have a Geo address 'US' as well as a local subnet in an address group, and then apply it in local-in-policy.
config firewall address
    edit "Lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall address
    edit "US"
        set type geography
        set country "US"
    next
end
config firewall addrgrp
    edit "Allowed"
        set member "Lan" "US"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allowed"
        set srcaddr-negate enable    <----- This command negates the source match: HTTPS access is denied from every IP address that is not in the "Allowed" group (the LAN subnet and US addresses).
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
end
Copyright 2025 Fortinet, Inc. All Rights Reserved.