Description
This article describes how to use an external connector (IP Address Threat Feed) in a local-in-policy. The example in this article will block the IP addresses in the feed. However, it is also possible to use a policy to allow IP addresses, such as in a whitelist. |
Scope: FortiGate v7.2.4+ (local-in-policy via CLI); FortiGate v7.6.0+ (GUI)
Solution
GUI example: In this example, an external IP threat feed named 'IP_Feed' is configured.
Make sure to enable 'Local-In Policy' under System -> Feature Visibility to be able to configure local-in policies from the GUI.
Go to Policy & Objects -> Local-In Policy and select Create new.
Note: From v7.6.1 onward, local-in policies cannot be configured with individual SD-WAN member interfaces; they must be configured with the SD-WAN zone.
Refer to this article for more information: Troubleshooting Tip: Local-in, Central-SNAT, DoS policies etc are missing after upgrade to FortiOS v.... To block traffic with external threat feed for IP block list on SSL VPN with a local-in-policy, see Technical Tip: IOC as External resource to restrict random user login in SSL VPN.
CLI config example:
config system external-resource
    edit "External_IP_Feed"
        set type address
        set resource "http://<websiteaddressordomain>/tmp/IP_add_test.txt"
        set refresh-rate 1440
    next
end

config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "External_IP_Feed"
        set dstaddr "all"
        set action <accept or deny>
        set service "ALL"
        set schedule "always"
    next
end
Note: It may take a few minutes for the new IPs in the external list to be applied to the local-in-policy.
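Because a deny local-in-policy whose source is the feed applies to traffic destined for the FortiGate itself, any feed entry that overlaps the networks administrators connect from would block management access. The following Python check is an added example, not part of this article or of FortiOS: it validates a feed file before it is published, assuming one IPv4/IPv6 address, subnet or "start-end" range per line with '#' comments, and uses 10.0.0.0/8 as a placeholder management network.

```python
import ipaddress

# Constructed sample feed (not from the article). Assumed format: one IPv4/IPv6
# address, subnet or "start-end" range per line; '#' begins a comment.
SAMPLE_FEED = """# constructed sample feed
203.0.113.0/24
198.51.100.7
2001:db8::/32
192.0.2.1-192.0.2.5
not-an-ip
0.0.0.0/0
"""

# Placeholder for the networks administrators manage the FortiGate from (assumption).
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_entry(line):
    """Turn one feed entry into a list of ip_network objects; ValueError if malformed."""
    if "-" in line:  # address range: summarize it into CIDR blocks
        start, end = (p.strip() for p in line.split("-", 1))
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if first.version != last.version or first > last:
            raise ValueError("bad range: " + line)
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(line, strict=False)]


def check_feed(text, management_networks=MANAGEMENT_NETWORKS):
    """Return valid networks, malformed lines, and lines overlapping management space."""
    valid, invalid, overlaps = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            nets = parse_entry(line)
        except ValueError:
            invalid.append(line)
            continue
        for net in nets:
            if any(net.version == m.version and net.overlaps(m)
                   for m in management_networks):
                overlaps.append(line)  # a deny policy built on this would lock admins out
            valid.append(net)
    return {"valid": valid, "invalid": invalid, "overlaps": sorted(set(overlaps))}


if __name__ == "__main__":
    report = check_feed(SAMPLE_FEED)
    print(len(report["valid"]), "networks; malformed:", report["invalid"],
          "; overlapping management space:", report["overlaps"])
```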
Some troubleshooting commands:
diagnose sys external-address-resource list
diagnose sys external-address-resource list <name>
Example:
diagnose sys external-address-resource list
diagnose sys external-address-resource list External_IP_Feed
Copyright 2025 Fortinet, Inc. All Rights Reserved.