Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
danfor443
New Contributor

Allow ping access from a specific IP only

Hello everyone

 

The goal is that Nagios monitoring from the headquarters can ping the branch FortiGates on their external interface IP, i.e. their public IP.

 

If I allow the "PING" service in the GUI under -> Interfaces -> <WAN>, then it works.

But then everyone may ping my external interface.

 

So I want to limit access and found the article "https://kb.fortinet.com/kb/documentLink.do?externalID=FD44156", which describes exactly what I need... but it won't work.

 

The firewall is a FortiGate 100E running version 6.0.9 build 0335 (GA).

 

 

***** The local-in Policy as described in the KB Article ******

config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "trusted-1"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
        set status enable
    next
end

 

where "trusted-1" is 12.12.12.12/32 (of course I changed the original source IP).

And "wan2" is the correct interface here.

************************************************************

 

 

 

 

***** Here the syslog if i try a PING from IP 12.12.12.12******

Jun 29 12:09:54 xxxxx date=2020-06-29 time=12:09:10 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593425350 srcip=12.12.12.12 srcintf="wan2" srcintfrole="wan" dstip=34.34.34.34 dstintf="root" dstintfrole="undefined" sessionid=65326605 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"

 

Here I see "deny", "policyid=0" and "policytype=local-in-policy".

************************************************************

 

 

 

 

 

***** Or here the log from "diagnose sniffer packet wan2 'host 12.12.12.12 and icmp' 4 0 1" ******

8.880774 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
9.889553 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
10.899540 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
11.909555 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
12.919622 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request

 

As you can see, no reply is coming back.

************************************************************

 

 

The routing table is set correctly.

If I enable PING via the GUI on the WAN2 interface, it works immediately.

 

So the problem seems to be the local-in policy?!

 

Can anybody help me?

Has someone had the same problem?

 

Best Regards

Danfor

ede_pfau
Esteemed Contributor III

set status disable
...seen this?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
danfor443

Hi Ede,

 

Oh sorry, this is just because I did some troubleshooting and copied this part after I had disabled it.

Sorry, confusing.

But it doesn't work with "set status enable".

oscar37

Hi,

 

Try this:

 

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "YOUR TRUSTED IP"
        set dstaddr "all"
        set action accept
        set service "ALL_ICMP"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL_ICMP"
        set schedule "always"
    next
end

 

I have been using this for a while now and it has always worked for me.

 

 

 

danfor443

Hi Oscar,

 

Thank you for your post.

 

Hmmmm, interesting.... Actually it is still not working, but:

 

I made the config as you described:

 

XXXXX (local-in-policy) # edit 1
XXXXX (1) # get
policyid            : 1
intf                : wan2
srcaddr             : "trusted-1"
dstaddr             : "all"
action              : accept
service             : "ALL_ICMP"
schedule            : always
status              : enable
comments            :

XXXXX (local-in-policy) # edit 2
XXXXX (2) # get
policyid            : 2
intf                : wan2
srcaddr             : "all"
dstaddr             : "all"
action              : deny
service             : "ALL_ICMP"
schedule            : always
status              : enable
comments            :

 

Now in the syslog I see the same as before:

 

...deny, policyid=0, local-in-policy,.....

 

Jun 29 21:58:55 xxxxx date=2020-06-29 time=21:58:09 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460689 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67085042 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"

 

 

If I disable local policy 1 (which should allow the ping):

 

...deny, policyid=2, local-in-policy,.....    <-- it says policyid=2   

That means local policy (2) works if I disable local policy (1).

But local policy (2) doesn't work if I enable local policy (1).... instead policyid (0) is in effect....

Strange behavior, I guess.

 

Jun 29 21:59:49 xxxxx date=2020-06-29 time=21:59:03 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460743 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67087264 proto=1 action="deny" policyid=2 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"

 

 

Do I have to enable local policies configured via the CLI or something like that?

 

Thank you people for reading and helping!

oscar37

That's strange. This has worked for me every time.

 

Another option is to create a loopback interface and add a VIP to it. In the policy, allow ICMP only from your trusted host.

 

 

Thank You,

 

Oscar

 

 

 

danfor443

OK, I have the solution.

 

If I enable PING in the GUI first, everyone can now ping this interface.

NOW I can make the configuration like Oscar's. After that, only "set srcaddr 'YOUR TRUSTED IP'" can ping the interface.

Problem solved.

 

My misunderstanding was that I thought as long as I enable PING in the GUI -> everyone can ping that interface.

Furthermore, I thought I needed to create the local-in policy INSTEAD of enabling PING in the GUI.

 

Now I know: enabling PING in the GUI is like activating the service.

After that I have to create local-in policies to limit access. Then it works.

 

 

Thank you guys for helping!

Learned something again.

 

Greetings

Danfor
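Putting the thread's conclusion together, here is the complete configuration as an added example. It is not taken from any of the posts above; the interface name "wan2", the address name "trusted-1" and the placeholder IP 12.12.12.12 are reused from the original post, everything else (the address-object definition, the explicit deny in policy 2, the use of "append") is an assumption about how you would write it out on a 6.0 box. Lines beginning with "#" are explanatory only and can be dropped when pasting into the CLI.

```fortios
# Added example, not from the thread. Names "wan2", "trusted-1" and the
# placeholder 12.12.12.12 come from the original post; the rest is assumed.

# 1) Enable the ICMP "service" on the interface. Without this the FortiGate
#    drops the echo request before any configured local-in policy is
#    consulted, which is what the thread ran into.
#    "append" adds ping to the existing allowaccess list; "set allowaccess ping"
#    would replace that list and silently drop e.g. https/ssh on wan2.
config system interface
    edit "wan2"
        append allowaccess ping
    next
end

# 2) Host address object for the monitoring server (/32).
config firewall address
    edit "trusted-1"
        set subnet 12.12.12.12 255.255.255.255
    next
end

# 3) Local-in policies are evaluated top-down, first match wins:
#    policy 1 accepts echo requests from the trusted host only,
#    policy 2 drops all other ICMP aimed at this interface.
#    Policy 2 states "set action deny" explicitly (the default would also
#    be deny) so the intent is visible in "show" output and in the log,
#    where a denied probe then carries policyid=2 rather than policyid=0.
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "trusted-1"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
    next
    edit 2
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL_ICMP"
        set schedule "always"
    next
end
```

To check it, rerun the sniffer command from the original post, "diagnose sniffer packet wan2 'host 12.12.12.12 and icmp' 4 0 1": each "echo request" line should now be followed by an "echo reply" line. A ping from any other source should show up in the local traffic log as action="deny" with policyid=2; a policyid=0 deny, as in the logs posted earlier in the thread, means the request was dropped before the configured local-in policies were applied, i.e. ping is still not enabled on the interface.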

ede_pfau
Esteemed Contributor III

Actually, FortiOS creates local-in policies for you if you enable Trusted Hosts. It's one and the same thing, but TH is a shortcut config. If you enable the feature 'Local policies' in System > Features, you can see these policies.


Ede

"Kernel panic: Aiee, killing interrupt handler!"