Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
billp
Contributor

Allow pings on Wan1 from Address Group?

I'm running 5.0.7 on a 600C. I'd like to enable Ping on the Wan1 interface, but only want to make it accessible for a limited number of outside addresses. Any idea if this is possible? I tried this policy, but it did not work (Monitor1 contains all my allowed addresses).
 config firewall interface-policy
     edit 1
         set interface "wan1"
         set srcaddr "Monitor1"
         set dstaddr "all"
         set service "PING"
     next
 end
 
Thanks.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

Dave_Hall
Honored Contributor

I think what you are after is to enable ping on the WAN1 interface (under config system interface) then create a local-in-policy...something like....
 config firewall local-in-policy
     edit 1
         set intf "wan1"
         set srcaddr "Monitor1"
         set dstaddr "all"
         set action accept
         set service "PING"
         set schedule "always"
         set status enable
     next
 end
 
...then create another local-in-policy below that to block pings from other sources.

edit: sorry, I think I misread your post. If you want to give ping access to a small group of addresses on the inside (pinging out), your policy should look something like this:
 config firewall policy
     edit 1
         set srcintf "internal"
         set dstintf "wan1"
         set srcaddr "Monitor1"
         set dstaddr "all"
         set action accept
         set service "PING"
         set schedule "always"
     next
 end
 
Then create another firewall policy below that to block ping access. Move both fw policies up the fw chain so they will get executed.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

ede_pfau
Esteemed Contributor III

hi Bill, you're playing with Interface policies? Nice idea, one of the lesser used methods in FortiOS. I've got to read in on this but from first sight I'd say the problem is about 'source address' and 'dest address'. These have different meanings in IF-policies as the policy does not connect 2 interfaces. Might be that you can only use one at a time, either src or dst.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
billp

you're playing with Interface policies? Nice idea, one of the lesser used methods in FortiOS.

Ede, I had trouble getting my interface policy to work, so I switched to using a local-in policy. In hindsight, I think I used the wrong srcaddr group accidentally (I had two that had similar names), so using an interface policy might still have been a workable way to go here. That's one of the great things about the Fortigate...the CLI is complex enough that it gives you the freedom to come up with multiple solutions.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

FortiAdam
Contributor II

First off, are you trying to ping the interface IP address of wan1 or a VIP? Are you utilizing the trusted hosts function on your administrator account? AFAIK ping is an administrative access function so I think you would need to add the IPs or networks from your "monitor" group to the trusted hosts for one of your administrators. If you aren't using trusted hosts on your administrators, then everyone should be able to ping at which point you could create the necessary interface policy to allow ping from your specified hosts but block everyone else. If you are trying to ping a VIP then the story changes a little but it is still possible.
emnoc
Esteemed Contributor III

Agreed, and remember to use the diag debug flow to see what's happening for whatever you try. We personally use the trusthost method to control this but a lot of others find this too generic and broad. Follow up on what you finally do.

PCNSE 

NSE 

StrongSwan  

billp
Contributor

Thank you all for your replies. Dave's suggestion for using local-in policies came closest to what I was trying to accomplish. I wanted to allow selected servers from a remote monitoring service to be able to ping the primary IP on our WAN1 interface. (I wasn't trying to allow pings to a VIP. I'm pretty sure I could allow that using a regular firewall policy. I didn't think of using the TrustedHosts method to allow pings, but that method seems a little broad for my approach.)

Here's what I did to get this to work:

1. Enable PING administration access on the Wan1 interface.
2. Create two local-in policies per Dave's suggestion: the first policy allows pings from my remote monitoring group; the second policy denies pings from all addresses.

Here's the exact config in case anyone else wants to try this:
 config system interface
     edit "wan1"
         set allowaccess ping
     next
 end

 config firewall local-in-policy
     edit 1
         set intf "wan1"
         set srcaddr "MonitorGroup1"
         set dstaddr "all"
         set action accept
         set service "PING"
         set schedule "always"
     next
     edit 2
         set intf "wan1"
         set srcaddr "all"
         set dstaddr "all"
         set service "PING"
         set schedule "always"
     next
 end
 
The second policy has an implied/default deny action, so it does not show. Thanks again.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

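The procedure in Bill's post (ping in allowaccess, an accept local-in policy for the monitoring group, then a catch-all policy left at the default deny action) modelled as an added Python example. This is not code from the thread and not Fortinet's; it parses a FortiOS-style CLI snippet and applies the evaluation order the solution relies on: allowaccess must include ping, local-in policies are tried top-down with the first match deciding, a policy with no explicit action denies, and a packet that matches no local-in policy at all is left to allowaccess alone. The address objects, group members and probe IPs are constructed (RFC 5737 documentation ranges); the thread only names the group MonitorGroup1.

```python
"""Model of how a FortiGate decides whether an ICMP echo to an interface IP is answered."""
import ipaddress
import shlex

# Constructed config, modelled on the thread's solution. The two address objects
# and the group membership are assumptions; the thread only names the group.
CONFIG = """
config system interface
    edit "wan1"
        set allowaccess ping
    next
end
config firewall address
    edit "monitor-a"
        set subnet 203.0.113.0 255.255.255.0
    next
    edit "monitor-b"
        set subnet 198.51.100.7 255.255.255.255
    next
end
config firewall addrgrp
    edit "MonitorGroup1"
        set member "monitor-a" "monitor-b"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MonitorGroup1"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
    next
end
"""


def parse_fortios(text):
    """Parse flat config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}.

    Nested sub-tables (a 'config' inside an 'edit') are not used here and not handled.
    Entry order is preserved, which is what local-in policy evaluation depends on.
    """
    sections, section, entry = {}, None, None
    for line in text.splitlines():
        tokens = shlex.split(line)          # handles the quoted names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            section = sections.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = section.setdefault(args[0], {})
        elif cmd == "set":
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section = None
    return sections


def resolve_addr(name, cfg):
    """Expand an address or address-group name into a list of ip_network objects."""
    if name == "all":
        return [ipaddress.ip_network("0.0.0.0/0")]
    groups = cfg.get("firewall addrgrp", {})
    if name in groups:
        nets = []
        for member in groups[name]["member"]:
            nets.extend(resolve_addr(member, cfg))
        return nets
    ip, mask = cfg["firewall address"][name]["subnet"]
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)]


def ping_allowed(src, intf, cfg):
    """Return True if an echo request from src to the IP of intf would be answered.

    dstaddr is ignored (the interface IP is always in "all") and the schedule is
    assumed to be "always", as in the thread's config.
    """
    src_ip = ipaddress.ip_address(src)
    # allowaccess must include ping no matter what the local-in policies say.
    if "ping" not in cfg.get("system interface", {}).get(intf, {}).get("allowaccess", []):
        return False
    for policy in cfg.get("firewall local-in-policy", {}).values():
        if policy.get("intf", [""])[0] != intf:
            continue
        if policy.get("status", ["enable"])[0] != "enable":
            continue
        if "PING" not in policy.get("service", []):
            continue
        nets = [n for name in policy.get("srcaddr", []) for n in resolve_addr(name, cfg)]
        if not any(src_ip in n for n in nets):
            continue
        # First matching policy decides. 'action' defaults to deny, which is why the
        # thread's second policy shows no action line yet still blocks.
        return policy.get("action", ["deny"])[0] == "accept"
    # No local-in policy matched: nothing blocks the packet and allowaccess already passed.
    return True


def probe(cfg, sources, intf="wan1"):
    """Evaluate a list of source IPs and return {ip: allowed}."""
    return {src: ping_allowed(src, intf, cfg) for src in sources}


def compare_with_and_without_catch_all(sources, intf="wan1"):
    """Return (results with policy 2 present, results with policy 2 removed)."""
    with_deny = parse_fortios(CONFIG)
    without_deny = parse_fortios(CONFIG)
    del without_deny["firewall local-in-policy"]["2"]   # drop the catch-all deny
    return probe(with_deny, sources, intf), probe(without_deny, sources, intf)


if __name__ == "__main__":
    probes = ["203.0.113.5", "198.51.100.7", "192.0.2.9"]   # two in the group, one stranger
    with_deny, without_deny = compare_with_and_without_catch_all(probes)
    print("with catch-all deny:   ", with_deny)
    print("without catch-all deny:", without_deny)
```

Running it shows the point of the second policy: with it, only the two monitoring sources get True; without it, the stranger at 192.0.2.9 is answered too, because a packet that matches no local-in policy falls through to allowaccess. On the firewall itself, emnoc's suggestion of `diagnose debug flow` with a `proto 1` filter is the way to confirm which policy a real ICMP packet hits.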
jorge9090
New Contributor

Great! Thank you for posting the solution
ede_pfau
Esteemed Contributor III

Bill, thanks for the follow-up. Now that I know what you were after I know you had to use local-in policies. They control traffic to and from the FGT itself, whereas interface and regular policies control traffic through the fortigate. I don't think that an interface policy would have worked as the intended traffic was directed at the FGT itself. But then again...what do I know? I'll test it when I'm back in the office after holidays. Or you do in the meantime, and tell us what is what.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
billp
Contributor

Now that I know what you were after I know you had to use local-in policies. They control traffic to and from the FGT itself, whereas interface and regular policies control traffic through the fortigate.
Ede, thank you. I think that's the best description of local-in policies I've read. Since my ping setup is now working with local-in policies, I don't want to try tinkering with interface policies on my live box. But if you test, please let me know :)

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
