Fortinet Forum
BlackIce
New Contributor

Block incoming traffic from all external sources in Fortigate

Hello,

We recently set up a Fortigate 6.2.5 device and set up IPsec VPN for external access for our co-workers.

Now, I would like to block all incoming external traffic (or at least restrict ports and so on), but I could not figure out which interface I should add the rules to.

I have tried adding some restrictions to WAN1 (incoming interface) > Internal (outgoing interface), but it does not seem to work: the blocking rules are ignored, and no traffic goes through the new rules.

In our previous router (from a different brand), I could simply apply a rule to the WAN1 interface, and that's all. What incoming/outgoing interface should be set to restrict the incoming external traffic?

Thank you for any help!

1 Solution
ede_pfau
Esteemed Contributor III

hi,

I have difficulties in understanding your question.

Policies control the traffic between pairs of interfaces, or rather, the networks attached to the interfaces. The WAN is one, and your LAN is another network. Per default, no traffic at all is allowed between networks ("whitelisting" model). If you want to allow some traffic, write a policy for the interface pair involved.

For example, you want to allow traffic from remote workers inbound to a LAN server. For IPsec VPN, the source interface is the dial-in VPN (the interface has the same name as the phase1); for SSLVPN, it's "SSL-VPN". The destination interface is "lan" or "port1", whatever you chose to use for this. Then you create address objects for the networks, or single server addresses (a.b.c.d/32), and specify the service(s) allowed. That's all.

Usually, you do not have direct access to internal networks from WAN. That's what VPN is for.

A totally different topic is how you would prevent WAN traffic from reaching the FGT itself. Sometimes, if the FGT is under constant attack, you exclude single addresses, or even countries, from accessing the FGT. This is done in Local policies. These can be useful, but are not really common in reality (YMMV).

Ede

"Kernel panic: Aiee, killing interrupt handler!"


2 REPLIES 2

R_F
New Contributor III

How about working with a local-in policy? Please see the link below for reference.

Cookbook | FortiGate / FortiOS 6.2.10 | Fortinet Documentation Library
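As an added example (not part of the original thread and not taken from Fortinet documentation), the following FortiOS 6.2 CLI fragment puts both points of the thread into one configuration: Ede's interface-pair policy from the dial-up IPsec interface to the LAN server, and the local-in policy that Ede and R_F mention for traffic aimed at the FortiGate itself. It also shows why the asker's wan1 > internal rules never matched: decrypted VPN traffic enters the policy lookup on the IPsec interface (named after the phase1), not on wan1, so a policy pair of wan1/internal is never consulted for it. All names, addresses and the policy IDs are constructed assumptions: "remote-workers" is assumed to be the dial-up phase1 name, "internal" the LAN interface, 10.212.134.0/24 the address pool handed to VPN clients, 10.0.10.20 the LAN server, and 203.0.113.0/24 a constructed range to be kept away from the firewall's own services. Lines beginning with # are annotations and are not CLI commands.

```fortios
# Address objects: the VPN client pool and the single LAN server (/32).
config firewall address
    edit "vpn-clients"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "srv-files"
        set subnet 10.0.10.20 255.255.255.255
    next
    edit "blocked-sources"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# Interface-pair policy: dial-up IPsec interface -> LAN, only the listed
# services, only to the one server. Nothing else is needed for "deny":
# any pair without an accept policy is dropped by default.
config firewall policy
    edit 10
        set name "vpn-to-fileserver"
        set srcintf "remote-workers"
        set dstintf "internal"
        set srcaddr "vpn-clients"
        set dstaddr "srv-files"
        set action accept
        set schedule "always"
        set service "SMB" "HTTPS"
        set logtraffic all
    next
end

# Local-in policy: traffic from the constructed range to the FortiGate
# itself on wan1 (management, VPN listeners) is dropped before it reaches
# any local service. This does not affect forwarded traffic.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-sources"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

To confirm which interface pair a flow actually hits, the policy ID and the source and destination interface names appear in the forward-traffic log entries enabled by `set logtraffic all`; a VPN client session should show the IPsec interface as the source interface and policy 10, while nothing should appear for the wan1 > internal pair. Keep the local-in policy narrow (specific sources or a geography address object rather than "all"), since an overly broad deny on wan1 will also block the IPsec negotiation the remote workers depend on.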