Support Forum
Mannyc
New Contributor

Newbie - Re: fortigate 90E login failed alerts from blocked countries

Hello

We, like others, are trying to block certain repeat offenders (countries) from attempting to access and/or accessing our firewall.

We have a blocked-countries-group working with a deny all policy at the top of the list.  I receive admin alerts and I get several login attempts with src IP belonging to countries from that group.  Should that be happening?  I thought having that policy in place would essentially result in any and all packets coming from the blocked countries just being dropped.

Any clarification or guidance is appreciated

Thx

Dave_Hall
Honored Contributor

What you want to use is a Local-In policy for traffic directed at the Fortigate's front door. 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Mannyc

Hello Dave

Thank you for replying.  I don't know that much about router configs etc.  If you don't mind, can you explain the following:

1- What exactly is the existing policy doing for us?  (Our fortigate was config'd and put in place by a vendor - we don't know enough to make changes and feel confident they are done correctly.)

2- The local-in policy you mention, is that something that can be done via the GUI?

3- What is the difference between what you suggest and what is in place?

Thx

Dave_Hall
Honored Contributor

The fgt has a number of "open" ports that it listens on, including ports for administrative access.  Local-in policies (for the most part) are meant to control (block or allow) this access.

Here is a script example:

config firewall address
    edit "China-Country"
        set type geography
        set associated-interface "wan1"
        set country "CN"
    next
end

config firewall addrgrp
    edit "blocked-countries-group"
        set member "China-Country"
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-countries-group"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end

(Code snippet is from 5.2.)

But if you merely want to restrict admin login access to local or trusted hosts (as tioeudes noted above), you may be better off doing that.  The section on restricting administrative access can be found here.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

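An added example (not from this reply or from Fortinet) that extends the script above into a full allowlist for the admin services on wan1: it keeps the geography deny, limits it to the admin services so the box can still receive the traffic it needs, and adds an explicit accept for a management network followed by a catch-all deny. Assumed: "blocked-countries-group" already exists, wan1 faces the Internet, 192.0.2.0/24 is a constructed stand-in for the real admin network, and FortiOS 6.x syntax.

```fortios
# Added example, not part of the original post. Assumes "blocked-countries-group" exists
# (as in the script above), wan1 is the Internet-facing interface, and 192.0.2.0/24 is a
# constructed placeholder for the real admin network. FortiOS 6.x syntax.
config firewall address
    edit "admin-mgmt-net"
        set type ipmask
        set subnet 192.0.2.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Evaluated top-down like IPv4 policies; the first match wins, so order matters.
    edit 1
        set intf "wan1"
        set srcaddr "blocked-countries-group"
        set dstaddr "all"
        # deny is the default action for a local-in policy; stating it makes audits unambiguous
        set action deny
        # Limit the deny to the admin services. A service "ALL" deny on wan1 also drops traffic
        # the unit itself must accept there, e.g. IKE for IPsec tunnels or BGP/OSPF peers.
        set service "HTTPS" "SSH" "PING"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "admin-mgmt-net"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 3
        # Catch-all for admin services from everywhere else. Without it, policy 2 changes
        # nothing: unmatched traffic falls through to the interface's allowaccess setting.
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end
```

Verify the result with `show firewall local-in-policy`; once in place, the "admin login failed" alerts from addresses in the geography group should stop, because those connections never reach the login prompt.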
Mannyc

Hello

Thx again.

My confusion is that if we have a blocked geography group with some countries in it and we have destination all/service all/action deny (in the IPV4 policy as viewed in the GUI), then I would expect that if a login attempt from China comes in, the fgt will just check the address, identify it as China and just drop it.  If that were so, I should not be seeing alerts that say user "admin" from src China login failed invalid password.

That leads me to believe that the vendor did not config correctly.  I mean, what if they brute force and end up getting in?

Thx

Dave_Hall
Honored Contributor

IPV4 policies only cover traffic that crosses an interface - not traffic that "hits" or is directed at the interface itself.   I would still have those IPV4 policies in place if you do not want inside endpoints (e.g. on the LAN interface) sending/receiving traffic to/from external addresses outside the fgt in a foreign country, especially at odd hours.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Mannyc

I think I am starting to see the light!

To me that distinction (crossing the interf vs hitting the interf) is not clear cut.

So let me ask, if I use the CLI how can I show the config for policies?

How do I list my local-ins, for example?

How do I list the ones that are not local-in?

Thank you I really appreciate your help

Dave_Hall
Honored Contributor

Please review the info on the following link for Local-In policies: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/342743/local-in-policies

Use show firewall policy to list the existing firewall policies. Use show firewall local-in-policy to show existing local-in policies.

Think of local-in policies as controlling administrative/management access to an interface - often this is the WAN or WAN1 interface, but it could be any interface.  The key theme to keep in mind is that there are open ports by default on the fgt, and local-in policies can be used to control that.  The link above (local-in policies) gives some examples of this with regard to restricting admin access (during certain times of the day).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

tioeudes
Contributor

The IPV4 policies are there for traffic passing through the fgt.

The local-in policies are for traffic starting on / directed to your fortigate.

To protect your device from unauthorized admin login you can:

Disable HTTP/HTTPS/SSH/TELNET on your WAN interfaces;

Set trusted hosts for your legit admin accounts (so that your admins can log in only from trusted networks);

Define a password creation policy, forcing the admins to use only strong passwords;

Not an option for everyone, but you can set up two-factor authentication for admin logins.

Regards,

tioeudes
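The four controls listed above as FortiOS CLI, an added example that is not the replier's own configuration. Assumptions: wan1 is the Internet-facing interface, the account is "admin", 192.0.2.0/24 and 10.10.0.0/24 are constructed stand-ins for the admin and LAN networks, the FortiToken serial is a placeholder, and the syntax is FortiOS 6.x (older releases word the password-policy options differently).

```fortios
# Added example, not from the reply above. Assumes wan1 faces the Internet, the account
# is "admin", 192.0.2.0/24 and 10.10.0.0/24 are constructed example networks, and the
# FortiToken serial is a placeholder. FortiOS 6.x syntax.

# 1. Remove admin services from the WAN interface. Only ping is left; drop it too if unneeded.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# 2. Trusted hosts. Once any trusthost is set, the account is refused from every other
#    source on every interface, so include the LAN admin subnet as well as the remote one.
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
        set trusthost2 10.10.0.0 255.255.255.0
    next
end

# 3. Password policy applied to administrator passwords.
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 14
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-number 1
    set min-non-alphanumeric 1
    set expire-status enable
    set expire-day 90
end

# 4. Two-factor: bind a FortiToken to the account (serial below is a placeholder).
config system admin
    edit "admin"
        set two-factor fortitoken
        set fortitoken "FTK-SERIAL-PLACEHOLDER"
    next
end
```

Check the result with `show system admin admin` and `show system interface wan1`, and keep a second session open while changing trusted hosts so a typo in the subnet does not lock you out.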
