Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
train_wreck
New Contributor III

Created on ‎04-09-2020 03:51 AM

60E - Block traffic coming into firewall itself

I am getting hammered by a particular IP address on the WAN interface trying to brute force IPsec VPN (UDP port 500). How do I block traffic inbound to the device itself? I tried adding an IPv4 policy item with source & destination interface of "WAN1", a source address of the offending address, and a destination address of all. This did not work.

 

Cisco calls this the "control plane" traffic, which can be filtered just like regular interface access lists. Is this possible to do with Fortinet?

 

OS 6.0.

5925
0 Kudos
6 REPLIES 6
Markus
Valued Contributor

Created on ‎04-09-2020 04:15 AM

Try this as starting Point https://forum.fortinet.com/tm.aspx?m=177311&tree=true

 


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
4315
0 Kudos
train_wreck
New Contributor III
In response to Markus

Created on ‎04-09-2020 04:21 AM

Wow. According to that post, there is currently not a way to block inbound UDP port 500 or 4500 on an IP basis. This is something Cisco has no problem doing......

4315
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to train_wreck

Created on ‎04-09-2020 04:38 AM

What?

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "VPN_origin_countries"
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
    next
end

works perfectly. Explained: only those IP addresses contained in address group "VPN_origin_countries" will be allowed to open IPsec negotiations.

Augment the service with a service group containing further protocols, like ESP and AH.

Finally, block "ALL" services from "any" address from accessing the FGT.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4315
0 Kudos
lobstercreed
Valued Contributor
In response to ede_pfau

Created on ‎04-09-2020 05:30 AM

Wil,

 

I wonder if you didn't read the whole post that Markus shared.  This is the full thread: https://forum.fortinet.com/tm.aspx?m=177311

 

OP "tripley" said that he did what was suggested and it solved his problem, so I'm not sure why you got out of it that it was unfixable...

 

- Daniel

4315
0 Kudos
tanr
Valued Contributor II
In response to lobstercreed

Created on ‎04-09-2020 04:44 PM

Note that your logs might not be showing the true picture for local-in and IKE.  That is, you may get invalid logs showing that something made it past local-in when in fact it did not.

 

See bug #0515255 and https://forum.fortinet.com/tm.aspx?m=166107 for details.

4315
0 Kudos
shlomi
New Contributor

Created on ‎04-15-2020 12:45 PM

below friend

 

https://forum.fortinet.com/tm.aspx?m=127587

4315
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.