Hi there, I'm trying to configure a local-in policy to allow a VoIP provider's robot to ping the WAN interface to report that the internet is up at any given stage.
I can do this, but I want to limit the response to specific hosts' public IP addresses.
So I have a VLAN (10) configured as my PPP WAN connection, bound to the physical port wan1.
My VLAN interface is called WAN-UFB with an appropriate alias.
I have enabled ping on this interface and I can ping in from outside, no problem.
Now I want to limit the hosts that can ping, so I'm trying to create a couple of local-in policies, but I can't get past "set intf", as follows:
```fortios
config firewall local-in-policy
    edit 1
        set intf "WAN-UFB"
        set srcaddr "xxx.xxx.xxx.xxx"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
    next
end
```
When I get to intf, I get the error: "node_check_object fail! for intf Attribute 'intf' MUST be set. Command fail. Return code 1"
What am I doing wrong?
What do you get when you type "set intf ?" after "edit 0"? You should see all possible interfaces in a list, and WAN-UFB is supposed to be one of them. If it's not there, can you share the entire interface "WAN-UFB" config? You can mask sensitive information like the username. Something in the config must be prohibiting it.
Does the "WAN-UFB" happen to be an alias instead of its "real" vlan subinterface name?
Also, by default the local-in-policy has "set action deny" if you don't configure it. So you want to put "set action accept" in edit 1, then place "edit 2" with deny for all other source addresses.
You can see those default values with either "show full" or "get" under "edit x".
Toshi
Hey Toshi, thanks for responding.
No, WAN-UFB is the actual VLAN interface name.
At this stage I can't add any local-in policies, as I can't add the interface. Once I'm able to do that, I can add any policies I need.
After "edit 0", "set intf ?" shows the interfaces; that's great.
I think I now know what the issue is. I didn't mention that I had added the WAN VLAN as a zone, so now that I enter the zone as the interface it lets me add it. Now I can add the rest of the local-in policies, by the looks of it.
Thanks so much for that, Tosh. I'll let you know how I get on; that might not be until Monday.
Hi Tosh, that has solved the problem. I needed to refer to the WAN by the group name, not the actual interface name.
Thanks for your responses, they led me to the solution :)
Once you start using zones in policies, you can't use member interfaces individually in any policies. I didn't know it applied to local-in policies as well, but you just found that out.
Haha, that's the nature of our industry; we never stop learning.
Hi there, also from NZ here. I have VLAN 10 on the WAN interface as PPPoE and want to only allow ping from the Uptime Robot IP list https://uptimerobot.com/inc/files/ips/IPv4.txt
Not sure how to accomplish this. I see the Uptime Robot service already in FortiGate, and have tried some policy rules but can't get it working, even with their main 4 IPs from Dallas.
What exactly doesn't work? Please show us the entire local-in policy in CLI and describe where it fails (on creation or execution).
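The configuration that the advice above (explicit "set action accept" followed by a catch-all deny, referencing the zone rather than the member interface) and the second poster's IP-list requirement point to, written out as an added example that is not from the thread. It assumes the WAN VLAN interface WAN-UFB is a member of a zone named WAN-ZONE (name assumed) and uses two placeholder source addresses from 203.0.113.0/24 in place of the monitoring provider's published list.

```fortios
# Added example, not from the thread. Assumptions: zone name WAN-ZONE,
# and 203.0.113.10 / 203.0.113.11 are placeholder monitor addresses.
# 1. Zone containing the WAN VLAN interface. Once an interface is a zone
#    member, policies (local-in included) must reference the zone name.
config system zone
    edit "WAN-ZONE"
        set interface "WAN-UFB"
    next
end
# 2. Address objects for the permitted monitoring hosts, grouped so the
#    provider's list can grow without editing the policy.
config firewall address
    edit "MON-HOST-1"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "MON-HOST-2"
        set subnet 203.0.113.11 255.255.255.255
    next
end
config firewall addrgrp
    edit "MON-HOSTS"
        set member "MON-HOST-1" "MON-HOST-2"
    next
end
# 3. Local-in policies are evaluated top down and the action defaults to
#    deny, so policy 1 must say "set action accept" explicitly; policy 2
#    then drops ping from every other source hitting the WAN zone.
config firewall local-in-policy
    edit 1
        set intf "WAN-ZONE"
        set srcaddr "MON-HOSTS"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
    next
    edit 2
        set intf "WAN-ZONE"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "PING"
        set schedule "always"
    next
end
```

After committing, "show full-configuration" (or "get" inside "edit 1") confirms the action each policy actually carries, which is the quickest way to catch a missing "set action accept".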
Copyright 2024 Fortinet, Inc. All Rights Reserved.