Allow external ping from specific Hosts
Hi there, I'm trying to configure a local-in policy to allow a VoIP provider's robot to ping the WAN interface to report that the internet is up at any given stage.
I can do this, but I want to limit the response to specific hosts' public IP addresses.
So I have a VLAN (10) configured as my PPP WAN connection, bound to the physical port wan1.
My VLAN interface is called WAN-UFB with an appropriate alias.
I have enabled ping on this interface and I can ping in from outside, no problem.
Now I want to limit the hosts that can ping, so I'm trying to create a couple of local-in policies, but I can't get past "set intf", as follows:
config firewall local-in-policy
edit 1
set intf "WAN-UFB"
set srcaddr "xxx.xxx.xxx.xxx"
set dstaddr "all"
set service "PING"
set schedule "always"
next
end
When I get to intf, I get the error: "node_check_object fail! for intf Attribute 'intf' MUST be set. Command fail. Return code 1"
What am I doing wrong?
Labels: FortiGate
What do you get when you type "set intf ?" after "edit 0"? You should see all possible interfaces in a list. Then WAN-UFB is supposed to be one of them. If it's not there, can you share the entire interface "WAN-UFB" config? You can mask sensitive information like the username. Something in the config must be prohibiting it.
Does the "WAN-UFB" happen to be an alias instead of its "real" vlan subinterface name?
Also, by default the local-in policy has "set action deny" if you don't configure it. So you want to put "set action accept" in edit 1, then place "edit 2" with deny for all other source addresses.
You can see those default values with either "show full" or "get" under "edit x".
Toshi
Hey Toshi, thanks for responding.
No, WAN-UFB is the actual VLAN interface name.
At this stage, I can't add any local-in policies as I can't add the interface. Once I'm able to do that, I can add any policies I need.
After "edit 0", "set intf ?" I can see interfaces - that's great.
I think I now know what the issue is... I didn't mention that I had added the WAN VLAN as a zone, so now that I enter the zone as the interface it lets me add it. Now I can add the rest of the local-in policies, by the looks of it.
Thanks so much for that, Tosh - I'll let you know how I get on; that might not be until Monday.
Hi Tosh, that has solved the problem. I needed to refer to the WAN by the zone name, not the actual interface name.
Thanks for your responses, they led me to the solution :)
Once you start using zones in policies, you can't use member interfaces individually in any policies. I didn't know it applied to local-in policies as well, but you just found that out.
Haha, that's the nature of our industry - we never stop learning.
Hi there, also from NZ here. I have VLAN 10 on the WAN interface as PPPoE and want to only allow ping from the Uptime Robot IP list https://uptimerobot.com/inc/files/ips/IPv4.txt
Not sure how to accomplish this. I see an Uptime Robot service already in FortiGate; I have tried some policy rules but can't get it working, even with their main 4 IPs from Dallas.
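The two things this thread turns on are Toshi's point that a local-in policy defaults to deny (so the accept rule for the monitoring hosts has to come first, followed by an explicit deny for everyone else) and the earlier finding that the WAN must be referenced by its zone name once it is a zone member. The script below is an added example, not from the thread or from Fortinet: it turns a one-IP-per-line list such as the Uptime Robot file into FortiOS CLI for an address group and the two local-in policies. The zone name "WAN-ZONE", the group name "UptimeRobot-IPs" and the sample addresses (RFC 5737 documentation ranges standing in for the real list) are assumptions.

```python
"""Generate FortiOS CLI that allows ICMP ping to the WAN zone only from a list
of monitoring hosts, and denies ping from every other source.

Added example, not code from the thread or from Fortinet. Assumed names:
the WAN zone is "WAN-ZONE" and the address group "UptimeRobot-IPs".
"""
import ipaddress
from typing import List

# Constructed sample standing in for the contents of
# https://uptimerobot.com/inc/files/ips/IPv4.txt (one IPv4 address per line).
# RFC 5737 documentation addresses, not Uptime Robot's real ones; includes
# CRLF, a blank line, a duplicate and a junk line to exercise the parser.
SAMPLE_IP_LIST = "198.51.100.10\n198.51.100.11\r\n203.0.113.5\n\n203.0.113.5\nnot-an-ip\n"


def parse_ip_list(text: str) -> List[str]:
    """Return unique, valid IPv4 host addresses in input order; skip junk lines."""
    ips: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = str(ipaddress.IPv4Address(line))
        except ValueError:
            # The list is downloaded input: never let a malformed line reach the config.
            continue
        if ip not in ips:
            ips.append(ip)
    return ips


def build_config(ip_list_text: str, zone: str = "WAN-ZONE",
                 group: str = "UptimeRobot-IPs") -> str:
    """Emit address objects, an address group and the ordered local-in policies."""
    ips = parse_ip_list(ip_list_text)
    if not ips:
        # An empty allow list plus the deny rule would block all monitoring.
        raise ValueError("no valid addresses parsed; refusing to emit config")
    names = [f"{group}-{i}" for i in range(1, len(ips) + 1)]

    out = ["config firewall address"]
    for name, ip in zip(names, ips):
        out += [f'    edit "{name}"',
                f"        set subnet {ip} 255.255.255.255",
                "    next"]
    out.append("end")

    members = " ".join(f'"{n}"' for n in names)
    out += ["config firewall addrgrp",
            f'    edit "{group}"',
            f"        set member {members}",
            "    next",
            "end"]

    # Policy 1 accepts ping from the group; policy 2 denies ping from everyone
    # else. Order matters: local-in policies are matched top-down, and the
    # default action is deny, so the accept must be listed first.
    out += ["config firewall local-in-policy",
            "    edit 1",
            f'        set intf "{zone}"',
            f'        set srcaddr "{group}"',
            '        set dstaddr "all"',
            "        set action accept",
            '        set service "PING"',
            '        set schedule "always"',
            "    next",
            "    edit 2",
            f'        set intf "{zone}"',
            '        set srcaddr "all"',
            '        set dstaddr "all"',
            "        set action deny",
            '        set service "PING"',
            '        set schedule "always"',
            "    next",
            "end"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_config(SAMPLE_IP_LIST))
```

Paste the output into the CLI (or replace SAMPLE_IP_LIST with the downloaded file's contents). The interface's "allowaccess" must still include ping; the local-in policy only narrows which sources get a reply from traffic the interface already accepts. Because the deny rule is explicit, re-run the script and re-apply the config whenever the provider's IP list changes, or monitoring from any newly added address will silently stop.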
What exactly doesn't work? Please show us the entire local-in policy in the CLI and describe where it fails (on creation or at execution).
