Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR (on-premise)
- FortiNAC-F
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPresence
- FortiPortal
- FortiProxy
- FortiRecon
- FortiSRA
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Allow ping access from a specific ip only
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Allow ping access from a specific ip only
Hello everyone
the goal is that Nagios Monitoring from the Headquarter can Ping the branch Fortigates on there external Interface IP respectivley their public IP.
If i allow the "PING" Service in the GUI under -> Interfaces -> <WAN> than it works.
But then everyone may Ping my external Interface.
So i want to limit access and found the article "https://kb.fortinet.com/kb/documentLink.do?externalID=FD44156" which describes exactly what i need... but it won't work.
The Firewall is a Fortigate 100E with Version 6.0.9 Build 0335 (GA).
***** The local-in Policy as described in the KB Article ******
config firewall local-in-policy edit 1 set intf "wan2" set srcaddr "trusted-1" set dstaddr "all" set action accept set service "PING" set schedule "always" set status enable next end
while "trusted-1" == 12.12.12.12 /32 (of course i changed the original source IP)
And "wan2" is the correct interface here.
************************************************************
***** Here the syslog if i try a PING from IP 12.12.12.12******
Jun 29 12:09:54 xxxxx date=2020-06-29 time=12:09:10 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593425350 srcip=12.12.12.12 srcintf="wan2" srcintfrole="wan" dstip=34.34.34.34 dstintf="root" dstintfrole="undefined" sessionid=65326605 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
Here i see "deny and policyid=0 and policytype=local-in-policy".
************************************************************
***** Or here the log from "diagnose sniffer packet wan2 'host 12.12.12.12 and icmp' 4 0 1" ******
8.880774 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request 9.889553 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request 10.899540 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request 11.909555 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request 12.919622 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
As you see no reply is working.
************************************************************
The routing table is set correctly.
If i enable PING over GUI on the WAN2 interface, it immediately works.
So problem seems to be the local-in-policy ?!
Can anybody help me?
Someone had the same problem?
Best Regards
Danfor
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
set status disable...seen this?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ede,
oh sorry, this is just because i made some troubleshooting and copied this part after i disabled it.
Sorry, confusing.
But it doesn't work with "set status enable".
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try this ,
config firewall local-in-policy edit 1 set intf "wan1" set srcaddr "YOUR TRUSTED IP" set dstaddr "all" set action accept set service "ALL_ICMP" set schedule "always" next edit 2 set intf "wan1" set srcaddr "all" set dstaddr "all" set service "ALL_ICMP" set schedule "always" next end
I have been using this for a while now and it has always worked for me.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Oscar,
thank you for your post.
Hmmmm interesting.... actually it is still not working but:
I made the config as you described:
XXXXX (local-in-policy) # edit 1 XXXXX (1) # get policyid : 1 intf : wan2 srcaddr : "trusted-1" dstaddr : "all" action : accept service : "ALL_ICMP" schedule : always status : enable comments : XXXXX (local-in-policy) # edit 2 XXXXX (2) # get policyid : 2 intf : wan2 srcaddr : "all" dstaddr : "all" action : deny service : "ALL_ICMP" schedule : always status : enable comments :
Now in the syslog i see the same as before:
...deny, policyid=0, local-in-policy,.....
Jun 29 21:58:55 xxxxx date=2020-06-29 time=21:58:09 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460689 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67085042 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
If i disable local-policy 1 (which should allow the ping):
...deny, policyid=2, local-in-policy,..... <-- it says policyid=2
That means local-policy (2) works if i disable local-policy (1).
But local-policy (2) doesn't work if i enable local-policy (1).... instead policyid (0) is working....
Strange behavior, i guess.
Jun 29 21:59:49 xxxxx date=2020-06-29 time=21:59:03 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460743 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67087264 proto=1 action="deny" policyid=2 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
Do i have to enable local-policies configured over CLI or something like that?
Thank you people for reading and helping!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that's strange. This worked for me every time.
Another options is , create a loopback interface and add VIP to it. In policy allow ICMP only from your trusted host.
Thank You,
Oscar
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK i have the solution.
If i enable PING on the GUI the first time, everyone can now Ping this interface.
NOW i can make the configuration like Oscar. After that only "set srcaddr 'YOUR TRUSTED IP'" can Ping the Interface.
Problem solved.
My missunderstanding was that i thought as long as i enable PING on the GUI -> everyone can Ping that interface.
Furthermore i thought i need to create the local-in-policy INSTEAD of enabling the PING on the GUI.
Now i know: enabling PING on the GUI it is like activating the service.
After that i have to create local-in-policies to limit access. Than it works.
Thank you guys for helping!
Learned something again.
Greetings
Danfor
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, FortiOS is creating local-in policies for you if you enable Trusted Hosts. It's one and the same thing but TH is a shortcut config. If you enable the feature 'Local policies' in System > Features, you can see these policies.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Labels
-
FortiGate
9,797 -
FortiClient
1,998 -
FortiManager
831 -
5.2
801 -
FortiAnalyzer
644 -
5.4
639 -
FortiSwitch
538 -
FortiAP
526 -
FortiClient EMS
500 -
6.0
416 -
5.6
362 -
FortiMail
357 -
SSL-VPN
324 -
IPsec
316 -
6.2
251 -
FortiNAC
243 -
FortiAuthenticator v5.5
234 -
FortiWeb
234 -
5.0
196 -
SD-WAN
162 -
FortiGuard
155 -
FortiAuthenticator
143 -
6.4
128 -
Firewall policy
118 -
FortiGateCloud
111 -
FortiSIEM
109 -
FortiCloud Products
106 -
FortiToken
100 -
Wireless Controller
91 -
Customer Service
84 -
High Availability
75 -
FortiGate-VM
74 -
FortiProxy
72 -
ZTNA
68 -
4.0MR3
64 -
Fortivoice
64 -
FortiEDR
64 -
VLAN
64 -
Routing
61 -
DNS
61 -
FortiADC
60 -
SAML
58 -
BGP
55 -
Authentication
54 -
Certificate
52 -
FortiSandbox
51 -
RADIUS
51 -
LDAP
50 -
NAT
49 -
FortiExtender
47 -
SSO
46 -
FortiDNS
43 -
FortiLink
42 -
FortiGate v5.4
37 -
VDOM
37 -
Application control
37 -
Logging
36 -
FortiSwitch v6.4
35 -
Interface
35 -
FortiConnect
34 -
FortiWAN
31 -
Virtual IP
31 -
Web profile
30 -
FortiPAM
29 -
FortiGate v5.2
27 -
FortiConverter
27 -
SSL SSH inspection
25 -
Traffic shaping
24 -
FortiPortal
23 -
Static route
23 -
FortiGate Cloud
22 -
Automation
22 -
SSID
21 -
FortiSwitch v6.2
20 -
SNMP
20 -
FortiMonitor
19 -
WAN optimization
19 -
OSPF
17 -
API
17 -
System settings
17 -
FortiDDoS
15 -
Admin
15 -
Security profile
15 -
FortiAP profile
15 -
Web application firewall profile
15 -
IP address management - IPAM
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
IPS signature
14 -
Proxy policy
13 -
Intrusion prevention
13 -
FortiManager v4.0
12 -
Traffic shaping policy
12 -
Web rating
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Explicit proxy
11 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Users
10 -
Traffic shaping profile
10 -
Fabric connector
10 -
Port policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiDeceptor
9 -
FortiAnalyzer v5.0
9 -
RMA Information and Announcements
9 -
DNS filter
9 -
trunk
9 -
Fortinet Engage Partner Program
9 -
FortiCache
8 -
Antivirus profile
8 -
4.0
7 -
Application signature
7 -
Authentication rule and scheme
7 -
FortiToken Cloud
6 -
Packet capture
6 -
NAC policy
6 -
VoIP profile
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
Vulnerability Management
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
FortiNDR
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
File filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2316 | |
| 1256 | |
| 772 | |
| 453 | |
| 430 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.