Hello everyone
The goal is that Nagios monitoring from the headquarters can ping the branch FortiGates on their external interface IP, i.e. their public IP.
If I allow the "PING" service in the GUI under Interfaces -> <WAN>, then it works.
But then everyone may ping my external interface.
So I want to limit access and found the article "https://kb.fortinet.com/kb/documentLink.do?externalID=FD44156" which describes exactly what I need... but it won't work.
The Firewall is a Fortigate 100E with Version 6.0.9 Build 0335 (GA).
***** The local-in policy as described in the KB article *****
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "trusted-1"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
        set status enable
    next
end
where "trusted-1" == 12.12.12.12/32 (of course I changed the original source IP)
And "wan2" is the correct interface here.
************************************************************
***** Here the syslog if I try a PING from IP 12.12.12.12 *****
Jun 29 12:09:54 xxxxx date=2020-06-29 time=12:09:10 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593425350 srcip=12.12.12.12 srcintf="wan2" srcintfrole="wan" dstip=34.34.34.34 dstintf="root" dstintfrole="undefined" sessionid=65326605 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
Here I see action="deny", policyid=0 and policytype="local-in-policy".
************************************************************
***** Or here the log from "diagnose sniffer packet wan2 'host 12.12.12.12 and icmp' 4 0 1" *****
8.880774 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
9.889553 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
10.899540 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
11.909555 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
12.919622 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
As you can see, no reply is coming back.
************************************************************
The routing table is set correctly.
If I enable PING over the GUI on the WAN2 interface, it immediately works.
So the problem seems to be the local-in-policy?!
Can anybody help me?
Has someone had the same problem?
Best Regards
Danfor
set status disable...seen this?
Hi Ede,
Oh sorry, this is just because I did some troubleshooting and copied this part after I disabled it.
Sorry, confusing.
But it doesn't work with "set status enable".
Hi,
Try this,
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "YOUR TRUSTED IP"
        set dstaddr "all"
        set action accept
        set service "ALL_ICMP"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL_ICMP"
        set schedule "always"
    next
end
I have been using this for a while now and it has always worked for me.
Hi Oscar,
Thank you for your post.
Hmmmm, interesting.... actually it is still not working, but:
I made the config as you described:
XXXXX (local-in-policy) # edit 1
XXXXX (1) # get
policyid            : 1
intf                : wan2
srcaddr             : "trusted-1"
dstaddr             : "all"
action              : accept
service             : "ALL_ICMP"
schedule            : always
status              : enable
comments            :
XXXXX (local-in-policy) # edit 2
XXXXX (2) # get
policyid            : 2
intf                : wan2
srcaddr             : "all"
dstaddr             : "all"
action              : deny
service             : "ALL_ICMP"
schedule            : always
status              : enable
comments            :
Now in the syslog I see the same as before:
...deny, policyid=0, local-in-policy,.....
Jun 29 21:58:55 xxxxx date=2020-06-29 time=21:58:09 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460689 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67085042 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
If I disable local-policy 1 (which should allow the ping):
...deny, policyid=2, local-in-policy,..... <-- it says policyid=2
That means local-policy (2) works if I disable local-policy (1).
But local-policy (2) doesn't work if I enable local-policy (1).... instead policyid (0) is working....
Strange behavior, I guess.
Jun 29 21:59:49 xxxxx date=2020-06-29 time=21:59:03 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460743 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67087264 proto=1 action="deny" policyid=2 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
Do I have to enable local policies configured over the CLI or something like that?
Thank you people for reading and helping!
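Reading these logs by hand is error-prone, so here is an added helper (not from the thread or from Fortinet) that parses FortiGate key=value "local" traffic logs like the ones above and states what the policyid means: 0 for a local-in deny means no configured local-in policy matched (in this thread, because ping was not yet enabled on the interface), while a non-zero id names the matching policy. The log lines are constructed samples in the same format, with sample addresses and a sample device name.

```python
import re
from typing import Dict, List

# Constructed sample lines in the format of the FortiGate local traffic logs
# quoted in this thread (sample addresses and device name, not real values).
SAMPLE_LOGS = [
    'date=2020-06-29 time=12:09:10 devname="fgt-sample" type="traffic" subtype="local" '
    'srcip=12.12.12.12 srcintf="wan2" dstip=34.34.34.34 dstintf="root" proto=1 '
    'action="deny" policyid=0 policytype="local-in-policy" service="PING"',
    'date=2020-06-29 time=21:59:03 devname="fgt-sample" type="traffic" subtype="local" '
    'srcip=12.12.12.12 srcintf="wan2" dstip=34.34.34.34 dstintf="root" proto=1 '
    'action="deny" policyid=2 policytype="local-in-policy" service="PING"',
    'date=2020-06-29 time=22:10:00 devname="fgt-sample" type="traffic" subtype="local" '
    'srcip=12.12.12.12 srcintf="wan2" dstip=34.34.34.34 dstintf="root" proto=1 '
    'action="accept" policyid=1 policytype="local-in-policy" service="PING"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a dict; quoted values lose their quotes."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def explain_local_in(fields: Dict[str, str]) -> str:
    """Give a one-line reading of a local-in-policy traffic log."""
    if fields.get("subtype") != "local" or fields.get("policytype") != "local-in-policy":
        return "not a local-in-policy log"
    pid = int(fields.get("policyid", "0"))
    src, intf, svc = fields.get("srcip"), fields.get("srcintf"), fields.get("service")
    if fields.get("action") == "accept":
        return f"{svc} from {src} on {intf} accepted by local-in policy {pid}"
    if pid == 0:
        # policyid=0 means no configured local-in policy matched; in this thread the
        # cause was that the service (ping) was not enabled on the interface at all.
        return (f"{svc} from {src} on {intf} denied with policyid=0: no local-in policy "
                f"matched, check whether {svc} is enabled on {intf}")
    return f"{svc} from {src} on {intf} denied by local-in policy {pid}"


def summarize(lines: List[str]) -> List[str]:
    """Explain every line of a log excerpt."""
    return [explain_local_in(parse_fortigate_log(l)) for l in lines]
```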
That's strange. This worked for me every time.
Another option is to create a loopback interface and add a VIP to it. In the policy, allow ICMP only from your trusted host.
Thank You,
Oscar
OK, I have the solution.
If I enable PING on the GUI the first time, everyone can now ping this interface.
NOW I can make the configuration like Oscar. After that only "set srcaddr 'YOUR TRUSTED IP'" can ping the interface.
Problem solved.
My misunderstanding was that I thought as long as I enable PING on the GUI, everyone can ping that interface.
Furthermore I thought I needed to create the local-in-policy INSTEAD of enabling PING on the GUI.
Now I know: enabling PING on the GUI is like activating the service.
After that I have to create local-in-policies to limit access. Then it works.
Thank you guys for helping!
Learned something again.
Greetings
Danfor
Actually, FortiOS creates local-in policies for you if you enable Trusted Hosts. It's one and the same thing, but TH is a shortcut config. If you enable the feature 'Local policies' in System > Features, you can see these policies.