Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum this December to earn your exclusive Holiday Badge! Become a member today.
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Allow ping access from a specific ip only
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Allow ping access from a specific ip only
Hello everyone
the goal is that Nagios Monitoring from the Headquarter can Ping the branch Fortigates on there external Interface IP respectivley their public IP.
If i allow the "PING" Service in the GUI under -> Interfaces -> <WAN> than it works.
But then everyone may Ping my external Interface.
So i want to limit access and found the article "https://kb.fortinet.com/kb/documentLink.do?externalID=FD44156" which describes exactly what i need... but it won't work.
The Firewall is a Fortigate 100E with Version 6.0.9 Build 0335 (GA).
***** The local-in Policy as described in the KB Article ******
config firewall local-in-policy edit 1 set intf "wan2" set srcaddr "trusted-1" set dstaddr "all" set action accept set service "PING" set schedule "always" set status enable next end
while "trusted-1" == 12.12.12.12 /32 (of course i changed the original source IP)
And "wan2" is the correct interface here.
************************************************************
***** Here the syslog if i try a PING from IP 12.12.12.12******
Jun 29 12:09:54 xxxxx date=2020-06-29 time=12:09:10 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593425350 srcip=12.12.12.12 srcintf="wan2" srcintfrole="wan" dstip=34.34.34.34 dstintf="root" dstintfrole="undefined" sessionid=65326605 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
Here i see "deny and policyid=0 and policytype=local-in-policy".
************************************************************
***** Or here the log from "diagnose sniffer packet wan2 'host 12.12.12.12 and icmp' 4 0 1" ******
8.880774 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request 9.889553 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request 10.899540 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request 11.909555 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request 12.919622 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
As you see no reply is working.
************************************************************
The routing table is set correctly.
If i enable PING over GUI on the WAN2 interface, it immediately works.
So problem seems to be the local-in-policy ?!
Can anybody help me?
Someone had the same problem?
Best Regards
Danfor
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
set status disable...seen this?
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ede,
oh sorry, this is just because i made some troubleshooting and copied this part after i disabled it.
Sorry, confusing.
But it doesn't work with "set status enable".
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try this ,
config firewall local-in-policy edit 1 set intf "wan1" set srcaddr "YOUR TRUSTED IP" set dstaddr "all" set action accept set service "ALL_ICMP" set schedule "always" next edit 2 set intf "wan1" set srcaddr "all" set dstaddr "all" set service "ALL_ICMP" set schedule "always" next end
I have been using this for a while now and it has always worked for me.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Oscar,
thank you for your post.
Hmmmm interesting.... actually it is still not working but:
I made the config as you described:
XXXXX (local-in-policy) # edit 1 XXXXX (1) # get policyid : 1 intf : wan2 srcaddr : "trusted-1" dstaddr : "all" action : accept service : "ALL_ICMP" schedule : always status : enable comments : XXXXX (local-in-policy) # edit 2 XXXXX (2) # get policyid : 2 intf : wan2 srcaddr : "all" dstaddr : "all" action : deny service : "ALL_ICMP" schedule : always status : enable comments :
Now in the syslog i see the same as before:
...deny, policyid=0, local-in-policy,.....
Jun 29 21:58:55 xxxxx date=2020-06-29 time=21:58:09 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460689 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67085042 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
If i disable local-policy 1 (which should allow the ping):
...deny, policyid=2, local-in-policy,..... <-- it says policyid=2
That means local-policy (2) works if i disable local-policy (1).
But local-policy (2) doesn't work if i enable local-policy (1).... instead policyid (0) is working....
Strange behavior, i guess.
Jun 29 21:59:49 xxxxx date=2020-06-29 time=21:59:03 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460743 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67087264 proto=1 action="deny" policyid=2 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
Do i have to enable local-policies configured over CLI or something like that?
Thank you people for reading and helping!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that's strange. This worked for me every time.
Another options is , create a loopback interface and add VIP to it. In policy allow ICMP only from your trusted host.
Thank You,
Oscar
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK i have the solution.
If i enable PING on the GUI the first time, everyone can now Ping this interface.
NOW i can make the configuration like Oscar. After that only "set srcaddr 'YOUR TRUSTED IP'" can Ping the Interface.
Problem solved.
My missunderstanding was that i thought as long as i enable PING on the GUI -> everyone can Ping that interface.
Furthermore i thought i need to create the local-in-policy INSTEAD of enabling the PING on the GUI.
Now i know: enabling PING on the GUI it is like activating the service.
After that i have to create local-in-policies to limit access. Than it works.
Thank you guys for helping!
Learned something again.
Greetings
Danfor
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, FortiOS is creating local-in policies for you if you enable Trusted Hosts. It's one and the same thing but TH is a shortcut config. If you enable the feature 'Local policies' in System > Features, you can see these policies.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- Redistribute BGP-TO-OSPF using route map 31 Views
- Event log when modify, crete, add... 66 Views
- Forticlient VPN connect issue 103 Views
- Trouble with dual wan setup 345 Views
- adding second tier group of switches... 72 Views
Labels
-
FortiGate
5,093 -
FortiClient
1,036 -
5.2
801 -
5.4
639 -
FortiManager
475 -
6.0
416 -
5.6
362 -
FortiAnalyzer
326 -
6.2
251 -
FortiSwitch
240 -
FortiAP
237 -
FortiClient EMS
205 -
FortiAuthenticator
198 -
5.0
196 -
FortiMail
196 -
6.4
128 -
FortiWeb
112 -
FortiGuard
80 -
FortiGateCloud
77 -
FortiSIEM
70 -
FortiCloud Products
66 -
FortiNAC
66 -
4.0MR3
64 -
FortiToken
53 -
Customer Service
53 -
Wireless Controller
42 -
FortiADC
35 -
FortiProxy
30 -
FortiDNS
30 -
FortiGate v5.4
29 -
Fortivoice
29 -
FortiEDR
26 -
FortiSwitch v6.4
25 -
FortiConnect
25 -
FortiExtender
25 -
FortiSandbox
23 -
FortiConverter
18 -
FortiWAN
17 -
FortiSwitch v6.2
14 -
FortiMonitor
11 -
FortiPortal
11 -
FortiGate v5.2
10 -
FortiCASB
10 -
FortiManager v5.0
9 -
FortiDDoS
9 -
4.0MR2
9 -
FortiSOAR
7 -
FortiGate v5.0
7 -
FortiAnalyzer v5.0
7 -
FortiRecorder
7 -
4.0
7 -
RMA Information and Announcements
5 -
FortiBridge
5 -
FortiCarrier
4 -
3.6
4 -
FortiManager v4.0
4 -
FortiWeb v5.0
3 -
FortiDirector
3 -
FortiCache
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
FortiAI
2 -
FortiTester
2 -
FortiScan
2 -
FortiGate v4.0 MR3
2 -
4.0MR1
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiHypervisor
1 -
FortiNDR
1 -
FortiManager-VM
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.