Allow ping access from a specific IP only
Hello everyone,
the goal is that Nagios monitoring from the headquarters can ping the branch FortiGates on their external interface IP, respectively their public IP.
If I allow the "PING" service in the GUI under Interfaces -> <WAN>, then it works.
But then everyone may ping my external interface.
So I want to limit access and found the article "https://kb.fortinet.com/kb/documentLink.do?externalID=FD44156" which describes exactly what I need... but it won't work.
The firewall is a FortiGate 100E with version 6.0.9 build 0335 (GA).
***** The local-in Policy as described in the KB Article ******
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "trusted-1"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
        set status enable
    next
end
where "trusted-1" == 12.12.12.12/32 (of course I changed the original source IP)
And "wan2" is the correct interface here.
************************************************************
***** Here the syslog if I try a PING from IP 12.12.12.12 ******
Jun 29 12:09:54 xxxxx date=2020-06-29 time=12:09:10 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593425350 srcip=12.12.12.12 srcintf="wan2" srcintfrole="wan" dstip=34.34.34.34 dstintf="root" dstintfrole="undefined" sessionid=65326605 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
Here I see "deny and policyid=0 and policytype=local-in-policy".
************************************************************
***** Or here the log from "diagnose sniffer packet wan2 'host 12.12.12.12 and icmp' 4 0 1" ******
8.880774 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
9.889553 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
10.899540 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
11.909555 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
12.919622 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
As you see, no reply is coming back.
************************************************************
The routing table is set correctly.
If I enable PING over the GUI on the WAN2 interface, it immediately works.
So the problem seems to be the local-in policy?!
Can anybody help me?
Has someone had the same problem?
Best Regards
Danfor

set status disable... seen this?

Hi Ede,
oh sorry, this is just because I did some troubleshooting and copied this part after I disabled it.
Sorry, confusing.
But it doesn't work with "set status enable".

Hi,
Try this,
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "YOUR TRUSTED IP"
        set dstaddr "all"
        set action accept
        set service "ALL_ICMP"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL_ICMP"
        set schedule "always"
    next
end
I have been using this for a while now and it has always worked for me.

Hi Oscar,
thank you for your post.
Hmmmm interesting.... actually it is still not working, but:
I made the config as you described:
XXXXX (local-in-policy) # edit 1
XXXXX (1) # get
policyid            : 1
intf                : wan2
srcaddr             : "trusted-1"
dstaddr             : "all"
action              : accept
service             : "ALL_ICMP"
schedule            : always
status              : enable
comments            :
XXXXX (local-in-policy) # edit 2
XXXXX (2) # get
policyid            : 2
intf                : wan2
srcaddr             : "all"
dstaddr             : "all"
action              : deny
service             : "ALL_ICMP"
schedule            : always
status              : enable
comments            :
Now in the syslog I see the same as before:
...deny, policyid=0, local-in-policy,.....
Jun 29 21:58:55 xxxxx date=2020-06-29 time=21:58:09 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460689 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67085042 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
If I disable local-in policy 1 (which should allow the ping):
...deny, policyid=2, local-in-policy,..... <-- it says policyid=2
That means local-in policy (2) works if I disable local-in policy (1).
But local-in policy (2) doesn't work if I enable local-in policy (1).... instead policyid (0) is working....
Strange behavior, I guess.
Jun 29 21:59:49 xxxxx date=2020-06-29 time=21:59:03 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460743 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67087264 proto=1 action="deny" policyid=2 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
Do I have to enable local-in policies configured over the CLI or something like that?
Thank you people for reading and helping!
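As an added example (not from the thread or from Fortinet), a small Python parser over constructed log lines modelled on the type=traffic subtype=local records quoted above: it separates denies that carry policyid=0 (no configured local-in policy matched, which in this thread was the interface not yet having PING enabled) from verdicts made by an explicit local-in policy, and flags when the trusted monitoring host is still denied or an untrusted source is accepted. Device names, addresses and the trusted IP set are placeholders.

```python
import re

# Constructed sample records (placeholder addresses) in the same key=value
# layout FortiOS 6.0 writes for traffic to the FortiGate itself. Line 1
# mirrors the policyid=0 deny from the thread, line 2 the policyid=2 deny.
SAMPLE_LOG = """\
date=2020-06-29 time=12:09:10 devname="fgt-branch" type="traffic" subtype="local" srcip=12.12.12.12 srcintf="wan2" dstip=34.34.34.34 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING"
date=2020-06-29 time=21:59:03 devname="fgt-branch" type="traffic" subtype="local" srcip=12.12.12.12 srcintf="wan2" dstip=34.34.34.34 proto=1 action="deny" policyid=2 policytype="local-in-policy" service="PING"
date=2020-06-29 time=22:01:00 devname="fgt-branch" type="traffic" subtype="local" srcip=203.0.113.7 srcintf="wan2" dstip=34.34.34.34 proto=1 action="deny" policyid=2 policytype="local-in-policy" service="PING"
date=2020-06-29 time=22:02:00 devname="fgt-branch" type="traffic" subtype="local" srcip=12.12.12.12 srcintf="wan2" dstip=34.34.34.34 proto=1 action="accept" policyid=1 policytype="local-in-policy" service="PING"
date=2020-06-29 time=22:03:00 devname="fgt-branch" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=10.0.1.9 proto=6 action="accept" policyid=7 policytype="policy" service="HTTPS"
"""

# FortiOS log values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortilog(line):
    """Return one FortiOS log line as a dict with the quotes stripped."""
    out = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def audit_icmp_local_in(log_text, trusted):
    """Walk the local-in ICMP events and return (srcip, policyid, action, note).

    policyid=0 means no configured local-in policy matched, so the verdict came
    from the interface itself (in the thread: PING not enabled in allowaccess).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_fortilog(line)
        if rec.get("subtype") != "local" or rec.get("proto") != "1":
            continue  # only ICMP addressed to the FortiGate itself
        src, action = rec.get("srcip"), rec.get("action")
        pid = int(rec.get("policyid", "0"))
        if pid == 0:
            note = "no local-in policy matched (interface allowaccess decided)"
        else:
            note = f"decided by local-in policy {pid}"
        if src in trusted and action == "deny":
            note += "; ALERT trusted monitor denied"
        elif src not in trusted and action == "accept":
            note += "; ALERT untrusted source accepted"
        findings.append((src, pid, action, note))
    return findings


if __name__ == "__main__":
    for finding in audit_icmp_local_in(SAMPLE_LOG, {"12.12.12.12"}):
        print(*finding)
```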

That's strange. This worked for me every time.
Another option is to create a loopback interface and add a VIP to it. In the policy, allow ICMP only from your trusted host.
Thank You,
Oscar

OK, I have the solution.
If I enable PING on the GUI the first time, everyone can now ping this interface.
NOW I can make the configuration like Oscar. After that only "set srcaddr 'YOUR TRUSTED IP'" can ping the interface.
Problem solved.
My misunderstanding was that I thought as long as I enable PING on the GUI, everyone can ping that interface.
Furthermore I thought I needed to create the local-in policy INSTEAD of enabling PING on the GUI.
Now I know: enabling PING on the GUI is like activating the service.
After that I have to create local-in policies to limit access. Then it works.
Thank you guys for helping!
Learned something again.
Greetings
Danfor

Actually, FortiOS is creating local-in policies for you if you enable Trusted Hosts. It's one and the same thing, but TH is a shortcut config. If you enable the feature 'Local policies' in System > Features, you can see these policies.
