config firewall interface-policy
    edit 1
        set interface "wan1"
        set srcaddr "Monitor1"
        set dstaddr "all"
        set service "PING"
    next
end

Thanks.
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
config firewall local-in-policy
    edit 1
        set action accept
        set intf "wan1"
        set srcaddr "Monitor1"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
        set status enable
    next
end

...then create another local-in-policy below that to block pings from other sources.

Edit: sorry, I think I misread your post. If you want to give ping access to a small group of addresses on the inside (pinging out), your policy should look something like this:
config firewall policy
    edit 1
        set action accept
        set srcintf "internal"
        set srcaddr "Monitor1"
        set dstintf "WAN1"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
    next
end

Then create another firewall policy below that to block ping access. Move both fw policies up the fw chain so they will get executed.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
"you're playing with Interface policies? Nice idea, one of the lesser used methods in FortiOS."

Ede, I had trouble getting my interface policy to work, so I switched to using a local-in policy. In hindsight, I think I used the wrong srcaddr group accidentally (I had two that had similar names), so using an interface policy might still have been a workable way to go here. That's one of the great things about the Fortigate...the CLI is complex enough that it gives you the freedom to come up with multiple solutions.
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
PCNSE / NSE / StrongSwan
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MonitorGroup1"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
    next
end

The second policy has an implied/default deny action, so it does not show. Thanks again.
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
"Now that I know what you were after I know you had to use local-in policies. They control traffic to and from the FGT itself, whereas interface and regular policies control traffic through the fortigate."

Ede, thank you. I think that's the best description of local-in policies I've read. Since my ping setup is now working with local-in policies, I don't want to try tinkering with interface policies on my live box. But if you test, please let me know :)
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
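The following is an added example, not from any post in this thread and not from Fortinet's documentation. It pulls together the working setup Bill posted (allowaccess on wan1 plus two local-in policies) and Ede's point that local-in policies govern traffic to the FortiGate itself, and adds the pieces a practitioner would want to see: the address objects and group behind "MonitorGroup1", an explicit deny on the catch-all entry, and the CLI checks used to confirm what the box does with an incoming ping. The monitor addresses (203.0.113.10 and .11) are constructed documentation-range values; the `#` lines are explanatory comments for the reader.

```fortios
# Allow ICMP echo to the FortiGate's own wan1 address only from a named
# monitoring group; deny it from every other source.
# Addresses below are constructed (RFC 5737 documentation range).
config firewall address
    edit "Monitor1"
        set type ipmask
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "Monitor2"
        set type ipmask
        set subnet 203.0.113.11 255.255.255.255
    next
end

config firewall addrgrp
    edit "MonitorGroup1"
        set member "Monitor1" "Monitor2"
    next
end

# The interface must still listen for ping. "append" adds ping without
# overwriting services already in allowaccess (https, ssh, ...), which a
# plain "set allowaccess ping" would silently remove.
config system interface
    edit "wan1"
        append allowaccess ping
    next
end

# Local-in policies are evaluated top-down, first match wins, so the accept
# entry needs the lower ID. Deny is the default action for local-in-policy;
# stating it explicitly makes the intent visible in "show" output and backups.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MonitorGroup1"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "PING"
        set schedule "always"
        set status enable
    next
end

# Verification: watch ICMP arriving on wan1, then trace how the FortiGate
# disposes of it (the flow trace reports local-in accept/drop decisions).
diagnose sniffer packet wan1 'icmp' 4 10
diagnose debug flow filter proto 1
diagnose debug flow trace start 10
diagnose debug enable
# ... send a ping from a group member and from a non-member, compare ...
diagnose debug flow trace stop
diagnose debug disable
```

Two points worth keeping in mind with this layout. The catch-all deny matches only the PING service, so management services you have enabled in allowaccess (HTTPS, SSH) are untouched by it; if those should also be limited to the monitoring group, they need their own local-in entries in the same accept-then-deny order. And because local-in policies only see traffic addressed to the FortiGate, a ping that should traverse the box to a host behind it is governed by the regular firewall policy table instead, which is the distinction the thread arrives at.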