Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jlax
New Contributor

Block external ip's from reaching VPN ports

Hi!

Fortigate 60D with 5.6.7

 

I have a some malicious attempts to connect to VPN/IPSec and I would like these ip addresses blocked before reaching ports 500 and 4500.

How can I block/deny certain ip addresses? I have tried Local-In policy but it does not seem to have an affect when I try myself from an external host. Is Local-In policy able to block like I want and is config correct (see attched photo)?

 

Thanks!

 

Regards

Jlax

3 REPLIES 3
ede_pfau
SuperUser
SuperUser

That's what I do, and it does have an effect:

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "VPN_origin_countries"
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
    next
end
It uses whitelisting which is easier for me as I don't have to collect bad addresses in the first place. Be sure to deny-all (policy2) one specific service only, or you will lose remote access etc.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
jlax
New Contributor

If I do a whitelist instead then I have to populate ip's from all Forticlient users?

Thanks again!

jlax
New Contributor

I have tried your whitelist and it sure works. I might use that :)

 

Thanks!

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors