Hello,
We recently set up a Fortigate 6.2.5 device and set up IPsec VPN for external access for our co-workers.
Now, I would like to block all incoming external traffic (or at least restrict ports and so on), but I could not figure out which interface I should add the rules to.
I have tried adding some restrictions to WAN1 (incoming interface) > Internal (outgoing interface), but it does not seem to work: the blocking rules are ignored, and no traffic goes through the new rules.
In our previous router (from a different brand), I could simply apply a rule to the WAN1 interface, and that's all. What incoming/outgoing interface should be set to restrict the incoming external traffic?
Thank you for any help!
hi,
I have difficulties in understanding your question.
Policies control the traffic between pairs of interfaces, or rather, the networks attached to the interfaces. The WAN is one, and your LAN is another network. Per default, no traffic at all is allowed between networks ("whitelisting" model). If you want to allow some traffic, write a policy for the interface pair involved.
For example, you want to allow traffic from remote workers inbound to a LAN server. For IPsec VPN, the source interface is the dial-in VPN (the interface has the same name as the phase1); for SSLVPN, it's "SSL-VPN". The destination interface is "lan" or "port1", whatever you chose to use for this. Then you create address objects for the networks, or single server addresses (a.b.c.d/32), and specify the service(s) allowed. That's all.
Usually, you do not have direct access to internal networks from WAN. That's what VPN is for.
A totally different topic is how you would prevent WAN traffic from reaching the FGT itself. Sometimes, if the FGT is under constant attack, you exclude single addresses, or even countries, from accessing the FGT. This is done in Local policies. These can be useful, but are not really common in reality (YMMV).
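The interface-pair policy and the local-in policy described above, written out as FortiOS 6.2 CLI as an added example (not from the original post or from Fortinet). The phase1/tunnel name "RemoteAccess_VPN", the interface names "lan" and "wan1", the VPN client pool 10.212.134.0/24 and the server 192.168.1.10 are assumed placeholders; substitute your own.

```text
# --- Address objects for the remote-worker pool and the LAN server ---
config firewall address
    edit "VPN_CLIENT_POOL"
        set subnet 10.212.134.0 255.255.255.0      # assumed IPsec client pool
    next
    edit "SRV_FILES"
        set subnet 192.168.1.10 255.255.255.255    # assumed LAN server (/32)
    next
end

# --- Forward policy: dial-in IPsec tunnel -> LAN, only the needed services ---
# The source interface is the tunnel (same name as the phase1), NOT wan1:
# VPN traffic enters the FortiGate on the tunnel interface after decryption.
# Nothing else is needed to "block WAN -> LAN": with no wan1 -> lan policy,
# that traffic is already implicitly denied.
config firewall policy
    edit 0                                 # 0 = next free policy ID
        set name "VPN-to-FileServer"
        set srcintf "RemoteAccess_VPN"     # assumed phase1 / tunnel name
        set dstintf "lan"                  # assumed LAN interface name
        set srcaddr "VPN_CLIENT_POOL"
        set dstaddr "SRV_FILES"
        set action accept
        set schedule "always"
        set service "SMB" "RDP"            # predefined service objects
        set logtraffic all                 # log for monitoring/IR
    next
end

# --- Local-in policy: traffic aimed at the FortiGate itself on wan1 ---
# Keeps management protocols off the WAN side. Do not deny IKE (UDP 500/4500)
# or ESP here, or the IPsec tunnel will stop coming up.
config firewall local-in-policy
    edit 1
        set intf "wan1"                    # assumed WAN interface name
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
```

After applying, check the policy with "diagnose firewall iprope lookup" or the logs in Log & Report > Forward Traffic; local-in policies are CLI-only unless enabled under System > Feature Visibility.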
How about working with a local-in policy? Please see the link below for reference.
Cookbook | FortiGate / FortiOS 6.2.10 | Fortinet Documentation Library