Vanessa6
New Contributor

Block suspicious vpn ip address

Hi guys, I'm new to this forum and therefore: hello to everybody! I'm a bit confused right now and wonder if I could pick your brains? I recognized that somebody is trying to establish an IPsec VPN connection to our FortiGate. We don't know who it is and I want to block it. Of course the connection doesn't work because there is no configuration for that. But how can I block this suspicious IP address? I think it's not possible to configure this with a policy. Can you please help me out with that? Thanks a lot! Vanessa
emnoc
Esteemed Contributor III

You can look at a local firewall policy. I guess you see IKE 500/udp requests coming in? I wouldn't worry about it personally. It could be someone has made a typo. Heck, I've done this a few times. Either way, a policy similar to this should work.

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "x.x.x.x"
        set dstaddr "y.y.y.y"
        set service "IKE"
        set schedule "always"
    next
end

PCNSE NSE StrongSwan
CodeTron
New Contributor III

Why did you not set the action to deny?

Thanks

ede_pfau
SuperUser

Hi, and welcome to the forums. (Ken, manners! In a hurry?) Local-In policies were only introduced in FortiOS v5. If you are going down this path you might as well define the service as "ALL" (or is it "any" now?) and not bother much about the actual destination port. Unless you know the other side, that is. And I agree that I would block these attempts as well if they are numerous enough. Setting up IPsec negotiations not only clobbers the logs but takes up resources of the FGT as well.
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

"Local-In policies were only introduced in FortiOS v5" Ede, are you sure about the above? I've seen local-policy support in 4.0 MR3p18 but never deployed them as of yet.

ede_pfau
SuperUser

I stand corrected - I'm running 4.3.17 and they are indeed included but CLI-only. I've never thought of looking for it though. And thanks for the hint that 4.3.18 has been published, only 3 weeks after 4.3.17. Nice they keep me busy lately with updates...
Ede Kernel panic: Aiee, killing interrupt handler!
Vanessa6
New Contributor

Thank you, emnoc. This is exactly what I was looking for. I have tried it and it works fine! Vanessa
Vanessa6
New Contributor

Oh, sorry, I missed the other posts. Well, the local-in-policy works for us. Thank you.
emnoc
Esteemed Contributor III

"I stand corrected - I'm running 4.3.17 and they are indeed included but CLI-only. I've never thought of looking for it though. And thanks for the hint that 4.3.18 has been published, only 3 weeks after 4.3.17. Nice they keep me busy lately with updates..."
No thank selective, he hinted to me p18 was out about 2 weeks ago. I never bothered to look for anything else in that major release & thought Fortinet was terminating any new builds under that tree. Vanessa, yes, the local-policy should work for you. Just give it a try and see where it leads and if it fixes the problem for you.

CodeTron
New Contributor III

Hi,

I have the same thing as Vanessa's, but when setting up the local-policy it doesn't accept the action 'block'.

Any idea why?

Thank you
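As an added editor's example (not a post from this thread and not code from emnoc or Fortinet documentation), here is emnoc's local-in policy written out with the action stated explicitly. It also addresses CodeTron's last question: the keyword the FortiOS CLI accepts for a local-in policy is `deny`, not `block`. The address object names and the IP addresses are constructed placeholders from the RFC 5737 documentation ranges; substitute the unwanted peer's address and your own WAN address.

```fortios
# Added example, not from the thread. Drops unsolicited IKE from one
# source before the FortiGate's IKE daemon ever sees it.
# 203.0.113.10 and 198.51.100.1 are constructed placeholder addresses.

# 1. Address objects for the unwanted peer and our own WAN IP, so the
#    policy reads clearly and the address can be reused elsewhere.
config firewall address
    edit "unwanted-ike-peer"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "our-wan-ip"
        set subnet 198.51.100.1 255.255.255.255
    next
end

# 2. Local-in policy. "set action deny" is the accepted form; "block"
#    is not a valid value, which is the error CodeTron ran into.
#    IKE negotiates on UDP 500 and, behind NAT (NAT-T), on UDP 4500;
#    the predefined "IKE" service used in emnoc's policy covers both,
#    so a NAT-traversal peer is dropped as well.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "unwanted-ike-peer"
        set dstaddr "our-wan-ip"
        set service "IKE"
        set schedule "always"
        set action deny
    next
end
```

To confirm the peer is the one you think it is before and after applying the policy, the built-in sniffer can be filtered to that host and the two IKE ports, for example `diagnose sniffer packet wan1 'host 203.0.113.10 and (udp port 500 or udp port 4500)' 4 10`. The sniffer shows what arrives on the interface, so packets will still appear there after the deny policy is in place; what changes is that the IKE daemon no longer logs failed negotiations for them, which is the resource and log-noise point Ede raised.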
