Block suspicious vpn ip address
Hi guys,
I'm new to this forum and therefore: hello to everybody!
I'm a bit confused right now and wonder if I could pick your brains?
I recognized that somebody is trying to establish an ipsec-vpn connection to our Fortigate. We don't know who it is and I want to block it. Of course the connection doesn't work because there is no configuration for that.
But how can I block this suspicious ip address? I think it's not possible to configure this with a policy.
Can you please help me out with that?
Thanks a lot!
Vanessa
You can look at a local firewall policy. I guess you see ike 500/udp requests coming in? I wouldn't worry about it personally. It could be someone has made a typo. Heck, I've done this a few times.
Either way, a policy similar to this should work.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "x.x.x.x"
        set dstaddr "y.y.y.y"
        set service "IKE"
        set schedule "always"
    next
end
PCNSE
NSE
StrongSwan
Why did you not set the action to deny?
Thanks
hi,
and welcome to the forums. (Ken, manners! In a hurry?)
Local-In policies were only introduced in FortiOS v5. If you are going down this path you might as well define the service as "ALL" (or is it "any" now?) and not bother much about the actual destination port. Unless you know the other side, that is.
And I agree that I would block these attempts as well if they are numerous enough. Setting up IPsec negotiations not only clobbers the logs but takes up resources of the FGT as well.
Ede Kernel panic: Aiee, killing interrupt handler!
Local-In policies were only introduced in FortiOS v5
Ede, are you sure about the above? I've seen local-policies support in 4.0 MR3p18 but never deployed them as of yet.
PCNSE
NSE
StrongSwan
I stand corrected - I'm running 4.3.17 and they are indeed included but CLI-only. I've never thought of looking for it though.
And thanks for the hint that 4.3.18 has been published, only 3 weeks after 4.3.17. Nice they keep me busy lately with updates...
Ede Kernel panic: Aiee, killing interrupt handler!
Thank you, emnoc.
This is exactly what I was looking for. I have tried it and it works fine!
Vanessa
Oh, sorry, I missed the other posts. Well, the local-in-policy works for us.
Thank you.
I stand corrected - I'm running 4.3.17 and they are indeed included but CLI-only. I've never thought of looking for it though. And thanks for the hint that 4.3.18 has been published, only 3 weeks after 4.3.17. Nice they keep me busy lately with updates...
No, thank selective, he hinted to me p18 was out about 2 weeks ago. I never bother to look for anything else in that major release & thought Fortinet was terminating any new builds under that tree.
Vanessa, yes the local-policy should work for you. Just give it a try and see where it leads and if it fixes the problem for you.
PCNSE
NSE
StrongSwan
Hi,
I have the same thing as Vanessa's but when setting up the local-policy, it doesn't accept the action 'block'.
Any idea why?
Thank you
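The local-in-policy approach from this thread, as an added example that is not part of any post: a Python script that counts failed IPsec negotiations per source in exported log lines and renders address objects plus local-in-policy entries with an explicit `set action deny`. The log lines are constructed, and their field names (`subtype`, `remip`, `status`), the `blk-` object names and the threshold are assumptions to adapt to your own logs.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample lines in key=value style; field names are assumptions.
SAMPLE_LOG = """\
date=2014-03-01 time=10:00:01 subtype=ipsec remip=203.0.113.50 status=negotiate_error
date=2014-03-01 time=10:00:09 subtype=ipsec remip=203.0.113.50 status=negotiate_error
date=2014-03-01 time=10:01:30 subtype=ipsec remip=198.51.100.7 status=negotiate_error
date=2014-03-01 time=10:02:11 subtype=ipsec remip=203.0.113.50 status=negotiate_error
date=2014-03-01 time=10:02:40 subtype=ipsec remip=192.0.2.10 status=success
date=2014-03-01 time=10:03:02 subtype=ipsec remip=not-an-ip status=negotiate_error
date=2014-03-01 time=10:03:15 subtype=ipsec remip=203.0.113.50 status=negotiate_error
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def failed_ike_sources(log_text, threshold=3):
    """Return source IPs with at least `threshold` failed IPsec negotiations."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("subtype") != "ipsec" or fields.get("status") != "negotiate_error":
            continue
        try:
            counts[str(IPv4Address(fields.get("remip", "")))] += 1
        except ValueError:
            continue  # missing or malformed address: skip the line
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def local_in_deny(sources, intf="wan1", first_id=1):
    """Render address objects and local-in-policy deny entries for `sources`."""
    out = ["config firewall address"]
    for ip in sources:  # srcaddr refers to an address object, so create one per IP
        out += [f'    edit "blk-{ip}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    out += ["end", "config firewall local-in-policy"]
    for n, ip in enumerate(sources, start=first_id):
        out += [f"    edit {n}", f'        set intf "{intf}"',
                f'        set srcaddr "blk-{ip}"', '        set dstaddr "all"',
                "        set action deny",  # the keyword is deny, as named in the thread
                '        set service "IKE"', '        set schedule "always"', "    next"]
    out.append("end")
    return "\n".join(out)

if __name__ == "__main__":
    print(local_in_deny(failed_ike_sources(SAMPLE_LOG)))
```

Review the rendered stanza before pasting it into the CLI, and pick `first_id` so it does not overwrite an existing local-in-policy entry.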