Dear All,
I'm new to Fortigate and new to the forum. Anyway, I have a problem configuring policies for blocking unwanted access from some external/malicious IP addresses.
Here's what I did.
config firewall policy
edit 4
set uuid 10be693f-5610-45a9-bebc-c27bd394177f
set srcintf "any"
set dstintf "any"
set srcaddr "group-blacklist"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
I have put the policy on top of the list. However, when I tried accessing my FW from blocked IP address, it still can go through and no traffic were recorded to the policy log. Am I missing any steps or is there any other way? Thank you guys.
Fortigate 60D
v5.2.6,build711 (GA)
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
This is not about VIPs but administrative access to the FGT, right?
You can do 2 different things:
1- only allow certain public IPs to access the FGT (white listing) - go to System>Admin>myadmin>TrustedHosts
2- create a local-in policy which uses a predefined custom address group as source address(es). Local-in policies are only managed in the CLI.
You need to do the "set action deny".
And try to specify the source and destination-interface, that's best practice.
I did set the action to deny. In my case, I want to block external IP addresses from accessing my WAN interface. How do I set the source interface and destination interface? Is there an access control list to do that or am I missing anything? Thanks.
Hi
I had the same problem v5.2.6 , in the end the fix was not to set the dstaddr to all but to specify each of the VIPS. Once I did that the external IP address was blocked and I could see the entries in the log
Hope that helps
Ian
Web: www.activatelearning.ac.uk
Twitter: twitter.com/activate_learn
Facebook: facebook.com/Activate-Learning
This is not about VIPs but administrative access to the FGT, right?
You can do 2 different things:
1- only allow certain public IPs to access the FGT (white listing) - go to System>Admin>myadmin>TrustedHosts
2- create a local-in policy which uses a predefined custom address group as source address(es). Local-in policies are only managed in the CLI.
What is the best way to block an external IP trying to connect to services like IKE ?
I tried to create the following policy with no luck! :
Incoming interface WAN1
Outgoing interface? (IPSEC_VPN or Internal, or ....?) tried both
Source IP address: is set to mach the range of IP that I want to block
Destination addres : is set to all
Service: all
Sechule: always
Action: Deny
The policy is placed at the very top
Also I tried to config the Local-In_policy as follows
Edit 1
set intf WAN1set srcaddr <Group_of_blocked_addresses>set dstaddr <All>set service <IKE>set schedule <Always>
I tried to set the action to deny but it wont accept it!
Any ideas how this is accomplished!! I came from Juniper and denying external IP's was not a project!
Forgot to mention that I limited access to the device by setting the trusted sources to my internal IPs in the admin section to enhance the device security.
Thank you
Hi,
Did you find a solution to this problem? I have the same issue i can understand what is the reason
Thank you
@SamH, local-in policy is the way to go for blocking access to the FGT itself from specific IPs. Are you sure the FGT didn't allow you to set action to deny? Did it give you an error? Remember that local-in policy action is "deny" by default, so since running a show command won't display any default values it wouldn't show up. What does "show full" give you for the local-in policy?
Also, assuming the issue is these specific IPs trying to access the FGT's wan ports, do you need to have admin access on the wan ports? Unless you really need it, your wan interfaces should have all administrative access turned off. And if you do need it, as ede_pfau suggested, it's best to only allow specific trusted hosts.
Since yesterday that i applied the local-in-policy as suggested it worked and for me at least the device allow me to set the action to deny with out any problems.
Thank you
I did try the Local-in policy but it did not allow me to set the action to deny !!!
Any thoughts?
Thank you
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1734 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.