Support Forum
usmansa1
New Contributor II

Difference between firewall local-in policy and general administrative access

Hi All,

I am a little confused about the roles of administrative access and the local-in policy. Don't they do the same thing? Administrative access can be enabled with the interface-level command "set allow-access", and we can only allow a few protocols to access the FGT interface. I know there is a huge list of protocols available in the firewall local-in policy, but aren't these protocols already blocked, with only those configured by the set allow-access command allowed? I tested this on my FGT firewall against its main IP using different ports:

 

telnet 1.1.1.1 514

telnet 1.1.1.1 179

and each time it shows this error: "Could not open connection to the host, on port 514: Connect failed". I didn't configure any local-in policy, so my question is: what is the benefit of configuring the local-in policy when we have administrative access, and what is the difference between the local-in policy and administrative access?

 

Babitha_M
Staff

Hi,

Basically, administrative access is for getting access to the firewall using HTTPS/HTTP, SSH, ping and telnet.
General administrative access refers to the overall access and permissions granted to administrators for managing the FortiGate device.

Whereas the local-in policy is to control inbound traffic to the firewall (traffic destined to the firewall itself).
The functionality of the local-in policy is that it allows administrators to granularly define the source and destination addresses, interface, services, and actions for inbound traffic.

When you telnet to a UDP port, it will not work.
And the firewall will not listen on port 514 until you make some configuration for it.


Refer to this article:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/363127/local-in-policy

Toshi_Esumi

And the GUI "Administrative Access" config is under each specific interface, limited to admin access only. This feature has, I'm guessing, been there almost from the inception of the FortiGate product 20+ years ago.
Local-in policy is relatively new, added because of the need to block all other hack attempts/attacks against the FGT, including random IPsec VPN attempts (UDP 500/4500), for multiple incoming ports or "any" port. It's more flexible, therefore more advanced. And it can't be configured in the GUI now.
But I don't see the GUI Admin Access going away in the future, because this is the very basic access protection that any FGT beginner can easily set up.

Toshi

ap
Staff

Hi @usmansa1,

Administrative access allows you to configure general, protocol-specific access to the FortiGate over a specific interface.

However, the local-in policy allows you to control it with more granularity. For example, you can configure a local-in policy to allow access to the FortiGate only from a specific public IP address, or only from specific countries.

The local-in policy allows you to control communication for all services/ports, while administrative access only refers to specific protocols and ports (like HTTPS, HTTP, SSH etc.).

Regards,

Ankit

usmansa1
New Contributor II

Hi Guys, today I tested this firewall policy with my internal setup. I connected this FGT to a router and then configured BGP, and it worked fine. FGT port1 is connected to the router; this FGT is a VM running 7.0.10 with a trial licence. Now I configured the firewall policy as mentioned below:

FGT-A # show firewall local-in-policy
config firewall local-in-policy
    edit 10
        set uuid dc0fe2ce-6764-51ef-526e-a286c22960b2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "BGP"
        set schedule "always"
        set action deny
    next
end

Technically, after the above policy the BGP peering should drop, or should not form after the interface reset, but this didn't happen. Although the BGP neighborship was reset when I configured that policy, the BGP neighbor went up again. Is there anything I am missing?

Shashwati
Staff

Hello,

Please verify the BGP service configuration:

config firewall service custom

    edit "BGP"
        set tcp-portrange 179
    next
end

Refer to the following document:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-close-BGP-port-179-with-Local-in-po...
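The two points raised above, that allowaccess is a per-interface, protocol-only switch while the local-in policy adds source-address granularity (Ankit's reply), and that a deny policy is only as good as the service object it references (Shashwati's reply), can both be checked mechanically from the config/edit/set text that `show` prints, in the format the posts in this thread paste. The following is an added example and is not code from this thread or from Fortinet: a small Python parser for that block format plus two audits, one listing every interface with management protocols enabled and the local-in policies that name it, and one resolving each local-in policy's services to ports. The sample config is constructed for the example; the interface name, policy IDs and the address object "mgmt-hosts" are assumptions, and the sample uses FortiOS's real keyword `set allowaccess` rather than the `set allow-access` in the first post. The audit only reports which local-in policies reference an interface; it does not model FortiOS's evaluation order.

```python
import shlex

# Constructed sample modelled on the thread's 'show' output; not from a real device.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end
config firewall service custom
    edit "BGP"
        set tcp-portrange 179
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 10
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "BGP"
        set schedule "always"
        set action deny
    next
end
"""

# allowaccess values that grant management access (ping left out on purpose)
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet", "snmp"}


def _node():
    return {"attrs": {}, "tables": {}, "entries": {}}


def parse_fortios(text):
    """Nest config/edit/set/unset/next/end lines into {attrs, tables, entries} nodes."""
    stack = [_node()]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        top = stack[-1]
        if kw == "config":          # 'config system interface' -> a table node
            stack.append(top["tables"].setdefault(" ".join(args), _node()))
        elif kw == "edit":          # 'edit "port1"' -> an entry node in that table
            stack.append(top["entries"].setdefault(args[0], _node()))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set":
            top["attrs"][args[0]] = args[1:]
        elif kw == "unset":
            top["attrs"].pop(args[0], None)
    return stack[0]


def _entries(cfg, table):
    return cfg["tables"].get(table, _node())["entries"]


def interface_exposure(cfg):
    """Interfaces with management protocols enabled, and the local-in policies naming them."""
    policies = _entries(cfg, "firewall local-in-policy")
    report = {}
    for name, node in _entries(cfg, "system interface").items():
        mgmt = sorted(set(node["attrs"].get("allowaccess", [])) & MGMT_PROTOCOLS)
        if mgmt:
            refs = [pid for pid, p in policies.items()
                    if p["attrs"].get("intf", ["any"])[0] in (name, "any")]
            report[name] = {"mgmt": mgmt, "local_in": refs}
    return report


def service_ports(cfg, service):
    """Resolve a service name to destination ports per protocol, or None if not in the table."""
    svc = _entries(cfg, "firewall service custom").get(service)
    if svc is None:
        return None
    # a range may be written 'dst' or 'dst:src'; keep the destination side
    return {proto: [r.split(":")[0] for r in svc["attrs"].get(f"{proto}-portrange", [])]
            for proto in ("tcp", "udp", "sctp")}


def local_in_summary(cfg):
    """One row per local-in policy, with each service resolved to its ports."""
    rows = []
    for pid, p in _entries(cfg, "firewall local-in-policy").items():
        a = p["attrs"]
        rows.append({"id": int(pid), "intf": a.get("intf", ["any"])[0],
                     "srcaddr": a.get("srcaddr", []), "action": a.get("action", [""])[0],
                     "services": {s: service_ports(cfg, s) for s in a.get("service", [])}})
    return rows


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print(interface_exposure(cfg))
    print(local_in_summary(cfg))
```

Paste a device's own `show system interface`, `show firewall service custom` and `show firewall local-in-policy` output in place of the constructed sample; an interface that shows management protocols but an empty `local_in` list is one where only allowaccess stands between the internet and the admin port, and a deny row whose service resolves to no ports, or to the wrong protocol, is the first thing to check when a deny policy appears not to bite.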

usmansa1
New Contributor II

Hi Shashwati,

Thanks for the response, this seems to be already enabled:

usmansa1
New Contributor II

config firewall service custom
    edit "BGP"
        set proxy disable
        set category "Network Services"
        set protocol TCP/UDP/SCTP
        set helper auto
        set check-reset-range default
        set comment ''
        set color 0
        set visibility enable
        set fabric-object disable
        set iprange 0.0.0.0
        set fqdn ''
        set tcp-portrange 179
        unset udp-portrange
        unset sctp-portrange
        set tcp-halfclose-timer 0
        set tcp-halfopen-timer 0
        set tcp-timewait-timer 0
        set tcp-rst-timer 0
        set udp-idle-timer 0
        set session-ttl 0
    next
end
