Hi All,
I am little confused between the role of administrative access and local-in policy, aren't they do the same function ? administrative access can be enabled by using the interface level command "set allow-access" and we can only allow few protocols to access the FGT interface, I know there is a huge list of protocols available in firewall local policy but aren't these protocols are already blocked and only those allowed which are configured by set allow-access command, I tested this with my FGT firewall with main IP by using different ports
telnet 1.1.1.1 514
telnet 1.1.1.1 179
and each time it shows this error "Could not open connection to the host, on port 514: Connect failed" and I didn't configure any local policy so my question is that after all what is the benefit of configuring the local policy when we have administrative access or what is the difference between the local policy or administrative access ?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Basically the administrative access to to get the firewall access using the https/http, ssh, ping, telnet.
General administrative access refers to the overall access and permissions granted to administrators for managing the FortiGate device.
Whereas the local in policy is to control inbound traffic to the firewall(to the firewall traffic).
Functionality of the local in policy is they allow administrators to granularly define the source and destination addresses, interface, services, and actions for inbound traffic.
when you telnet with a udp port, it will not work.
And the firewall will not listen to the port 514 until you made some config.
Refer this article:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/363127/local-in-policy
And, GUI "Administrative Access" config is under each specific interface, only limited to admin access. This feature is, I'm guessing, almost from the inception of FortiGate product 20+ years ago.
Local-in-policy is relatively new because of needs blocking all other hack attempts/attacks against the FGT, including random IPSec VPN attempts (UDP 500/4500) for multiple incoming ports or "any" ports. It's more flexible, therefore more advanced. And can't be configured in GUI now.
But I don't see the GUI Admin Access would go away in the future, because this is the very basic of access protection any beginners of FGT can easily set up.
Toshi
Hi @usmansa1 ,
Administrative access allows you to configure general protocol specific access to fortigate over specific interface.
However, Local-in policy allows you to control it with more granularity. For example, you can configure local-in policy to allow the fortigate access only from specific public IP address / only from specific countries.
Local-in policy allows you to control communication for all the services/ ports, while administrative access only refers to specific protocols and ports (like HTTPS,HTTP,SSH etc.)
Regards,
Ankit
Hi Guys, today i tested this firewall policy with my internal setup, I connected this FGT with router and then configured BGP and it worked fine, FGT port 1 is connected with the router, this FGT is VM 7.0.10 and with trial licence. Now I configured the firewall policy as mentioned below:-
FGT-A # show firewall local-in-policy
config firewall local-in-policy
edit 10
set uuid dc0fe2ce-6764-51ef-526e-a286c22960b2
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set service "BGP"
set schedule "always"
set action deny
next
#
Technically after the above policy the BGP peering should dropped or should not be formed after the interface reset but this didnt happen although the BGP neighborship was reset when i configured that policy but BGP neighbor went up again, is there anything I am missing
Hello
Please verify the service BGP configuration
config firewall service custom
edit "BGP"
set tcp-portrange 179
next
end
Refer to the following document
Created on 08-31-2024 05:12 PM Edited on 08-31-2024 05:34 PM
Hi Shashwati,
thanks for response, this seems to be already enabled
edit "BGP"
set proxy disable
set category "Network Services"
set protocol TCP/UDP/SCTP
set helper auto
set check-reset-range default
set comment ''
set color 0
set visibility enable
set fabric-object disable
set iprange 0.0.0.0
set fqdn ''
set tcp-portrange 179
unset udp-portrange
unset sctp-portrange
set tcp-halfclose-timer 0
set tcp-halfopen-timer 0
set tcp-timewait-timer 0
set tcp-rst-timer 0
set udp-idle-timer 0
set session-ttl 0
next
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.