Hi all,
A silly question: I don't work much on the FortiGate 200B and I have to do some work on it these days.
I have to move a network interface from one port to another (just for info: port 13 to port 10).
I have checked all the settings related to the old port and recreated them for the new one.
I have seen under "Policy and Objects" that there is the menu "Local-In", where the old port (port 13) has some settings related to DNS under "Networking and Routing".
Question 1: Is this setting created automatically when a new port is plugged in, or do I have to configure it?
Question 2: If the answer to question 1 is yes, how can I configure it on the new port 10?
Thank you very much!
Alessandro
<<Question 1: Is this setting created automatically when a new port is plugged in, or do I have to configure it?
You need to configure it.
<<Question 2: If the answer to question 1 is yes, how can I configure it on the new port 10?
For the "Administrative Access" local policy, it is set up on the interface with "set allowaccess ping https ssh snmp http telnet".
For your case, you may ignore the others.
Thank you for answering
In my case the "Administrative Access" local policy already looks configured for this port.
What is not configured is the "Networking and Routing" part.
I mean: the "old" port is configured to accept DNS, the "new" port is not configured.
The questions are:
1) What is the way to configure this DNS policy?
2) What happens if point 1) is not configured?
Thanks again
How about copying out the configs for the old and new ports so we can see what you're doing?
The same goes for the local-in policies.
You should really be able to "show sys interface port13" and then port10, copy the cfg out, unset the old port and set the new port, and be 90% done.
For the local-in, those are policies for traffic specific to the self address of the FortiGate, so it's not 100% clear what you're filtering under local-in-policy.
PCNSE
NSE
StrongSwan
If you want to do it in the GUI, just go to GUI: System -> Network -> DNS Servers.
This menu will show up if you enable it under GUI: System -> Config -> Features, thanks.
Jeff, no chance to do it from the GUI, I have checked all possible options.
Can anyone please help me with this command?
config firewall local-in-policy
    edit <policy_number> ............... how do I see which number to assign to this new policy?
        set intf <source_interface> ............... my port is named "port 10 DMZ1_NEW"
        set srcaddr <source_address> ............... I don't have a specific source IP
        set dstaddr <destination_address> ............... I don't have a specific destination IP
        set action {accept | deny} ............... easy: accept
        set service <service name> ............... here it should be easy: the service name is only "DNS"
        set schedule <schedule_name> ............... is this setting necessary? I don't see any field related to the schedule in the GUI
end
Thanks
Hi Agianna,
The DNS policy on your FGT port13 is a hidden local-in policy; the FGT creates it from the CLI. The DNS policy is set up at:
config system dns-server
    edit "port14"
        set mode forward-only
    next
end
It will forward DNS requests if they are received on that port, thanks.
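As an added example (not part of the reply above), the CLI that moves the DNS service binding from the old interface to the new one; it assumes the new interface's system name is "port10" (the "port 10 DMZ1_NEW" in the thread is taken to be its alias) and that the old port used forward-only mode:

```text
# Added example: unbind the DNS service from the old interface and bind it
# to the new one. Interface names port13/port10 are assumptions.
config system dns-server
    delete "port13"
    edit "port10"
        set mode forward-only
    next
end
# Verify: the new interface should now be listed with mode forward-only
show system dns-server
```

Once the entry exists, the FortiGate answers DNS on port10's own address (the hidden local-in policy the reply describes), forwarding queries to the DNS servers configured under "config system dns"; no separate "config firewall local-in-policy" entry is needed for this.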