current F 90D version is 6.0.9 build0335, this FW works as UTM, wan primary ip is private and secondary ip is the public routed throughout the private ip to reach internet, all filters to current public ip (set as secondary) are enabled to allow only from our network and if no allow rule is enabled by default all sessions to Fortigate Iitself should be dropped ( but some how icmp is still available from everywhere) . Following is debug output:
2024-05-10 15:19:10 id=20085 trace_id=58 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=1, xxxPublicIcmpSourceIp:6164->xxxPublicWanIpxxx:2048) from wanvlanxxx. type=8, code=0, id=6164, seq=1."
2024-05-10 15:19:10 id=20085 trace_id=58 func=init_ip_session_common line=5619 msg="allocate a new session-00767dad"
2024-05-10 15:19:10 id=20085 trace_id=58 func=iprope_dnat_check line=4921 msg="in-[wanvlanxxx], out-[]"
2024-05-10 15:19:10 id=20085 trace_id=58 func=iprope_dnat_tree_check line=812 msg="len=0"
2024-05-10 15:19:10 id=20085 trace_id=58 func=iprope_dnat_check line=4934 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-05-10 15:19:10 id=20085 trace_id=58 func=vf_ip4_route_input line=1604 msg="find a route: flags=80000000 gw-xxxWanPublicIPxxx via root"
2024-05-10 15:19:10 id=20085 trace_id=58 func=iprope_in_check line=423 msg="in-[wanvlanxxx], out-[], skb_flags-00800000, vid-0"
2024-05-10 15:19:10 id=20085 trace_id=58 func=__iprope_check line=1989 msg="gnum-100011, check-f8af5940"
2024-05-10 15:19:10 id=20085 trace_id=58 func=iprope_policy_group_check line=4333 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2024-05-10 15:19:10 id=20085 trace_id=58 func=__iprope_check line=1989 msg="gnum-100001, check-f8af50f8"
2024-05-10 15:19:10 id=20085 trace_id=58 func=iprope_policy_group_check line=4333 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2024-05-10 15:19:10 id=20085 trace_id=58 func=__iprope_check line=1989 msg="gnum-10000e, check-f8af50f8"
2024-05-10 15:19:10 id=20085 trace_id=58 func=__iprope_check_one_policy line=1747 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
10 15:11:45 id=20085 trace_id=56 func=__iprope_check_one_policy line=1747 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
2024-05-10 15:11:45 id=20085 trace_id=56 func=__iprope_check_one_policy line=1960 msg="policy-4294967295 is matched, act-accept"
2024-05-10 15:11:45 id=20085 trace_id=56 func=__iprope_check line=2008 msg="gnum-10000f check result: ret-matched, act-accept, flag-00000000, flag2-00000000"
2024-05-10 15:11:45 id=20085 trace_id=56 func=iprope_policy_group_check line=4333 msg="after check: ret-matched, act-accept, flag-00000000, flag2-00000000"
2024-05-10 15:11:45 id=20085 trace_id=57 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=1, xxxPublicSecondaryIpxxx:31976->xxxIcmpTestSource:0) from local. type=0, code=0, id=31976, seq=1."
2024-05-10 15:11:45 id=20085 trace_id=57 func=resolve_ip_tuple_fast line=5535 msg="Find an existing session, id-007678c3, reply direction"
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Traffic that is destined to FortiGate itself is not managed by firewall policies, but by local-in-policies.
So you can create a local-in-policy to allow specific sources to ping your FortiGate.
E.g.:
config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "g-allowed-group"
set srcaddr-negate enable
set dstaddr "all"
set service "PING"
set schedule "always"
next
end
Ref:
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/363127/local-in-policy
If I'm not wrong this debug log shows a ping from outside to your WAN interface.
If I understand your concern you want your FG not to reply to external echo requests, right? Then you just need to disable "Ping" on your WAN interface. Or did I misunderstand your concern?
Hi @salassilvaj,
Please refer to the admin guide to disable ping on wanvlanxxx interface. https://docs.fortinet.com/document/fortigate/6.0.0/handbook/909236/configuring-administrative-access...
Regards,
Really preciated, I need to allow only some icmp source, i.e. my monitor network, and closed to everyone else, I cant identify which rule is the proper one to block
Traffic that is destined to FortiGate itself is not managed by firewall policies, but by local-in-policies.
So you can create a local-in-policy to allow specific sources to ping your FortiGate.
E.g.:
config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "g-allowed-group"
set srcaddr-negate enable
set dstaddr "all"
set service "PING"
set schedule "always"
next
end
Ref:
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/363127/local-in-policy
Thanks a lot, but, just a doubt, how is considered the priority between local-in policy and management interface trusted hosts? if the ip is blocked through local-in policy but allowed inside trusted host ?
Well I didn't test it, but if my understanding of FG logic is not wrong, if local-in-policy blocks a management traffic that is allowed by trusted hosts, then the traffic is blocked. While if local-in-policy allows a management traffic that is blocked by trusted hosts, then the traffic is blocked as well. A double-check is always good.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.