FortiGate: Local-in-policy to block access from the internet and other connections
Dear All,
I have a FortiGate facing the internet; it has public IP a.a.a.a on port wan1.
I have an IPsec tunnel to another site using the wan1 port as well, and I have a FortiManager that manages the FortiGate over wan1 too.
I want to use a local-in-policy to block unknown public IPs from accessing my FortiGate via the wan1 IP address.
My question is: if I apply the local-in-policy on wan1, can my IPsec tunnel and FortiManager still connect to my FortiGate?
Thanks!
Hello,
Please configure an address group that contains the legitimate IPs (the IPsec peer's ISP address and the FortiManager) and create a local-in-policy to block all other traffic.
Please follow the articles below:
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/201046/blocking-unwanted-ike-negotiatio...
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy
That means if I only apply a local-in-policy with a trusted-host limit for HTTPS access, then my FortiGate cannot reach FortiManager or the IPsec peer either, right?
I need more policies to allow the IPsec connection and FortiManager, right?
Created on 10-04-2024 08:43 AM, edited on 10-04-2024 08:44 AM
If you don't set any local-in-policy, which is the default, everything to all interfaces is allowed.
If you just want to block random HTTPS access to the wan1 interface, you need to allow your specific sources in the first policy for HTTPS only, then deny any other sources (any) for HTTPS only. FMG uses TCP 541, but that would not be blocked because the policies above are only for HTTPS.
However, if you don't use the wan1 interface for your own admin access, you can just uncheck HTTPS in the wan1 interface config in the GUI (or remove it from allowaccess in the CLI).
Trusthost works in a different way. It's per admin user. You probably know that already.
Toshi
Hi,
You may consider creating two local-in rules. The first is an allow rule at the top, where you specify as source addresses all trusted IP addresses (best to create an address group for this) and allow services like HTTPS, SSH, PING, FMG-Access and IPsec. After that, you can create a second local-in rule blocking all IP addresses as source.
Thanks,
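The two-rule design the replies describe, as an added FortiOS CLI example that is not from any poster in this thread: the object names and the addresses 198.51.100.10, 203.0.113.5 and 192.0.2.0/24 are constructed placeholders for the IPsec peer, the FortiManager and an admin network; HTTPS, SSH, PING and ALL are FortiOS predefined services, while TCP 541 (the FMG port named above), IKE and ESP are defined here as custom services so the example does not depend on predefined service names.

```fortios
# Address objects for every source that must still reach the wan1 IP.
# The addresses below are constructed placeholders; use your real ones.
config firewall address
    edit "ipsec-peer-public"
        set subnet 198.51.100.10 255.255.255.255
    next
    edit "fortimanager-public"
        set subnet 203.0.113.5 255.255.255.255
    next
    edit "admin-office-net"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# One group keeps the allow rule readable and easy to audit.
config firewall addrgrp
    edit "trusted-mgmt-src"
        set member "ipsec-peer-public" "fortimanager-public" "admin-office-net"
    next
end

# Custom services so the allow rule is explicit about what it permits.
config firewall service custom
    edit "FMG-TCP541"
        set tcp-portrange 541
    next
    edit "IKE-UDP"
        set udp-portrange 500 4500
    next
    edit "ESP-IP50"
        set protocol IP
        set protocol-number 50
    next
end

# Local-in policies are matched top-down; the allow rule must come first.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "trusted-mgmt-src"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH" "PING" "FMG-TCP541" "IKE-UDP" "ESP-IP50"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

Rule 2 is bound to wan1 only, so other interfaces keep the default behaviour (everything allowed, as noted above). If you only want the narrower variant from the earlier reply, change rule 2's service from "ALL" to "HTTPS" and rule 1's service list to "HTTPS"; TCP 541 and IKE/ESP are then never evaluated against the deny. Before applying, confirm that the source you are currently administering from is a member of the group, since the deny takes effect on the next packet to wan1.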
