Dear All,
I have a fortigate is facing to internet, it has public IP: a.a.a.a , port : wan 1
I have IPSEC tunnel to another site using WAN 1 port also, and I have Fortimanager manage Fortigate use WAN 1 also.
I want to use Local-in-policy to block unknown Pulbic IP access to my fortigate via WAN 1 IP Address
My question is: If I apply the local -in-policy on WAN 1, my IPSEC tunnel and Fortimanager can connect to my Fortigate ?
Thanks !
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello
Please configure a address group that excludes legitimate IPs (IPSec Peer ISP and Fortimanager) and create a Local-in-Policy to block all the other traffic
Please follow the below articles;
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/201046/blocking-unwanted-ike-negotiatio...
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy
it mean, if I only apply Local-in-policy for Trusthost limit access HTTPS, then my fortigate can not access Fortimanager and IPSEC also , right ?
I need more policy to allow ipsec connection and Fortimanager , right ?
Created on 10-04-2024 08:43 AM Edited on 10-04-2024 08:44 AM
If you don't set any local-in-policy, which is the default, everything to all interfaces are allowed.
If you want to just block random HTTPS accesses to the wan1 interface, you need to allow your specific sources in the first policy only for HTTPS, then deny any other sources (any) only for HTTPS. FMG uses TCP 541 but that would not be blocked because above policies are only for HTTPS.
However if you don't use the wan1 interface for your own admin access, you can just uncheck (or allowaccess in CLI) HTTPS at the wan1 interface config GUI.
Trusthost would work in different way. It's per admin user. You probably know that already.
Toshi
Hi,
You may consider creating two local rules. The first local allow rule on the top where you mention your src add for all trusted IP addresses(best to create an address group for this) and allow services like https, ssh, ping, FMG-Access and IPsec. After that, you can create a second local in rule blocking all IP addresses as source.
Thanks,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.