Hello,
how can one aggregate many IKEv1 and IKEv2 dial-in peers in one Firewall policy ruleset?
I have approx. 80 IPSec dial-in tunnels defined. Each of which would need an own firewall rule to access the IP-Pool "IPSecClient_IP-range" which is dedicated to IKE-Config mode. See sample below:
config firewall policy
edit NN
set name "IPSec Client"
set uuid 3da34a02-nnn-nnn-8f09-f6ef3d7ennnn
set srcintf "IPSec Tunnel Client"
set dstintf "INTRANET"
set action accept
set srcaddr "IPSecClient_IP-range"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end
Is there an opportunity to create such a rule for a number of IPSec clients?
Or do You have an idea to bulk create the necessary rulesets?
best regards
Martin Haneke
Solved! Go to Solution.
Hello Martin,
If you want to add multiple source interfaces in the policy then you can use following:
Hi, Martin!
To combine multiple IKEv1 and IKEv2 peer networks into a single set of firewall policy rules, you can use address or object groups in your firewall. Instead of creating a separate rule for each IPSec remote access tunnel, you can create one general rule and define an address or object group that includes IP pools for all IPSec clients.
Wouldn't a zone work for this purpose as well?
Toshi
Uh-oh, just be aware that "multiple interface policy" is opening Pandora's box if you are not very, very careful.
Imagine you allow this, and create an access policy to some internal resource.
Now, months later, you create an additional VPN. Traffic from this (unrelated) interface will automatically be included in this policy. This is called a side-effect, with potential to create a security breach.
Besides, you will lose the "interface pair" view in the policy table. Annoying at first, troublesome when the table grows later.
Try to go with a zone, a container for interfaces which can only be used in policies. That should do the trick.
Besides, I think you could set up your dial-in VPN such that many users could share the same VPN. Issue a unique PSK and username to each user, and differentiate access rules by adding user groups in the policies. Who wants to handle 80 dial-in VPNs?
Thank You for the explanation. Then I have to keep that configuration until we change everyone to FortiClient. Otherwise we would have to change the configuration on every of these 3rd-party software clients.
best regards
Martin Haneke
I didn't know. We put both static and dynamic IPsecs into one zone to have just one set of policies for many tunnels. But the fact is we don't have any dialup among them.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.