- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Internal Access Denied Despite Country-Based Restr...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Internal Access Denied Despite Country-Based Restrictions
Dear Community,
I'm grappling with a FortiGate firewall configuration dilemma. I've set up a web server with country-based access restrictions, allowing only certain countries. While this works for external access, internal connections from the local network are being denied. Specifically, attempts from an internal IP (e.g., 192.168.0.50) to the server (e.g., 192.168.0.10) are blocked by the policy, configured with the source set to WAN and destination to LAN.
To resolve this, I'm contemplating adding the internal IP range to the list of allowed countries. Notably, the policy from internal to the internet has NAT enabled.
My question is whether including the entire internal IP range in the list of allowed countries is a advisable workaround, or if there's a more nuanced approach to facilitate internal access while preserving external restrictions.
I'd appreciate any insights or alternative suggestions from the community.
Thank you for your expertise.
Labels:
- Labels:
-
FortiGate
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mair,
Thank you for reaching out. Internal private address range should not match a geoip address object as these private addresses cannot be routed and they are not be listed under any country. If you are performing hair pinning configuration where internal users behind the same firewall as the server have to go to the internet first before they reach the server using the vip address that might explain the issue. I would recommend troubleshooting the issue using debug flow and sniffer commands in different cli sessions:
# diag de reset
# di de flow filter addr x.x.x.x ---- dst address where traffic is blocked
# di de flow filter port <dst port if applicable>
# di de flow show function en
# di de flow trace start 10 ----- number of packets to be recorded
# di de console time en
# di de en
# di sniffer packet any "host x.x.x.x and port <dst port>" 4 0 l
Thank you,
saleha
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you very much for your fast reply!
2024-01-31 14:33:45.392701 internal in 192.168.0.53.61158 -> 80.x.x.x.443: syn 3802687125
2024-01-31 14:33:46.398426 internal in 192.168.0.53.61158 -> 80.x.x.x.443: syn 3802687125
2024-01-31 14:33:47.415662 internal in 192.168.0.53.61158 -> 80.x.x.x.443: syn 3802687125
2024-01-31 14:33:48.465657 internal in 192.168.0.53.61158 -> 80.x.x.x.443: syn 3802687125
2024-01-31 14:33:49.410174 internal in 192.168.0.53.61158 -> 80.x.x.x.443: syn 3802687125
this is what i get when i try to access the site. (note that i masked the public IP's)
As you mentioned, the clients are behind the same port as the server is. Most clients access the server using DNS, therefore with a public IP. They try to go to the internet, but never exit through the WAN. When i enable the log for the server's policy, i can see that the request is denied. The source is a local IP and this does not match the source (country, i.e. public IP) of the policy. As already said, when I add the local IP range to the source of the policy, i have access. But adding the local IP range to a policy from WAN seems like a dirty hack.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Mair,
Based on your description, you can configure hairpin NAT. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448
Regards,
Related Posts
- How to create 1 Wan with... 190 Views
- FortiGate diag log test question 114 Views
- Internet Service Database Policy Placement 92 Views
- How how can I limit the... 262 Views
- Captive portal issue - fails to... 184 Views
Labels
-
FortiGate
6,718 -
FortiClient
1,337 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
342 -
FortiClient EMS
273 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
82 -
FortiToken
73 -
Customer Service
71 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
61 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
SD-WAN
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiInsight
3 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.