Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiMax_it
Contributor

Local-in-policy and log

Hi, I have a Fortigate 60E firmware 7.4.1
I have a public subnet that very often tries to connect via IPSEC VPN to the firewall. I therefore created a local-in-policy to deny the connection to this subnet, but I continue to see the logs and I also receive emails from an automation that notifies me of unsuccessful VPN connections.
Shouldn't the local-in-policy block the source connection so it doesn't even create the log?
The firewall navigates with a public IP directly on its WAN.

 

 

 edit "Attempt_ipsec_167.0.0.0"
        set uuid 006d9cf8-500d-51ee-cdb6-363058ded725
        set subnet 167.0.0.0 255.0.0.0
config firewall local-in-policy
    edit 1
        set uuid d69d2fdc-500d-51ee-9cb8-ff27447660f2
        set intf "WAN-Fibra"
        set srcaddr "Attempt_ipsec_167.0.0.0"
        set dstaddr "all"
        set service "IKE" "ALL_ICMP" "VPN_SSL_9443"
        set schedule "always"

 

 

 
IKE.jpg

 

log__.jpg

14 REPLIES 14
Toshi_Esumi
Esteemed Contributor III

What is your FGT model? I'm curious.

 

Toshi

Toshi_Esumi
Esteemed Contributor III

Oh, you said 60E. Of course it's not supported. Has to be at least NP6.

FortiMax_it

Version: FortiGate-60E v7.4.1,build2463,230830 (GA.F)

FortiMax_it

Unfortunately the ACLs that Fortigate supports didn't help me. Let's see if Fortinet will read my post and be able to explain how to do it. Thanks for now!

 

Message meets Alert condition

date=2023-09-23 time=02:11:34 devname=FGT60EXXXX devid=FGT60EXXXXXX eventtime=1695427894523057105 tz="+0200" logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=167.248.133.175 locip=XX.XX.XX.XX remport=4500 locport=500 outintf="ppp2" cookies="N/A" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="4d658221" seq="07fcfd52" fctuid="N/A" advpnsc=0

 

Toshi_Esumi
Esteemed Contributor III

The access-list you configured under "config router access-list" can be used only for routing protocols like BGP to filter advertising/advertised routes.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-an-Access-list-on-a-Route-Map-that-...

It's not ACL to block traffic.

 

Toshi

Labels
Top Kudoed Authors