FortiMax_it
Contributor

Local-in-policy and log

Hi, I have a FortiGate 60E running firmware 7.4.1.
There is a public subnet that very often tries to connect to the firewall via IPsec VPN. I therefore created a local-in-policy to deny connections from this subnet, but I still see the logs, and I also receive e-mails from an automation that notifies me of unsuccessful VPN connections.
Shouldn't the local-in-policy block the source connection so that it doesn't even create the log?
The firewall has a public IP directly on its WAN.

config firewall address
    edit "Attempt_ipsec_167.0.0.0"
        set uuid 006d9cf8-500d-51ee-cdb6-363058ded725
        set subnet 167.0.0.0 255.0.0.0
    next
end
config firewall local-in-policy
    edit 1
        set uuid d69d2fdc-500d-51ee-9cb8-ff27447660f2
        set intf "WAN-Fibra"
        set srcaddr "Attempt_ipsec_167.0.0.0"
        set dstaddr "all"
        set service "IKE" "ALL_ICMP" "VPN_SSL_9443"
        set schedule "always"
    next
end

[Attachments: IKE.jpg, log__.jpg]

anignan
Staff

Hi @FortiMax_it

Can you confirm that your IKE service is UDP 500? Yes, local-in should block it.

Abdel

FortiMax_it

Hi Abdel, thanks for the reply, but what you tell me I think is more of a workaround, because if I have a local-in-policy that blocks IPsec traffic, why is the log created in the VPN events section?
If traffic is blocked on the WAN interface it must not be processed by the CPU. As you can see, it is as if the packet has been processed. It should be discarded directly.

[Attachment: event.png]

anignan

Exactly, theoretically it should not hit the IKE daemon. Let me try to replicate this in my lab.

Abdel

anignan
Staff

Hi @FortiMax_it

This seems to be expected behavior, because this is not a proposal received from the remote peer but an ESP packet with an incorrect SPI. This packet is dropped before local-in-policy by the kernel, and iked logs it.

Does your FortiGate support ACLs? Check with the command show router access-list

Abdel
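Since the kernel drops these ESP packets before the local-in-policy and iked still writes the VPN event, one defender-side option is to filter the exported log on the denied source prefix before the notification automation fires. The following Python is an added example, not code from the thread or from Fortinet; the sample log lines are constructed, and the field names used (type, subtype, status, remip) are assumed to follow the FortiGate key=value log layout.

```python
import ipaddress
import re

# FortiGate-style key=value log tokenizer; values may be double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_line(line):
    """Split one key=value log line into a dict, stripping the quotes."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def is_vpn_failure(fields):
    """True for a VPN event that records a failed negotiation."""
    return (fields.get("type") == "event"
            and fields.get("subtype") == "vpn"
            and fields.get("status") == "failure")


def peer_in_prefixes(fields, nets):
    """True when the remote peer (remip) falls inside one of the networks."""
    peer = fields.get("remip")
    if not peer:
        return False
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in nets)


def events_to_notify(lines, suppressed_cidrs):
    """VPN failure events that still deserve an e-mail: everything except
    failures from peers that local-in-policy already denies (known noise)."""
    nets = [ipaddress.ip_network(c) for c in suppressed_cidrs]
    parsed = (parse_fortigate_line(line) for line in lines)
    return [f for f in parsed if is_vpn_failure(f) and not peer_in_prefixes(f, nets)]


# Constructed sample lines: the values and messages are illustrative
# placeholders in the FortiGate key=value layout, not real log data.
SAMPLE_LOGS = [
    'date=2023-09-21 time=10:01:02 devname="FGT60E" type="event" subtype="vpn" '
    'level="error" action="negotiate" remip=167.10.20.30 locip=203.0.113.10 '
    'status="failure" msg="ESP packet with invalid SPI"',
    'date=2023-09-21 time=10:01:05 devname="FGT60E" type="event" subtype="vpn" '
    'level="error" action="negotiate" remip=198.51.100.7 locip=203.0.113.10 '
    'status="failure" msg="IPsec phase 1 error"',
    'date=2023-09-21 time=10:01:09 devname="FGT60E" type="event" subtype="vpn" '
    'level="notice" action="negotiate" remip=192.0.2.44 locip=203.0.113.10 '
    'status="success" msg="IPsec phase 1 established"',
    'date=2023-09-21 time=10:01:12 devname="FGT60E" type="event" '
    'subtype="system" level="notice" msg="Admin login"',
]
```

Running events_to_notify(SAMPLE_LOGS, ["167.0.0.0/8"]) keeps only the failure from 198.51.100.7; the 167.0.0.0/8 failure is dropped as expected noise and the success and system events are never notification candidates.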

FortiMax_it

Hi,
Does it support ACLs? Yes.

[Attachment: ACL.png]

anignan

Hi @FortiMax_it

Try to use an ACL; this may help in your case.

Abdel

FortiMax_it

I tried to create it; I've almost never used them, so I hope I did it right (I'm not sure whether I should put deny or permit in the access list, as the route map is already set to deny) :D
I'll keep you updated.

[Attachment: route.png]

anignan

Hi @FortiMax_it

No, sorry, my bad, this should be placed under config firewall acl...

REF: https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/898126/access-control-lists

Abdel

FortiMax_it

Not supported :(

config firewall acl

command parse error before 'acl'
Command fail. Return code 1

Let's see if the access list I created still works in some way... I'll keep you updated.