Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Local in policy for BGP in regards to AWS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Local in policy for BGP in regards to AWS
Hi all,
We have local-in policy to allow all for bgp. I know we can set local-in policy to disable port 179 as follows:
config firewall local-in-policy
edit 1
set intf wan1
set scraddr all
set dstaddr all
set action deny
set service BGP
set schedule always
end
I have a couple of questions. I am coming from PA deployed in a very small office, so sorry if sound bit silly.
1. How to know if I change config in 'edit 1', I am not changing any other policy already there.
2. We have VPN with AWS going from WAN1. The inside tunnel address configured in VPN is used for BGP. AWS config here uses BGP(inside tunnel IP) for VPN to work. If I apply above local-in policy will it not affect VPN tunnel between fortigate and AWS.
We are using Fortigate version 6.4.0
Thanks.
Mudasir Malik
Mudasir Malik
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure what you mean with No.1 "How to know...". You just need to change in "edit 1" then hit "next" (not "end"), and then "show" to check the result of your change. Or even before hitting "next", you can do "show".
BGP over the tunnel goes through the tunnel interface, which is automatically created when you configured the phase1-interface. Not over wan1 interface. So your deny statement in the local-in-policy wouldn't apply to the BGP with AWS. By default, BGP is allowed all interfaces including those tunnel/logical interfaces.
Toshi
Created on 01-19-2022 04:29 AM Edited on 01-19-2022 04:33 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot Toshi.
I was wondering to check if something is already configured at 'edit 1'. Although, I ran through running-config and don't see any local-in policy at all but in GUI, I can see we have many local-in policies.
i was just curious as I know when I was working with ASA, you have specific command that will not apply any firewall policy on tunnel interface. looks like there is none in fortigate and tunnel inside IP is not considered on WAN interface. I will try to disable all bgp traffic for WAN port next week and see how it goes.
I guess to revert back I donot delete edit 1 instead change it to
config firewall local-in-policy
edit 1
set intf wan1
set scraddr all
set dstaddr all
set action allow
set service BGP
set schedule always
end
or do you think deleting edit 1 is the best way.
Thanks a lot
Mudasir Malik
Mudasir Malik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I said by default BGP is allowed on any interfaces. An "allow" local-in-policy is only meaningful when it's placed before a "larger" deny policy, so that it's allowed only with the condition while most of, if not all, others are denied.
Your case, nothing would be different for the behavior of the FGT. I would simply remove it and start from scratch to avoid future confusion or cluttering.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In case someone is looking for an answer. Applied local-in-policy and it did not impact the tunnel. The only issue was that we never had BGP, so we had to create a new Service for BGP by going into Policy&Objects -> Services as without doing this you will not be able to run 'set service BGP' command.
Mudasir Malik
Mudasir Malik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BGP should be in pre-configured services like DNS, OSPF, RIP, SNMP, etc. by default. Also you don't need any policy to terminate BGP at the IPsec interface. Only if you terminate it at a loopback interface or other internal interfaces, you need to have a set of policies for BGP to come/go out of the inside interface.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was on support with fortinet guys and the fortinet tech, who was really good at his work and he created BGP service. This also confused him a bit in start that we had BGP configured for local-in-policy(GUI). I had to call support as 'set service BGP' did not work due to BGP not available. So, the tech guy created a new BGP service. Then, I was able to enter command 'set service BGP'
As stated earlier, BGP is used in conjuction with AWS and I was just worried if BGP running inside tunnel will not be impacted. Anyways, my main question got answered this morning when applying above config did not cause any issue to tunnel.
Sorry, I am not sure what do you mean by terminate(I have never seen this term, may be my knowledge is limited:)), I never know that BGP has an end point. Yes there are two things in Fortigate. One is security policy and other is local-in policy. Both will perform different functions. One will allow to pass traffic through interface and reject later by policy while the later will reject any inbound traffic(local-in).
Mudasir Malik
Mudasir Malik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already forgot about what you were specifically working on and thought you added a policy with BGP in FW policy. Sorry about my confusion.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- IPSEC - ONE WAY PING 137 Views
- ForticlientVPN - Permission denied (-455) 115 Views
- FortiAP-231G intermittently goes offline. 72 Views
- Forticlient EMS Cloud a reliability/stability and... 67 Views
- Have any documents there that describe... 73 Views
Labels
-
FortiGate
8,360 -
FortiClient
1,692 -
5.2
801 -
FortiManager
705 -
5.4
639 -
FortiAnalyzer
535 -
FortiSwitch
452 -
FortiAP
447 -
6.0
416 -
FortiClient EMS
395 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
194 -
IPsec
177 -
FortiNAC
171 -
FortiGuard
133 -
6.4
128 -
SD-WAN
105 -
FortiGateCloud
100 -
FortiSIEM
96 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
50 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiPAM
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
FortiGate v5.0
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
Explicit proxy
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1634 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.