Hi all,
I have some doubts regarding local-in policies. I'll try to explain, and I'll add further information if required.
I've created an address group with some IP addresses in order to prevent scanning and other disallowed requests. I have some firewall policies that deny forwarding traffic from the banned group via WAN to the internal interfaces, and a local-in policy that blocks any action from the banned group:
config firewall policy
    edit 50
        set name "WebServer-bannedIPs"
        set srcintf "virtual-wan-link"
        set dstintf "port2"
        set srcaddr "bannedips"
        set dstaddr "WebServer_http" "WebServer_https"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
config firewall local-in-policy
    edit 101
        set intf "wan1"
        set srcaddr "bannedips"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
end
Viewing the logs, I can find banned IPs that are blocked by the local-in policy (101) if they try to connect to unspecified ports, but if they try to connect to port 443 they match the firewall policy (50). I'll paste the logs below:
date=2019-02-15 time=16:57:02 logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1550246222 srcip=bannedip srcport=59644 srcintf="wan1" srcintfrole="wan" dstip=externalip dstport=17070 dstintf="root" dstintfrole="undefined" sessionid=6047806 proto=6 action="deny" policyid=101 policytype="local-in-policy" service="tcp/17070" dstcountry="Italy" srccountry="Netherlands" trandisp="noop" app="tcp/17070" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
date=2019-02-15 time=05:03:23 devname=FG200 devid=FG200 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1550203402 srcip=bannedip srcport=50000 srcintf=wan1 srcintfrole="undefined" dstip=externalip dstport=443 dstintf="port2" dstintfrole="dmz" sessionid=4625888 proto=6 action="deny" policyid=50 policytype="policy" service="HTTPS" dstcountry="Italy" srccountry="United States" trandisp="dnat" tranip=internalip tranport=443 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
Could you help me to understand how policy priority works, please? How can I match the local-in policy before the firewall policy?
Thanks in advance,
Tommaso
This is how I think it would work (somebody correct me if I'm wrong) based on the reference below.
When a packet arrives at an interface, it checks the "through-traffic" regular policy first to see whether it should be passed and go out through another interface. If not, it checks the "allowaccess" config on the interface, then the local-in policies (or, as in the description, those allowaccess settings are merged with the local-in policies).
So in your case, I think you need to use "access-list" instead, which is probably checked against before these policies.
I think what's happening is that wan1 probably has a VIP defined. OP, is that true? Are "WebServer_http" and "WebServer_https" VIPs?
Ken Felix
PCNSE
NSE
StrongSwan
Thanks for replying, Ken. You're right, they are VIPs. Does it change anything?
Thanks Toshi,
but with an access-list I'm only able to have a whitelist, aren't I? If you're right about local-in, these policies stand right above the deny-all and below the firewall policies. I'm going to do some further tests.
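One way to confirm from the traffic log which policy type is actually catching each banned address, and whether the hit was DNAT'd through a VIP (and therefore handled as forward traffic by policy 50 rather than by local-in policy 101). This is an added example, not code from the thread; the sample log lines and all addresses are constructed, modelled on the two log entries quoted above.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two log entries in the thread:
# a local-in deny (policy 101) and a forward deny via DNAT/VIP (policy 50).
SAMPLE_LOGS = [
    'date=2019-02-15 time=16:57:02 type="traffic" subtype="local" srcip=203.0.113.10 '
    'srcport=59644 srcintf="wan1" dstip=198.51.100.5 dstport=17070 action="deny" '
    'policyid=101 policytype="local-in-policy" trandisp="noop"',
    'date=2019-02-15 time=05:03:23 type="traffic" subtype="forward" srcip=203.0.113.10 '
    'srcport=50000 srcintf=wan1 dstip=198.51.100.5 dstport=443 action="deny" '
    'policyid=50 policytype="policy" trandisp="dnat" tranip=10.0.0.5 tranport=443',
]

# FortiOS logs are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_fortilog(line):
    """Parse one FortiOS log line into a dict, with surrounding quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}

def summarize_denies(lines, banned):
    """For each banned source address, collect (dstport, policytype, policyid,
    trandisp) of every deny, showing which policy actually handled the hit."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_fortilog(line)
        if rec.get("action") != "deny" or rec.get("srcip") not in banned:
            continue
        hits[rec["srcip"]].append((int(rec["dstport"]), rec.get("policytype"),
                                   int(rec["policyid"]), rec.get("trandisp")))
    return dict(hits)

def dnat_denies(lines, banned):
    """Banned sources whose denies were DNAT'd (hit a VIP), i.e. were handled
    by a forward policy instead of the local-in policy."""
    return sorted({src for src, recs in summarize_denies(lines, banned).items()
                   if any(t == "dnat" for _, _, _, t in recs)})

if __name__ == "__main__":
    banned = {"203.0.113.10"}
    for src, recs in summarize_denies(SAMPLE_LOGS, banned).items():
        for port, ptype, pid, tran in recs:
            print(f"{src} -> port {port}: {ptype} {pid} (trandisp={tran})")
    print("VIP-forwarded denies from:", dnat_denies(SAMPLE_LOGS, banned))
```

Feed it the raw lines exported from the FortiGate traffic log; any banned address listed by dnat_denies is reaching a forward policy through a VIP rather than being dropped at local-in.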