Support Forum
sandeep_fgt
New Contributor III

Local traffic - ICMP workaround

Hi Guys,

There was a weird situation where I applied a workaround to fix it for now. Just wanted to know if there is any other good solution I can deploy in my environment.

Issue: Users were unable to ping the default gateway (set up on the Fortigate) even though the interface had PING enabled. After analyzing the logs, I found that the FG was dropping the packets, considering them to be a high threat. The issue seems to be the admin profile I had set up on the device. There were only 2 subnets which were defined as protected subnets. I guess the issue was the Fortigate considering only the management traffic from the defined protected subnets as trusted and all the rest as untrusted, so it was dropping packets for the untrusted networks even when they were connected directly to the Fortigate.

Workaround: I created a test profile with no access and applied it to a test user profile. After this, the FG interface started responding.

So, I just wanted to know if there is any CLI command where I can define PING to be allowed from any network on a PING-enabled interface?

Thanks!

Sandeep Jha

ede_pfau
Esteemed Contributor III

Just tried it out. As in FortiOS v5.2.3, local-in policies cannot have an IPS sensor, actually no UTM at all.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

Okie Dokie

I was just checking since I have never seen IPS sensors being applied to a local-in|out policy. I figured FTNT didn't deploy this as a new feature either, so I wanted to be 100% sure or corrected.

If the OP is worried about brute-force attacks against the Fortigate unit directly, his only options are the TH (trusted hosts) or local-in policies. Typically, IMHO, the "TH" meets 90-100% of the security concerns, and by adjusting the failed login attempts you can steer away 99% of the bad logins.

The following, with a 3600 sec lockout, is very good for securing the ship:

FGTEQXNYC4010839467 (global) # show | grep admin
    set admin-console-timeout 300
    set admin-lockout-duration 3600
    set admin-lockout-threshold 5
    set admin-port 1443
    set admin-scp enable
    set admin-ssh-port 7822
    set admintimeout 15

ymmv

PCNSE
NSE
StrongSwan
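As an added example (not from this thread and not Fortinet's code), a small Python checker that parses the "show | grep admin" output quoted in the reply above and flags values that fall short of the lockout baseline it recommends. The sample input is a constructed copy of those lines; the baseline limits, the idle-timeout check and the default-port checks are this example's own assumptions.

```python
import re

# Constructed sample: the 'show | grep admin' lines quoted above, one per line.
SAMPLE_OUTPUT = """\
set admin-console-timeout 300
set admin-lockout-duration 3600
set admin-lockout-threshold 5
set admin-port 1443
set admin-scp enable
set admin-ssh-port 7822
set admintimeout 15
"""

SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")

# Assumed baseline for this example: 5 failed logins and a 3600 s lockout as in the post.
BASELINE = {
    "admin-lockout-threshold": ("max", 5),
    "admin-lockout-duration": ("min", 3600),
    "admintimeout": ("max", 15),
}

def parse_admin_settings(text):
    """Map each 'set <key> <value>' line to {key: value}."""
    settings = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def check_hardening(settings):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    for key, (kind, limit) in BASELINE.items():
        if key not in settings:
            findings.append(f"{key}: not set, FortiOS default applies")
            continue
        value = int(settings[key])
        if kind == "max" and value > limit:
            findings.append(f"{key}: {value} exceeds {limit}")
        elif kind == "min" and value < limit:
            findings.append(f"{key}: {value} is below {limit}")
    # Default management ports are what a scanner tries first; flag 80 (HTTP) or 22 (SSH).
    if settings.get("admin-port", "80") == "80":
        findings.append("admin-port: default HTTP port 80")
    if settings.get("admin-ssh-port", "22") == "22":
        findings.append("admin-ssh-port: default SSH port 22")
    return findings
```

Run it against the output of `show | grep admin` from each unit; no findings means the box matches the baseline in the post.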
ede_pfau
Esteemed Contributor III

Instead of enumerating the single IP addresses or subnets which you want to block, you may as well use countries (at least in v5.2). This is a bit coarse, but the lists are maintained by Fortinet.

I really don't ever connect to any Fortigate from North Korea or Brazil. YMMV.


Ede

"Kernel panic: Aiee, killing interrupt handler!"