Hello
We, as others, are trying to block certain repeat offender (countries) from attempting to and/or accessing our firewall.
We have a blocked-countries-group working with a deny all policy at the top of the list. I receive admin alerts and I get several login attempts with src IP belonging to countries from that group. Should that be happening? I thought having that policy in place would essentially result in any and all packets coming from the blocked countries to just be dropped
Any clarification or guidance is appreciated
Thx
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
What you want to use is a Local-In policy for traffic directed at the Fortigate's front door.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hello Dave
Thank you for replying. I don't know that much about router configs etc. If you don't mind can you explain the following:
1- What exactly is the existing policy doing for us? (our fortigate was config'd and put in place by a vendor - we don't know enough to make changes and feel confident they are done correctly)
2-The local-in policy you mention, is that something that can be done via the gui?
3-what is the difference between what you suggest and what is in place?
Thx
The fgt has a number of "open" ports that it listens in on, including ports for administrative access. Local-in policies (for the most part) are meant to control (block or allow) this access.
Here is a script example:
config firewall address edit "China-Country" set type geography set associated-interface "wan1" set country "CN" next end
config firewall addrgrp edit "blocked-countries-group" set member "China-Country" next end
config firewall local-in-policy edit 1 set intf "wan1" set srcaddr "blocked-countries-group" set dstaddr "all" set service "ALL" set schedule "always" next end
(code snippy is from 5.2.)
But if you merely want to restrict admin log in access to local or trusted hosts (as tioeudes noted above) you may be better off doing that. The section on restricting administrative access can be found here.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hello
Thx again.
My confusion is that if we have a blocked geography group with some countries in it and we have destination all/service all/action deny (in the IPV4 policy as viewed in gui) then I would expect that if a login attempt from china comes in , the fgt will just check the address, identify it as china and just drop it. If that were so, I should not be seeing alerts that say user "admin" from src china login failed invalid password
that leads me to believe that the vendor did not config correctly. I mean what if they brute force and end up getting in?
Thx
IPV4 policies only covers traffic that crosses an interface - not traffic that "hits" or is directed at the interface itself. I would still have those IPV4 policies in place if you do not want inside endpoints (e.g on the LAN interface) from sending/receiving traffic to/from external addresses outside the fgt to/from a foreign country, especially at odd hours.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I think I am starting to see the light!
To me that distinction (crossing the interf vs hitting the interf) is not clear cut.
So let me ask, if I use the CLI how can I show the config for policies?
How do I list my local-in's for example
how do I list the ones that are not local-in?
Thank you I really appreciate your help
Please review the info on the following link for Local-In policies: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/342743/local-in-policies
Use show firewall policy to list the existing firewall policies. Use show firewall local-in-policy to show existing local-in polices.
Think of local-in policies is controlling administrative/management access to an interface - often this is usually the WAN or WAN1 interface, but could be any interface. The key theme to keep in mind is there are open ports by default on the fgt and local-in policies can be used to control that. That link above (local in policies) gives some examples of this with regards to restricting admin access (during certain times of the day).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
The IPV4 policies are there for traffic passing through the fgt.
The local-in policies are for traffic starting on / directed to your fortigate.
To protect your device from unauthorized admin login you can:
Disable HTTP/HTTPS/SSH/TELNET on you wan interfaces;
Set trusted hosts for your legit admin accounts (that you allow your admin to log only from trusted networks);
Define a password cration policy, forcing the admins to use only strong passwords;
Not an option for everyone, but you can set up two factor authentication for admin logins.
Regards,
tioeudes
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1647 | |
1070 | |
751 | |
443 | |
214 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.