Hi All,
I have a question, if i create below local in policy, will it restrict our user to connect VPN from remote network or any internet impact ? this policy is only prevent internet traffic from being able to get to your management services, correct ? Thanks
> config firewall local-in-policy
> edit 100
> set intf “wan1”
> set srcaddr “all”
> set dstaddr “all”
> set service “ALL”
> set schedule “always”
> set action deny
> next
> end
Piaakit
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
- Configuring this will not be useful as it will block the communication to the firewall interface such as remote user connecting via SSL VPN if you are using the WAN interface IP as the gateway for the same.
Regards,
Shiva
With that policy, nothing can be terminated at "wan1" port including VPNs, admin GUI(HTTPS/HTTP) and SSH login, FortiManager's access, etc.
But If you don't have NAT and just route through the interface toward other internal interface, the outside-to-inside traffic is not affected. Or even if you NAT it to hide inside, as long as you have VIPs and proper policies to pass the traffic to internal interfaces, that wouldn't be affected by the local-in policy.
Again the local-in policy controls traffic terminated by the FGT at the specified interface, only. No impact to passing-through traffic.
Also it's "local-in" not "local-out". So no impact to traffic initiated by the FGT to somewhere else, like FortiGuard service access, syslog/FortiAnalyzer outgoing traffic, etc.
Toshi
as i have NAT for the 2 x wan interfaces, if i perform above command, it will only apply to internet traffic by accessing to the FG ?
Hi @piaakit1210,
That local-in-policy will block all incoming traffic to the IP address of wan1.
Regards,
When we say "internet traffic", it generally means inside-to-outside (in-to-out) user traffic to access like web sites. It's not affected as I explained above. Only traffic targeting at the interface on the FGT would be blocked, including hack attacks, port scanning, admin access, etc.
Modern FWs, including the FGT, observe traffic based on sessions, which identify which side initiated the session. Like a web access is initiated by internal user sending out TCP SYN to a web site through the FW. The return traffic, TCP SYN-ACK for the web access, from the web site is a part of the session, and the entire exchanges through the session are treated out in-to-out traffic from the FW's (FGT's) perspective. You probably know this already.
Toshi
i have enable below but when i try disable with unset command seem not success, any correct guide can show how to disable ?
> config firewall local-in-policy
> edit 100
> set intf “wan1”
> set srcaddr “all”
> set dstaddr “all”
> set service “ALL”
> set schedule “always”
> set action deny
> next
> end
Hi,
You can delete the policy.
-config firewall local-in-policy
- delete 100
Regards,
Shiva
Hi @piaakit1210,
To disable it:
config firewall local-in-policy
edit 100
set status disable
end
Regards,
Hi @piaakit1210
You can check out the KB below on Local-in-policy vs Virtual IP policy. It may related if you want to deny certain source or allow certain source to access to your internal environment.
regards.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1707 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.