Support Forum
piaakit1210
New Contributor III

Policy-in-policy question

Hi All,

I have a question: if I create the local-in policy below, will it restrict our users from connecting to the VPN from a remote network, or have any internet impact? This policy only prevents internet traffic from being able to get to your management services, correct? Thanks

> config firewall local-in-policy
>     edit 100
>         set intf "wan1"
>         set srcaddr "all"
>         set dstaddr "all"
>         set service "ALL"
>         set schedule "always"
>         set action deny
>     next
> end

Piaakit

smaruvala
Staff

Hi,

- Configuring this will not be useful, as it will block communication to the firewall interface, such as remote users connecting via SSL VPN if you are using the WAN interface IP as the gateway for the same.

Regards,

Shiva

Toshi_Esumi
SuperUser

With that policy, nothing can be terminated at the "wan1" port, including VPNs, admin GUI (HTTPS/HTTP) and SSH login, FortiManager's access, etc.
But if you don't have NAT and just route through the interface toward another internal interface, the outside-to-inside traffic is not affected. Or even if you NAT it to hide the inside, as long as you have VIPs and proper policies to pass the traffic to internal interfaces, that wouldn't be affected by the local-in policy.

Again, the local-in policy controls traffic terminated by the FGT at the specified interface, only. No impact to passing-through traffic.

Also, it's "local-in", not "local-out". So no impact to traffic initiated by the FGT to somewhere else, like FortiGuard service access, syslog/FortiAnalyzer outgoing traffic, etc.

Toshi

piaakit1210
New Contributor III

As I have NAT for the 2 x WAN interfaces, if I perform the above command, will it only apply to internet traffic accessing the FG?

hbac

Hi @piaakit1210

That local-in-policy will block all incoming traffic to the IP address of wan1.

Regards,

Toshi_Esumi

When we say "internet traffic", it generally means inside-to-outside (in-to-out) user traffic, like accessing web sites. It's not affected, as I explained above. Only traffic targeting the interface on the FGT would be blocked, including hack attacks, port scanning, admin access, etc.

Modern FWs, including the FGT, observe traffic based on sessions, which identify which side initiated the session. For example, a web access is initiated by an internal user sending a TCP SYN out to a web site through the FW. The return traffic, the TCP SYN-ACK for the web access, from the web site is part of the session, and the entire exchange through the session is treated as in-to-out traffic from the FW's (FGT's) perspective. You probably know this already.

Toshi

piaakit1210
New Contributor III

I have enabled the below, but when I try to disable it with the unset command it doesn't seem to succeed. Is there a correct guide that shows how to disable it?

> config firewall local-in-policy
>     edit 100
>         set intf "wan1"
>         set srcaddr "all"
>         set dstaddr "all"
>         set service "ALL"
>         set schedule "always"
>         set action deny
>     next
> end

smaruvala

Hi,

You can delete the policy.

config firewall local-in-policy
    delete 100
end

Regards,

Shiva

hbac

Hi @piaakit1210,

To disable it:

config firewall local-in-policy
    edit 100
        set status disable
    next
end

Regards,

aabdhadi
Staff

Hi @piaakit1210

You can check out the KB below on Local-in-policy vs Virtual IP policy. It may be related if you want to deny certain sources or allow certain sources to access your internal environment.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-In-Policy-VS-Virtual-IP-Policy/ta-p/...

Regards,

Aufa Abd Hadi
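Following Toshi_Esumi's point that a local-in policy only affects traffic terminated on the FortiGate itself, and aabdhadi's note about allowing or denying particular sources, here is an added example (not posted by anyone in this thread) of the selective form of the same policy: an accept for management access from one trusted subnet, placed above the catch-all deny from the original question. The address object name mgmt-trusted and its subnet 203.0.113.0/24 are assumptions; HTTPS and SSH are FortiOS predefined services, and if SSL VPN terminates on wan1 its listening port (the one set under config vpn ssl settings) must be permitted in the same way.

```text
config firewall address
    edit "mgmt-trusted"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-trusted"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
        set comments "Management access to wan1 from the trusted subnet only (assumed subnet)"
    next
    edit 100
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        set comments "Catch-all: drop everything else terminating on wan1"
    next
end
```

Local-in policies are matched top-down, so if policy 100 already exists, run `move 1 before 100` inside `config firewall local-in-policy`; confirm access from a second session before closing the one you are working in, since a misordered deny locks out the trusted subnet as well.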