Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
piaakit1210
New Contributor III

Policy-in-policy question

Hi All, 

 

           I have a question, if i create below local in policy, will it restrict our user to connect VPN from remote network or any internet impact ? this policy is only prevent internet traffic from being able to get to your management services, correct ? Thanks 

 

> config firewall local-in-policy
> edit 100
> set intf “wan1”
> set srcaddr “all”
> set dstaddr “all”
> set service “ALL”
> set schedule “always”
> set action deny
> next
> end

 

Piaakit  

10 REPLIES 10
smaruvala
Staff
Staff

Hi,

 

- Configuring this will not be useful as it will block the communication to the firewall interface such as remote user connecting via SSL VPN if you are using the WAN interface IP as the gateway for the same.

 

Regards,

Shiva

Toshi_Esumi
Esteemed Contributor III

With that policy, nothing can be terminated at "wan1" port including VPNs, admin GUI(HTTPS/HTTP) and SSH login, FortiManager's access, etc.
But If you don't have NAT and just route through the interface toward other internal interface, the outside-to-inside traffic is not affected. Or even if you NAT it to hide inside, as long as you have VIPs and proper policies to pass the traffic to internal interfaces, that wouldn't be affected by the local-in policy.

Again the local-in policy controls traffic terminated by the FGT at the specified interface, only.  No impact to passing-through traffic.

Also it's "local-in" not "local-out". So no impact to traffic initiated by the FGT to somewhere else, like FortiGuard service access, syslog/FortiAnalyzer outgoing traffic, etc.

 

Toshi

piaakit1210
New Contributor III

as i have NAT for the 2 x wan interfaces, if i perform above command, it will only apply to internet traffic by accessing to the FG ? 

hbac

Hi @piaakit1210

 

That local-in-policy will block all incoming traffic to the IP address of wan1. 

 

Regards, 

Toshi_Esumi
Esteemed Contributor III

When we say "internet traffic", it generally means inside-to-outside (in-to-out) user traffic to access like web sites. It's not affected as I explained above. Only traffic targeting at the interface on the FGT would be blocked, including hack attacks, port scanning, admin access, etc.


Modern FWs, including the FGT, observe traffic based on sessions, which identify which side initiated the session. Like a web access is initiated by internal user sending out TCP SYN to a web site through the FW. The return traffic, TCP SYN-ACK for the web access, from the web site is a part of the session, and the entire exchanges through the session are treated out in-to-out traffic from the FW's (FGT's) perspective. You probably know this already. 

 

Toshi

piaakit1210
New Contributor III

i have enable below but when i try disable with unset command seem not success, any correct guide can show how to disable ?

 

> config firewall local-in-policy
> edit 100
> set intf “wan1”
> set srcaddr “all”
> set dstaddr “all”
> set service “ALL”
> set schedule “always”
> set action deny
> next
> end

smaruvala

Hi,

 

You can delete the policy.

 

-config firewall local-in-policy 

- delete 100

 

Regards,

Shiva

hbac

Hi @piaakit1210,

 

To disable it:

 

config firewall local-in-policy 

edit 100 

set status disable 

end 

 

Regards, 

aabdhadi
Staff
Staff

Hi @piaakit1210 

You can check out the KB below on Local-in-policy vs Virtual IP policy. It may related if you want to deny certain source or allow certain source to access to your internal environment.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-In-Policy-VS-Virtual-IP-Policy/ta-p/...

 

regards.

Aufa Abd Hadi
Labels
Top Kudoed Authors