create_share
New Contributor II

Restrict Access to the Firewall WAN Interface from Internet

Hi,

Is it possible to allow only some IP Addresses and FQDNs to access the firewall WAN interface from the Internet and deny all others?

Thanks.

adambomb1219
SuperUser

Yes, Local In Policy

create_share

Sorry, I am a little new to FortiGate. Is there an article for this?

mgoswami
Staff

Hi,

You may create a local-in policy on the FortiGate to control inbound traffic that is going to a FortiGate interface.

You may refer to the link below to configure local-in-policy:

https://docs.fortinet.com/document/fortogate/7.4.0/administration-guide/363127/local-in-policy#:~:te....

BR,

Manosh

create_share

What mistake am I making here? It is not working as expected to allow only my PC and block all others.

config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mypc.dydndns.org"
        set srcaddr-negate disable
        set dstaddr "all"
        set dstaddr-negate disable
        set action accept
        set service "PING" "HTTPS"
        set service-negate disable
        set schedule "always"
        set status enable
        set comments ''
    next
end

This one worked.

config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mypc.dydndns.org"
        set srcaddr-negate enable
        set dstaddr "all"
        set dstaddr-negate disable
        set action deny
        set service "PING" "HTTPS"
        set service-negate disable
        set schedule "always"
        set status enable
        set comments ''
    next
end

mgoswami

Hi,

You may do it this way:

config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mypc.dydndns.org"
        set dstaddr "Port2_IP address"  <--- Set it to the WAN IP address which is of Port2
        set action accept
        set service "ALL_ICMP"    <--- select the services which you want to allow
        set schedule "always"
        set auto-asic-offload disable
    next
    edit 10
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL_ICMP"
        set schedule "always"
        set auto-asic-offload disable
        set status enable
    next
end

BR,

Manosh
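Putting the pieces of this thread together, here is a complete configuration as an added example; it is not code from the thread or from Fortinet's documentation. It assumes port2 is the WAN interface, that the address objects "mypc_fqdn" and "wan_self_ip" are created for this purpose, and that 203.0.113.10 is a placeholder for the firewall's real WAN address. The srcaddr and dstaddr of a local-in policy reference address objects, so the dynamic-DNS name is wrapped in an object of type fqdn. The second entry is the explicit deny the accepted answer relies on: as the first attempt in this thread shows, an accept entry on its own does not block anyone.

```fortios
# Added example, not from the thread. Placeholder: 203.0.113.10 is port2's own WAN IP.
# 1. Address objects. A local-in policy's srcaddr/dstaddr reference address objects,
#    so the dynamic-DNS hostname becomes an object of type fqdn.
config firewall address
    edit "mypc_fqdn"
        set type fqdn
        set fqdn "mypc.dydndns.org"
    next
    edit "wan_self_ip"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 2. Local-in policies on the WAN interface, evaluated top-down:
#    entry 1 accepts the management services from the FQDN only,
#    entry 10 is the explicit deny for every other source on every service.
config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mypc_fqdn"
        set dstaddr "wan_self_ip"
        set action accept
        set service "PING" "HTTPS"
        set schedule "always"
    next
    edit 10
        set intf "port2"
        set srcaddr "all"
        set dstaddr "wan_self_ip"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end

# 3. Verify that the FQDN object has actually resolved: until it does,
#    entry 1 never matches and entry 10 blocks everyone, including you.
diagnose firewall fqdn list
```

Apply this from a session that itself matches entry 1, or from the console or LAN side, so a typo cannot lock you out. Because entry 10 denies service "ALL", it also stops anything else the FortiGate terminates on port2, such as IPsec IKE or SSL VPN; those need their own accept entries placed before entry 10. The FQDN object depends on the FortiGate's DNS and on the dynamic-DNS record being current, which is why the trusted-host approach in the next answer (IP-based, no DNS dependency) is a good complement rather than a replacement.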

Nicolai_Mohr
New Contributor

Hi create_share,

What I can see is that in your first policy you only allowed PING and HTTPS, whereas you denied PING and HTTPS in the second policy. If you want to enable all services, you should allow the service "ALL".

Kind regards,

Nicolai

parteeksharma

Hi create_share,

You can also restrict the firewall access using the "trusted host" options on FortiGate. Kindly check the link below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-System-administrator-best-practices/ta-p/1...

Regards,

Parteek
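As an added example (not from the thread or from the linked article), the trusted-host approach can be layered with per-interface administrative access. Assumed values: the administrator account is named "admin", and 203.0.113.10 and 198.51.100.0/24 are placeholder source addresses. Trusted hosts take an IP address or subnet, not an FQDN, so a dynamic-DNS name still needs the local-in policy from the earlier answers; the two mechanisms complement each other.

```fortios
# Added example, not from the thread. Placeholder sources: 203.0.113.10, 198.51.100.0/24.
# 1. Limit which management services listen on the WAN interface at all.
#    Anything not listed here (SSH, HTTP, SNMP, ...) is not reachable on port2.
config system interface
    edit "port2"
        set allowaccess ping https
    next
end

# 2. Restrict the administrator account to trusted source addresses.
#    Once any trusthost is set, the account can only log in from those addresses,
#    so every admin account (not just "admin") needs its own list.
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 198.51.100.0 255.255.255.0
    next
end
```

Trusted hosts apply to administrator logins (GUI and SSH), not to ping or VPN traffic, so they narrow who can authenticate rather than who can reach the interface. Make sure the address you are currently connected from is in the list before committing, and review every administrator account, since an account left with the default trusted host of any address is still reachable from the whole Internet on the allowed services.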
 

create_share

Ok. Thanks to All.
