Hi,
Is it possible to allow only some IP Addresses and FQDNs to access the firewall WAN interface from the Internet and deny all others?
Thanks.
Yes, Local In Policy
Sorry, I am a little new to FortiGate. Is there an article for this?
Hello,
The link below would be helpful for you.
Hi,
You may create a Local in policy on the FortiGate to control inbound traffic that is going to a FortiGate interface.
You may refer to the below link to configure local-in-policy:
BR,
Manosh
Created on 06-27-2023 08:19 AM Edited on 06-27-2023 09:05 AM
What mistake am I making here, as it is not working as expected to allow only my PC and block all others?
config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mypc.dydndns.org"
        set srcaddr-negate disable
        set dstaddr "all"
        set dstaddr-negate disable
        set action accept
        set service "PING" "HTTPS"
        set service-negate disable
        set schedule "always"
        set status enable
        set comments ''
    next
end
This one worked.
config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mypc.dydndns.org"
        set srcaddr-negate enable
        set dstaddr "all"
        set dstaddr-negate disable
        set action deny
        set service "PING" "HTTPS"
        set service-negate disable
        set schedule "always"
        set status enable
        set comments ''
    next
end
Hi,
You may do it this way:
config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mypc.dydndns.org"
        set dstaddr "Port2_IP address" <--- Set it to the WAN IP address which is of Port2
        set action accept
        set service "ALL_ICMP" <--- select the services which you want to allow
        set schedule "always"
        set auto-asic-offload disable
    next
    edit 10
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL_ICMP"
        set schedule "always"
        set auto-asic-offload disable
        set status enable
    next
end
BR,
Manosh
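An added example, not code from any poster in this thread: a small Python model that compares the accept-only policy, the negated-deny policy and the accept-then-deny pair discussed above. It assumes local-in policies are checked in configured order with the first match deciding, that unmatched traffic is left to the interface's allowaccess setting, and that address objects are compared by name; "other-host" is a constructed source name.

```python
import shlex

def parse_local_in(text):
    """Return the policies of a local-in-policy block, in configured order."""
    policies, cur = [], None
    for words in map(shlex.split, text.splitlines()):
        if words[:1] == ["edit"]:
            cur = {"id": words[1]}
        elif words[:1] == ["set"] and cur is not None:
            multi = words[1] in ("srcaddr", "service")
            cur[words[1]] = words[2:] if multi else words[2]
        elif words[:1] == ["next"] and cur is not None:
            policies.append(cur)
            cur = None
    return policies

def _hit(p, key, wildcard, item):
    # A field matches on the wildcard object or the exact name; "-negate" inverts it.
    matched = wildcard in p[key] or item in p[key]
    return matched != (p.get(key + "-negate", "disable") == "enable")

def verdict(policies, src, service):
    """First enabled policy matching source and service decides."""
    for p in policies:
        if p.get("status", "enable") != "enable":  # unset status treated as enabled
            continue
        if _hit(p, "srcaddr", "all", src) and _hit(p, "service", "ALL", service):
            return p["action"]
    return "no-match"  # assumption: interface allowaccess then applies

# Constructed configs modelled on the ones posted in the thread.
ACCEPT_ONLY = '''config firewall local-in-policy
edit 1
set intf "port2"
set srcaddr "mypc.dydndns.org"
set srcaddr-negate disable
set action accept
set service "PING" "HTTPS"
set status enable
next
end'''
NEGATED_DENY = ACCEPT_ONLY.replace("negate disable", "negate enable").replace("accept", "deny")
DENY_REST = 'edit 10\nset srcaddr "all"\nset action deny\nset service "PING" "HTTPS"\nnext\nend'
ACCEPT_THEN_DENY = ACCEPT_ONLY[:-len("end")] + DENY_REST

def compare(src, service="HTTPS"):
    """Verdicts for ACCEPT_ONLY, NEGATED_DENY and ACCEPT_THEN_DENY, in that order."""
    configs = (ACCEPT_ONLY, NEGATED_DENY, ACCEPT_THEN_DENY)
    return [verdict(parse_local_in(c), src, service) for c in configs]

if __name__ == "__main__":
    print("mypc.dydndns.org:", compare("mypc.dydndns.org"))
    print("other-host:", compare("other-host"))
```

In this model the accept-only policy never produces a deny for other sources, and a service that is not listed in a policy (for example SSH here) is not covered by any of the three variants.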
Hi create_share,
What I can see is that in your first policy you only allowed PING and HTTPS, whereas you denied PING and HTTPS in the second policy. If you want to enable all services, you should allow the service "ALL".
Kind regards,
Nicolai
Hi create_share,
You can also restrict the firewall access using the "trusted host" options on FortiGate. Kindly check the link below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-System-administrator-best-practices/ta-p/1...
Regards,
Parteek
Ok. Thanks to All.