Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
create_share
New Contributor

Created on ‎06-26-2023 04:23 PM

Restrict Access to the Firewall WAN Interface from Internet

Hi,

 

Is it possible to allow only some IP Addresses and FQDNs to access the firewall WAN interface from the Internet and deny all others?

 

Thanks.

Labels:
5452
0 Kudos
4 Solutions
mgoswami
Staff
Staff

Created on ‎06-27-2023 01:32 AM

Hi,

 

You may create a Local in policy on the FortiGate to control inbound traffic that is going to a FortiGate interface.

You may refer to the below link to configure local-in-policy:


https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/363127/local-in-policy#:~:te....

BR,

Manosh

View solution in original post

5399
0 Kudos
mgoswami
Staff
Staff
In response to create_share

Created on ‎06-30-2023 02:30 AM

Hi,

 

You may do it this way:

config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mypc.dydndns.org"   
        set dstaddr "Port2_IP address"  <--- Set it to the WAN IP address which is of Port2
        set action accept
        set service "ALL_ICMP"    <--- select the services which you want to allow
        set schedule "always"
        set auto-asic-offload disable
    next
     edit 10
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL_ICMP"
        set schedule "always"
        set auto-asic-offload disable
        set status enable
    next
end

 

 

BR,

Manosh

View solution in original post

5337
0 Kudos
parteeksharma
Staff
Staff

Created on ‎07-04-2023 06:08 AM

Hi create_share,

You can also restrict the firewall access using "trusted host" options on fortigate. Kindly check below link:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-System-administrator-best-practices/ta-p/1...

Regards,

Parteek
 

View solution in original post

5292
0 Kudos
9 REPLIES 9
adambomb1219
SuperUser
SuperUser

Created on ‎06-26-2023 05:05 PM

Yes, Local In Policy

5442
0 Kudos
create_share
New Contributor
In response to adambomb1219

Created on ‎06-26-2023 05:17 PM

Sorry, I am a little new to Fortigate. Is there an article for this?

5438
0 Kudos
Dongkwan
Staff
Staff
In response to create_share

Created on ‎06-26-2023 09:27 PM

Hello,

 

The link below would be helpful for you.

 

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-Deny-a-Port-with-a-Local-In-Policy...

Kwan
5413
0 Kudos
mgoswami
Staff
Staff

Created on ‎06-27-2023 01:32 AM

Hi,

 

You may create a Local in policy on the FortiGate to control inbound traffic that is going to a FortiGate interface.

You may refer to the below link to configure local-in-policy:


https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/363127/local-in-policy#:~:te....

BR,

Manosh

5400
0 Kudos
create_share
New Contributor
In response to mgoswami

Created on ‎06-27-2023 08:19 AM Edited on ‎06-27-2023 09:05 AM

what mistake am I making here as it is not working as expected to allow only my pc and block all others?

 

config firewall local-in-policy
edit 1
set intf "port2"
set srcaddr "mypc.dydndns.org"
set srcaddr-negate disable
set dstaddr "all"
set dstaddr-negate disable
set action accept
set service "PING" "HTTPS"
set service-negate disable
set schedule "always"
set status enable
set comments ''
next

 

 

 

This one worked.

 

config firewall local-in-policy
edit 1
set intf "port2"
set srcaddr "mypc.dydndns.org"
set srcaddr-negate enable
set dstaddr "all"
set dstaddr-negate disable
set action deny
set service "PING" "HTTPS"
set service-negate disable
set schedule "always"
set status enable
set comments ''
next

 

 

5384
0 Kudos
mgoswami
Staff
Staff
In response to create_share

Created on ‎06-30-2023 02:30 AM

Hi,

 

You may do it this way:

config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mypc.dydndns.org"   
        set dstaddr "Port2_IP address"  <--- Set it to the WAN IP address which is of Port2
        set action accept
        set service "ALL_ICMP"    <--- select the services which you want to allow
        set schedule "always"
        set auto-asic-offload disable
    next
     edit 10
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL_ICMP"
        set schedule "always"
        set auto-asic-offload disable
        set status enable
    next
end

 

 

BR,

Manosh

5338
0 Kudos
Nicolai_Mohr
New Contributor

Created on ‎06-28-2023 07:08 AM

Hi create_share,

 

what I can see is that in your first policy you only allowed ping and https, as where you denied Ping and HTTPS in the second policy. If you want to enable all services, you should allow the service "ALL"

 

Kind regards,

Nicolai

5365
0 Kudos
parteeksharma
Staff
Staff

Created on ‎07-04-2023 06:08 AM

Hi create_share,

You can also restrict the firewall access using "trusted host" options on fortigate. Kindly check below link:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-System-administrator-best-practices/ta-p/1...

Regards,

Parteek
 

5293
0 Kudos
create_share
New Contributor
In response to parteeksharma

Created on ‎07-04-2023 07:56 PM

Ok. Thanks to All.

5277
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.