Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
moumoumatt
New Contributor

Stealth rule

I come from a Check Point background, and the first rule is always the Stealth rule allowing specific IPs/subnets to the firewalls on http/https/ssh etc., then dropping all other traffic. I'm not seeing the firewalls as objects in the objects list to configure this.

I know I'm probably doing something stupid - any help at all?

Thanks.

ede_pfau
SuperUser

Hi,

and welcome to the forums, and to the Fortinet realm!

In FortiSpeak this is called "local-in" policies. These are not normally visible in the policy table, but you can enable them (depending on the firmware version). FortiOS v5 at least, that is.

Have a look in the "CLI Reference" for your version and search for "local-in" to get to the (CLI) commands.

I think (don't nail me on this, it's a rare feature) local-in policies are only configured in the CLI ("config firewall local-in-policy").

As for "local-out", there are only options to enable logging of local-out traffic. CLI only, of course.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
moumoumatt

This is great, thanks.

Is there a way of configuring this from FortiManager? We manage the firewalls from FortiManager and I don't want to configure locally on the firewall, because it causes a conflict when I update the configuration via FortiManager.

Thanks again.

Dave_Hall
Honored Contributor

moumoumatt wrote:

Is there a way of configuring this from FortiManager? We manage the firewalls from FortiManager and I don't want to configure locally on the firewall, because it causes a conflict when I update the configuration via FortiManager.

 

You could try creating a script for that local-in-policy, setting it to be applied directly to the FortiGate, to the policy package, or to the DB.

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

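To tie Ede's pointer ("config firewall local-in-policy") and Dave's script suggestion together, here is what a Check Point-style stealth rule looks like as a FortiOS CLI script. This is an added example, not code posted by anyone in the thread and not Fortinet's own documentation. The interface name "wan1", the subnets 10.10.10.0/24 and 10.10.20.5/32, and the object names MGMT_NET, FMG_HOST and FGFM_TCP541 are placeholders I made up; the predefined services HTTPS, SSH, PING and ALL ship with FortiOS. Lines starting with # are comments for the reader.

```fortios
# Added example (not from any poster in this thread): a Check Point-style
# "stealth rule" expressed as FortiOS local-in policies. Interface name,
# addresses and object names below are assumptions; replace them with yours.

# Address objects for the sources that may manage the unit.
config firewall address
    edit "MGMT_NET"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "FMG_HOST"
        set subnet 10.10.20.5 255.255.255.255
    next
end

# FortiManager reaches the FortiGate over FGFM (TCP 541). A custom service
# object lets the script allow it explicitly above the deny rule, so a
# "deny everything else" does not cut the device off from FortiManager.
config firewall service custom
    edit "FGFM_TCP541"
        set tcp-portrange 541
    next
end

# Local-in policies only apply to traffic addressed to the FortiGate itself
# and are matched top-down. When nothing matches, the default is ACCEPT,
# so the final explicit deny is what actually makes this a stealth rule.
config firewall local-in-policy
    edit 1
        # Management from the admin subnet only.
        set intf "wan1"
        set srcaddr "MGMT_NET"
        set dstaddr "all"
        set service "HTTPS" "SSH" "PING"
        set schedule "always"
        set action accept
    next
    edit 2
        # Keep the FortiManager tunnel alive.
        set intf "wan1"
        set srcaddr "FMG_HOST"
        set dstaddr "all"
        set service "FGFM_TCP541"
        set schedule "always"
        set action accept
    next
    edit 3
        # Everything else addressed to the unit on wan1 is dropped.
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end
```

The same text can be pasted at the FortiGate CLI or saved as a FortiManager CLI script and run against the device (or its DB), which is how the FortiManager copy and the device stay in sync. A few practitioner caveats: the interface's `allowaccess` setting still decides which admin services the unit listens on at all, so local-in policies narrow that list rather than replace it; rule 3 also drops anything else the unit expects to receive on that interface (IKE for dial-up VPNs, routing protocol peers, DHCP), so add accepts for those above it; apply it first from a source that stays allowed, and keep console access in case of a lockout. `show firewall local-in-policy` displays the result, and on the versions I have used `config log setting` has `local-in-allow` and `local-in-deny-unicast` switches if you want the hits logged.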
Shawn_W
Contributor

emnoc
Esteemed Contributor III

That's a great link, but I believe you still can't configure local-in from the FortiManager web interface.

OP, I haven't been on a FortiManager in ages, but check the config and then see if you can change the policies via the interface, or, if you change it via the "local" access on the FGT, does it get overridden?

I believe it will not (just my hunch).

 

PCNSE NSE StrongSwan