Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BusinessUser
Contributor

What Is Wrong With My FW All Interfaces rule

I configured these 2 firewall rules:

 

Rule 1

From: wan1 , To: Any Interfaces

src: <malicious ip> , destination: all

Schedule: always , Protocol: All

Action: deny

 

Rule 2

From: Any Interfaces, To: wan1 

src: all, destination: <malicious ip> 

Schedule: always, Protocol: All

Action: deny

 

Now I cannot ping or go to the wan interface from internet. Can anyone tell me what is wrong?

I also enabled multiple interfaces under the advanced feature. 

 

 

 

1 Solution
Toshi_Esumi

2. yes

 

3. You didn't say the version of FGT, but my 7.0.11 40F shows below:
screen.png

4. local-in policy is only via CLI as @tthrilok showed. So if you don't know how, you haven't configured. Look at the admin guide below.
https://docs.fortinet.com/document/fortigate/7.0.11/administration-guide/363127/local-in-policies

If none of above is blocking your access, you have to run flow debugging, which is also in CLI, described in Step4 in below KB:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

Toshi

 

View solution in original post

7 REPLIES 7
funkylicious
SuperUser
SuperUser

Well, you did say in rule2 that any interface to wan1 should be denied, so no internet.

Are <malicious ip> part of your internal interface(s)? If not, then remove it and allow and nat the traffic in #2.

 

---------------------------
geek
---------------------------
---------------------------geek---------------------------
BusinessUser

I dont understand.

What I want is for people who are accessing the malicious traffic to be denied.

They cannot access the malicious traffic but should be able to access the internet.

So why does rule 2 only consider the interfaces?

<malicious ip> is an external ip address. 

I just want people in the internal network not to access that ip address. 

So how should I frame the rule then? 

 

Based on my rules, why am i unable to remote login into the firewall? My source or destination ip does not include the malicious ip in real life.

funkylicious

oh, my bad. I've misread that you posted cuz of the format.

are these 2 rules the only ones you have ?

---------------------------
geek
---------------------------
---------------------------geek---------------------------
Toshi_Esumi
SuperUser
SuperUser

None of two should affect to ability to get in the firewall from the internet side. Only possible causes you might lose it should be:

1. lost the default route through wan1

2. wan1 is not allowing ("allowaccess" )

3. 'trusthost' is configured for admin users

4. local-in policy is configured and blocking access

 

Those interface-interface policies are effective only traffic traversing the FW between interfaces. Remote access is not one of those. Due to this, rule1 wouldn't block anything. Instead, you should consider a local-in policy.

 

Toshi

 

BusinessUser

2.  wan1 is not allowing ("allowaccess" )

Are you referring to ping, ssh, telnet on the wan interface?

 

3. 'trusthost' is configured for admin users

By "trusthost" do you mean an ACL that allow people to remote access?

A screenshot would be great.

 

4. local-in policy is configured and blocking access

I am not sure where to configure a "local-in" policy.

Do you mind guiding me?

A screenshot is best.

Toshi_Esumi

2. yes

 

3. You didn't say the version of FGT, but my 7.0.11 40F shows below:
screen.png

4. local-in policy is only via CLI as @tthrilok showed. So if you don't know how, you haven't configured. Look at the admin guide below.
https://docs.fortinet.com/document/fortigate/7.0.11/administration-guide/363127/local-in-policies

If none of above is blocking your access, you have to run flow debugging, which is also in CLI, described in Step4 in below KB:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

Toshi

 

tthrilok
Staff
Staff

Hi BusinessUser,

 

If these are your firewall rules which you created under Policies&Objects > Firewall Policy. They should not impact your ping to firewall wan interface.

 

Please check if you are having any local in policies using below command:

> show firewall local-in-policy

 

+ Could you confirm if you are seeing the issue only since you created the above rules which you mentioned?

 

Thank you!

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors