I configured these two firewall rules:
Rule 1
From: wan1, To: Any Interfaces
src: <malicious ip>, destination: all
Schedule: always, Protocol: All
Action: deny
Rule 2
From: Any Interfaces, To: wan1
src: all, destination: <malicious ip>
Schedule: always, Protocol: All
Action: deny
Now I cannot ping or get to the wan interface from the internet. Can anyone tell me what is wrong?
I also enabled multiple interfaces under the advanced feature.
2. yes
3. You didn't say the version of FGT, but my 7.0.11 40F shows below:
4. local-in policy is only via CLI, as @tthrilok showed. So if you don't know how, you haven't configured it. Look at the admin guide below.
https://docs.fortinet.com/document/fortigate/7.0.11/administration-guide/363127/local-in-policies
If none of the above is blocking your access, you have to run flow debugging, which is also in the CLI, described in Step 4 of the KB below:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Toshi
Well, you did say in rule 2 that any interface to wan1 should be denied, so no internet.
Is <malicious ip> part of your internal interface(s)? If not, then remove it and allow and NAT the traffic in #2.
Created on 05-27-2023 06:24 AM Edited on 05-27-2023 07:52 AM
I don't understand.
What I want is for people who are accessing the malicious traffic to be denied.
They cannot access the malicious traffic but should be able to access the internet.
So why does rule 2 only consider the interfaces?
<malicious ip> is an external IP address.
I just want people in the internal network not to access that IP address.
So how should I frame the rule then?
Based on my rules, why am I unable to remote login into the firewall? My source or destination IP does not include the malicious IP in real life.
Oh, my bad. I misread what you posted because of the format.
Are these 2 rules the only ones you have?
Neither of the two should affect the ability to get into the firewall from the internet side. The only possible causes you might lose it should be:
1. lost the default route through wan1
2. wan1 is not allowing it ("allowaccess")
3. 'trusthost' is configured for admin users
4. local-in policy is configured and blocking access
Those interface-to-interface policies are effective only for traffic traversing the FW between interfaces. Remote access is not one of those. Due to this, rule 1 wouldn't block anything. Instead, you should consider a local-in policy.
Toshi
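As an added example (not posted by anyone in this thread), here is the rule the original poster actually wants, expressed in FortiOS CLI, followed by the checks Toshi listed for traffic that terminates on the firewall itself. The LAN interface name "internal" and the address 203.0.113.10 are assumed placeholders; substitute your own.

```fortios
# Address object for the external host to block (203.0.113.10 is a placeholder)
config firewall address
    edit "malicious-host"
        set subnet 203.0.113.10 255.255.255.255
    next
end
# Transit policies: both are internal -> wan1. The deny must sit ABOVE the
# general internet-out allow, because the first matching policy wins.
# Neither policy affects ping/SSH/HTTPS to wan1 from the internet.
config firewall policy
    edit 10
        set name "deny-malicious-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "malicious-host"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
    next
    edit 20
        set name "internet-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat enable
    next
    move 10 before 20
end
# Management access to the firewall is governed by these, not by the policies above
show system interface wan1      # look for "set allowaccess ping https ssh"
show system admin               # "set trusthostN ..." limits admin source IPs
show firewall local-in-policy   # a deny here can block traffic destined to wan1
```

Check the policy order with "show firewall policy" afterwards; if policy 20 lists first, the deny never matches.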
2. wan1 is not allowing ("allowaccess")
Are you referring to ping, ssh, telnet on the wan interface?
3. 'trusthost' is configured for admin users
By "trusthost" do you mean an ACL that allows people to remote access?
A screenshot would be great.
4. local-in policy is configured and blocking access
I am not sure where to configure a "local-in" policy.
Do you mind guiding me?
A screenshot is best.
Hi BusinessUser,
If these are your firewall rules which you created under Policies&Objects > Firewall Policy, they should not impact your ping to the firewall wan interface.
Please check if you have any local-in policies using the command below:
> show firewall local-in-policy
+ Could you confirm if you are seeing the issue only since you created the above rules which you mentioned?
Thank you!