Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
raffaeledp
Contributor

Created on ‎02-14-2025 11:45 AM

What is wrong whit this policy?

Hello everybody,

I'm the Fortigate 60F (v7.2.10) admin, and I log into it at:

 

https://vpn.xxx.com:40443/

 

or

 

https://10.1.0.1:40443/

 

I defined a local-in policy to momentaneously deny the access to this page to all the users. All the policy above this one are disabled:

 

edit 5
set uuid d5c73f7a-eae5-51ef-8ecd-4cb99f22bef3
set intf "any"
set srcaddr "all"
set dstaddr "login"
set service "HTTPS-40443"
set schedule "always"
next

 

The dstaddr is: 

 

1.PNG

 

while the service is:

 

2.PNG

 

I should access the login page from everywhere. Why? What I am doing wrong?

 

vpn.xxx.com is a DNS entry: 

 

3.PNG

 

 

RDP
RDP
Labels:
379
0 Kudos
2 Solutions
raffaeledp
Contributor
In response to raffaeledp

Created on ‎02-17-2025 07:10 AM

Hello,

I found the solution. The problem was the address 79.x.x.x. You have to include inside the policy the private address of the interface (192.168.1.4, and not the public 79.x.x.x)

RDP

View solution in original post

RDP
273
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to raffaeledp

Created on ‎02-17-2025 01:49 PM

Hi @raffaeledp ,

 

That's not correct.  The WAN IP is something like you check your PC's WAN IP via https://www.whatismyip.com/ ,  the public IP is not configured on your PC directly. It's a NATted IP by your ISP.

 

It's the same thing for FGT. The real IP configured on the WAN interface on your FGT device is the one you configured, it might be 10.1.0.1 or 192.168.1.4, I don't know which one is because you never showed the FGT WAN interface configuration either in GUI or in CLI.

 

I suspect that 192.168.1.4 is the IP on your FGT WAN interface and 10.1.0.1 is the IP on your internal PC. 

 

That would explain why the local-in policy was not working

Regards,

Jerry

View solution in original post

217
7 REPLIES 7
dingjerry_FTNT
Staff
Staff

Created on ‎02-14-2025 03:57 PM

Hi @raffaeledp ,

 

I tried using your local-in policy configuration and I got blocked.

 

So we can debug with the following commands:

 

diag debug flow show iprope enable

diag debug flow filter proto 6

diag debug flow filter addr 10.1.0.1

diag debug flow filter port 40443

diag debug flow trace start 100

diag debug enable

 

Then try it with https://10.1.0.1:40443/ first

Regards,

Jerry
350
raffaeledp
Contributor
In response to dingjerry_FTNT

Created on ‎02-17-2025 01:25 AM

Hello, you are right. I noticed that when I'm inside the company network (so vpn.xxx.com is directly to 10.1.0.1) I'm blocked. Anyway, when I'm outside, and vpn.xxx.com is resolved to 79.x.x.x, I'm not blocked anymore. I tried to create the same policy (from 6 to 10) with dstaddre "79.x.x.x", but, I can reach vpn.xxx.com:40443. How is it possible? Thanks

RDP
RDP
292
0 Kudos
raffaeledp
Contributor
In response to raffaeledp

Created on ‎02-17-2025 07:10 AM

Hello,

I found the solution. The problem was the address 79.x.x.x. You have to include inside the policy the private address of the interface (192.168.1.4, and not the public 79.x.x.x)

RDP
RDP
274
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to raffaeledp

Created on ‎02-17-2025 09:09 AM

Hi @raffaeledp ,

 

You confused me.

 

In your local-in policy, there was only one specific address "Login" applied and it is defined with this IP 10.1.0.1/32.   There was nothing about 192.168.1.4 for the configuration.

 

So do you mean that your VPN hostname (vpn.xxx.com) was directed to 192.168.1.4, not 10.1.0.1?

Regards,

Jerry
261
0 Kudos
raffaeledp
Contributor
In response to dingjerry_FTNT

Created on ‎02-17-2025 11:01 AM

Hello @dingjerry_FTNT ,

I'm sorry :)

79.x.x.x is the WAN IP.

From the external device, if I ping vpn.xxx.com, 79.x.x.x replies. 

I sniffed some packets on port 40443 filtering for dstaddr 10.1.0.1 and saw that packets were being forwarded from 192.168.1.4, and 192.168.1.4 is the wan interface address.

Screenshot 2025-02-17 alle 19.58.38.png

Screenshot 2025-02-17 alle 19.59.13.png

 

 

RDP
RDP
240
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to raffaeledp

Created on ‎02-17-2025 01:49 PM

Hi @raffaeledp ,

 

That's not correct.  The WAN IP is something like you check your PC's WAN IP via https://www.whatismyip.com/ ,  the public IP is not configured on your PC directly. It's a NATted IP by your ISP.

 

It's the same thing for FGT. The real IP configured on the WAN interface on your FGT device is the one you configured, it might be 10.1.0.1 or 192.168.1.4, I don't know which one is because you never showed the FGT WAN interface configuration either in GUI or in CLI.

 

I suspect that 192.168.1.4 is the IP on your FGT WAN interface and 10.1.0.1 is the IP on your internal PC. 

 

That would explain why the local-in policy was not working

Regards,

Jerry
218
funkylicious
SuperUser
SuperUser

Created on ‎02-15-2025 02:50 AM

hi,

the dns entry is only significant to the firewall locally.

is vpn.xxx.com resolved by the workstation that you are connecting from, to the same private ip, 10.1.0.1 that would also match the object login that you defined in the local-in ?

if so, the commands that @dingjerry_FTNT provided should shed some light.

"jack of all trades, master of none"
"jack of all trades, master of none"
325
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.