Hi
I have configured an IPsec remote access VPN and I want to allow only IPs from the United Kingdom to be able to connect to my FGT. How can I do that?
Created on 01-03-2024 08:23 AM Edited on 01-03-2024 08:23 AM
Yes, correct. You cannot use multiple interfaces on the same local-in policy, and there is no implicit deny preconfigured: "Unlike IPv4 policies, there is no default implicit deny policy."
For the deny rule you can use one entry: set intf "any"
config firewall local-in-policy
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "eth1" "eth0"
        set service "IKE"
        set schedule "always"
    next
end
Created on 01-03-2024 01:54 AM Edited on 01-03-2024 01:54 AM
Hi,
Firewall policies are mostly for inter-interface traffic, for example LAN to WAN, or WAN to LAN when using VIPs, etc.
For traffic towards a particular interface, WAN to WAN in your case, you would need a local-in policy.
Firewall policy will only control the traffic traversing the tunnel once it is already established.
@ebilcari's article is your best bet. Using the address object mentioned earlier, you can use the template below, but there are some caveats:
config firewall local-in-policy
    edit 0
        set intf "any" # or whatever external interface you use for IPsec VPN. Better to be specific
        set srcaddr "Geo_UK" # maybe create an address group, so you can add any other peers you need without editing the rule directly.
        set dstaddr "all" # or the specific IP listening for IKE requests
        set action accept
        set service "IKE"
        set schedule "always"
    next
    edit 0
        set intf "any" # or whatever external interface you use for IPsec VPN. Better to be specific
        set srcaddr "all"
        set dstaddr "all" # or the specific IP listening for IKE requests
        # no need to set an action here, the default is deny
        set service "IKE"
        set schedule "always"
    next
end
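As an added example (not from this thread or from Fortinet), a small Python lint that parses a local-in-policy block in the shape of the template above and checks the caveats raised in this thread: the IKE accept rule is limited to the geo object, a single interface is bound per entry, and a catch-all IKE deny follows the accept, since local-in policy has no implicit deny. The config text, the interface name wan1 and the object name Geo_UK are constructed for the example.

```python
import re
import shlex

# Constructed sample in the shape of the template above (not taken from a live device).
SAMPLE_CONFIG = """
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Geo_UK"
        set action accept
        set service "IKE"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set service "IKE"
    next
end
"""

def parse_local_in_policies(text):
    """Return the policies in evaluation order; 'action' defaults to deny, as on FortiOS."""
    policies, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"^edit\s+\S+$", line):
            current = {"action": "deny"}
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)  # unquotes values; a multi-value setting becomes a list
            current[parts[1]] = parts[2:] if len(parts) > 3 else parts[2]
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
    return policies

def check_ike_geo_restriction(policies, geo_name="Geo_UK"):
    """Return findings for the IKE rules; an empty list means the pattern is applied correctly."""
    ike = [p for p in policies if p.get("service") == "IKE"]
    accepts = [p for p in ike if p["action"] == "accept"]
    denies = [p for p in ike if p["action"] == "deny" and p.get("srcaddr") == "all"]
    findings = []
    for p in accepts:
        if p.get("srcaddr") != geo_name:
            findings.append(f"IKE accepted from {p.get('srcaddr')!r} instead of {geo_name!r}")
        if isinstance(p.get("intf"), list):
            findings.append("one local-in entry cannot bind several interfaces")
    if not accepts or not denies:
        findings.append("IKE needs a geo accept rule and a catch-all deny (no implicit deny in local-in)")
    elif ike.index(denies[0]) < ike.index(accepts[0]):
        findings.append("catch-all IKE deny is evaluated before the geo accept rule")
    return findings
```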
Copyright 2024 Fortinet, Inc. All Rights Reserved.