Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: black list public ip IKE protocol
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
black list public ip IKE protocol
Hi,
I use FG600D (Fortios V5.4.5) with 30 VPN (IKE) but since few weeks i have trouble with some public ip like 216.218.206.126. Each night i have a lot of attempts to establish VPN IKE. This public ip is not public ip of my company.
For example :
Message meets Alert condition
date=2018-06-03 time=04:47:33 devname=FW-BLC-1 devid=FGT6HDXXXXXXX logid=0101037128 type=event subtype=vpn level=error vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=[style="background-color: #ffff00;"]216.218.206.102[/style] locip=xxx.xxx.xxx.xxx remport=24916 locport=500 outintf="IP-Pub-Complete" cookies="3e35c70729dfedef/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
I try to use local in policy but i don't understand how. In my all Fortigate i saw local in policy in GUI but in CLI i have nothing.
Please could you tell me if it's the good way to block unwanted public ip ? and if it's the good way could you explained me how can i do ?
In Example i found, all people explain to choose wan interface for source but i don't know which destination interface i must select.
Thank you,
François
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, There is a similar post here https://forum.fortinet.com/tm.aspx?tree=true&m=160521&mpage=1 that should help. Best, Markus
________________________________________________________
--- NSE 4 ---
________________________________________________________
________________________________________________________--- NSE 4
---________________________________________________________
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Markus for your reply but i don't understand why i can't see local policy in CLI ?
In example gave by Stuart he explained i use "edit 1" but in my case i don't have any policy. If i do "edit 1" i create a new policy.
At the same time in GUI i have aproximatively 80 or 100 local in policy.
Thank you for help,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think local-in policy is available in GUI. You must be talking about regular firewall/security policies in GUI. If you don't see anything under "configure firewall local-in-policy", you don't have "local-in" policy yet. So edit 1 or edit 0 create a new policy with id:1.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you Toshi,
I create local in policy but is nbot working like i want.
I add 4 rules in local in policy
config firewall local-in-policy
edit 1
set ha-mgmt-intf-only disable
set intf "Orange-Fibre"
set srcaddr "Block-IP-1"
set dstaddr "all"
set action deny
set service "IKE"
set schedule "always"
set status enable
next
edit 2
set ha-mgmt-intf-only disable
set intf "Orange-Fibre"
set srcaddr "Block-IP-1"
set dstaddr "all"
set action deny
set service "ESP"
set schedule "always"
set status enable
next
edit 3
set ha-mgmt-intf-only disable
set intf "Orange-Fibre"
--More-- set srcaddr "all"
set dstaddr "MyPulbic"
set action accept
set service "IKE"
set schedule "always"
set status enable
next
edit 4
set ha-mgmt-intf-only disable
set intf "Orange-Fibre"
set srcaddr "all"
set dstaddr "MyPulbic"
set action accept
set service "ESP"
set schedule "always"
set status enable
next
end
My idea for test is to block only one public ip of another Fortigate i manage.
Public ip of another fortigate is in srcaddr "Block-IP-1"
When i apply this rules my VPN doesn't stop and continue to work. I try to bring downd and bring up but VPN continue to work.
Perhaps i don't undrstand something ?
Thank you for your help,
François
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the interface "Orange-Fibre" the IPSec interface or a physical interface? In the thread Markus pointed to had an IPSec interface.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi,
I added a screenshot to show you. In fact i apply to wan interface and not to IPSEC interface.
I don't understand why i must apply to IPSEC interface ? if i want to block some bad public ip to mount IPSEC i don't create an interface IPSEC for it.
This morning i modify local in policy and i replace :
set service IKE
by
set service ALL
In this case the first Fortigate (which i apply local in policy), tunnel continue to bring up but on another side of VPN the second Fortigate show tunnel down. I think it's normal because flow is sending by first fortigate and it use the same chanel for reply (it's just an idea)
In my test configuration i think i must apply local in policy on two fortigate because each one can initialize IPSEC. In case of bad public ip which want to try open IPSEC is different.
I'll keep you informed and if you could confirm different idea ?
François
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi François Here's my config. I only enable Swiss IPs to connect (IPSec and SIP) to my Wan Interface (in your case it's the Orange I assume). config firewall local-in-policy edit 1 set intf "wan1" set srcaddr "zGeoSwiss" set dstaddr "all" set action accept set service "GRE" "IKE" "SIP" set schedule "always" next edit 2 set intf "wan1" set srcaddr "all" set dstaddr "all" set service "IKE" "GRE" "SIP" set schedule "always" next end First you have to enable all sources that are allowed to use the defined Services. Then you block all others (edit 2).
I hope this clarify how the local-in policy works. Best,
Markus
________________________________________________________
--- NSE 4 ---
________________________________________________________
________________________________________________________--- NSE 4
---________________________________________________________
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For convenience, you can find configs for all countries, converted to address objects and an address group, on my website.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys,
Thank you for all to your answers.
@Toshi: I don't create interface-mode IPSec vpn, i just only want to reject public ip which want to use IKe.
@Bruno: Yes i know shadowserver but it's not really good to receive 50 or 60 emails by night. I prefer reject this public ip and some other to be sure.
@Markus: Good i think it's the similar configuration i have today, but i think you forgot "set action Deny" on Edit 2 isn't it ?
@ede_pfau: It's another good solution but i keep you idea.
Best regards,
François
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Switching from Sophos need some info... 314 Views
- IOS Native IPSEC full tunnel doesn't... 931 Views
- Need help to debug IPSEC VPN 502 Views
- Remote VPN Issue 476 Views
- Fortigate with Mikrotik Site to site... 4995 Views
Labels
-
FortiGate
8,403 -
FortiClient
1,699 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
401 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
5.0
196 -
FortiWeb
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
28 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.