Fortinet Forum
hklb
Contributor II

enable ping on lan interface

Hi,

My FortiGate has the LAN IP 172.28.75.1/24. On this interface, I enabled the ping and HTTPS services for administration. My admin user has a trusted host specified (172.28.75.0/24). So I'm able to ping from my LAN network. That's OK.

My problem is: I have a VPN with a Juniper, and I've configured the VPN monitor (this is an ICMP request to check if the VPN is up), but my FortiGate doesn't respond, because my Juniper's LAN is 10.0.0.0/24 (not in the trusted hosts).

How can I enable ping from subnet 10.0.0.0/24 without enabling administration of my FortiGate?

I already tried with local-in-policy, but it looks like the action "accept" doesn't work.

Thanks in advance

Lucas

1 Solution
Christopher_McMullan

While CL's suggestion has merit, this creates placeholder admin accounts for the sole purpose of allowing or denying selective administrative access from certain subnets.

Using trusted hosts has caused more trouble than it's sometimes worth. Without naming names, a college granted GUI access to their IT department, but also instructed end users to troubleshoot by pinging their local gateway before opening a support ticket. The college restricted GUI access to the IT subnet using trusted hosts, rendering ping unavailable from outside that subnet.

The solution was to move away from trusted hosts completely (so in your case, zero out the restriction), and once administrative access is opened the way you want on all interfaces, use local-in policies on their own to apply selective access.

    config firewall local-in-policy
        edit 1
            set intf internal
            set srcaddr all
            set dstaddr all
            set schedule always
            set service ALL_ICMP
            set action accept
            set status enable
        next
        edit 2
            set intf internal
            set srcaddr "lan_subnet"
            set dstaddr "all"
            set schedule always
            set service HTTP HTTPS
            set action accept
            set status enable
        next
    end

The commands should work, more or less, if you create a "lan_subnet" address object for 172.28.75.0/24 first - I just dashed them off, so let me know if you go this route and have any errors with the syntax.

Regards, Chris McMullan Fortinet Ottawa
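A tightened version of the above, added here as an example and not taken from the thread or from Fortinet: ICMP is accepted only from the Juniper's LAN (10.0.0.0/24) and the local LAN instead of from "all", HTTPS only from the local LAN, and a final deny closes the rest, because an accept local-in policy on its own changes nothing when unmatched traffic is accepted anyway. It assumes the pings arrive on the interface named "internal", that ping and https remain enabled under that interface's allowaccess, and that the address object names are ones chosen for this example.

```fortios
# Added example, not from the original post. Address objects first,
# so the policies below can reference them by name.
config firewall address
    edit "lan_subnet"
        set subnet 172.28.75.0 255.255.255.0
    next
    edit "juniper_lan"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Local-in policies are evaluated in order; the explicit deny must be last,
# otherwise the accepts above it are never reached.
config firewall local-in-policy
    edit 1
        # VPN monitor pings from the Juniper side, plus the local LAN
        set intf "internal"
        set srcaddr "juniper_lan" "lan_subnet"
        set dstaddr "all"
        set service "ALL_ICMP"
        set schedule "always"
        set action accept
    next
    edit 2
        # GUI access only from the administrators' LAN
        set intf "internal"
        set srcaddr "lan_subnet"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 3
        # Everything else that targets the FortiGate on these services is dropped
        set intf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL_ICMP" "HTTPS"
        set schedule "always"
        set action deny
    next
end
```

Apply it from a console or a session that matches policy 2 before saving, since a mis-ordered deny on the management interface locks out HTTPS.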

5 Replies
CL
New Contributor

One way to accomplish this would be to create an admin profile named "Ping Only". For access control select "none" for all the options.

Then create an administrator using the admin profile of "Ping Only" and assign a trusted host of the 10.0.0.0/24 network.

You should then be able to only ping from the 10.0.0.0/24 network without allowing any administration from that network.

 

CL
New Contributor

I believe source interface is correct; as it is a local-in policy, there is no destination interface.


hklb
Contributor II

Thanks guys for these responses.

I removed the restrictedhost and added a local-in-policy, and all works fine. But just for confirmation, the "intf" is the destination interface, correct? The "help" tells me this:

*intf                 Source interface name.

-> it should be the destination interface name?

Thanks for your quick response!

Christopher_McMullan

Best to think of it as "the interface the traffic arrives on" which targets the FortiGate itself as the destination.

Regards, Chris McMullan Fortinet Ottawa