Newbie - Re: FortiGate 90E login-failed alerts from blocked countries
We, as others, are trying to block certain repeat offenders (countries) from attempting to access and/or accessing our firewall.
We have a blocked-countries-group working with a deny-all policy at the top of the list. I receive admin alerts and I get several login attempts with src IP belonging to countries from that group. Should that be happening? I thought having that policy in place would essentially result in any and all packets coming from the blocked countries just being dropped.
The fgt has a number of "open" ports that it listens on, including ports for administrative access. Local-in policies (for the most part) are meant to control (block or allow) this access.
Here is a script example:
config firewall address
    edit "China-Country"
        set type geography
        set associated-interface "wan1"
        set country "CN"
    next
end
config firewall addrgrp
    edit "blocked-countries-group"
        set member "China-Country"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-countries-group"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
(The code snippet is from 5.2.)
But if you merely want to restrict admin login access to local or trusted hosts (as tioeudes noted above), you may be better off doing that. The section on restricting administrative access can be found here.
My confusion is that if we have a blocked geography group with some countries in it and we have destination all/service all/action deny (in the IPv4 policy as viewed in the GUI), then I would expect that if a login attempt from China comes in, the fgt will just check the address, identify it as China and just drop it. If that were so, I should not be seeing alerts that say user "admin" from src China login failed, invalid password.
That leads me to believe that the vendor did not configure it correctly. I mean, what if they brute force and end up getting in?
IPv4 policies only cover traffic that crosses an interface, not traffic that "hits" or is directed at the interface itself. I would still have those IPv4 policies in place if you do not want inside endpoints (e.g. on the LAN interface) sending/receiving traffic to/from external addresses outside the fgt in a foreign country, especially at odd hours.
Use show firewall policy to list the existing firewall policies.
Use show firewall local-in-policy to show existing local-in policies.
Think of local-in policies as controlling administrative/management access to an interface. Often this is the WAN or WAN1 interface, but it could be any interface. The key theme to keep in mind is that there are open ports by default on the fgt and local-in policies can be used to control that. The link above (local-in policies) gives some examples of this with regard to restricting admin access (during certain times of the day).
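As an added verification step (example code, not from the thread or from Fortinet): once the local-in deny is in place, failed admin-login events from addresses in the blocked group should stop appearing, because those packets never reach the admin daemon. This script parses FortiGate-style key=value event log lines and flags any failed admin login whose source country is still in the blocked set. The log lines, IP-to-country table, field names and log IDs are constructed placeholders; a real check would read exported logs and use a GeoIP database.

```python
import re
from typing import Dict, List

# Constructed sample lines in FortiGate key=value event-log style.
# IPs, log IDs and timestamps are placeholders, not values from the thread.
SAMPLE_LOG = """\
date=2024-01-10 time=02:14:05 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=02:14:09 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.7)" method="ssh" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=08:30:00 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(192.0.2.5)" method="https" srcip=192.0.2.5 action="login" status="success"
"""

# Constructed stand-in for a GeoIP lookup (assumption: replace with a real database).
GEOIP: Dict[str, str] = {"203.0.113.10": "CN", "198.51.100.7": "US", "192.0.2.5": "US"}

# Country codes that are members of the thread's blocked-countries-group.
BLOCKED_COUNTRIES = {"CN"}

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def failed_admin_logins_from_blocked(log_text: str, geoip=GEOIP,
                                     blocked=BLOCKED_COUNTRIES) -> List[Dict[str, str]]:
    """Return failed admin-login events whose source country is in the blocked group.

    Any hit means the deny is not applied where it matters: an IPv4 policy only
    governs forwarded traffic, while a local-in deny stops these packets before
    the login attempt can be made (and before it can be logged as a failure).
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login" or ev.get("status") != "failed":
            continue
        # Prefer a srccountry field if the log carries one; otherwise look the IP up.
        country = ev.get("srccountry") or geoip.get(ev.get("srcip", ""), "??")
        if country in blocked:
            hits.append({"time": ev.get("time", ""), "user": ev.get("user", ""),
                         "srcip": ev.get("srcip", ""), "country": country})
    return hits


if __name__ == "__main__":
    for h in failed_admin_logins_from_blocked(SAMPLE_LOG):
        print(f"{h['time']} user {h['user']} from {h['srcip']} ({h['country']}) "
              "still reached the admin login: local-in deny not effective")
```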