Hi,
My FortiGate has the LAN IP 172.28.75.1/24. On this interface, I enabled the ping and HTTPS services for administration. My admin user has a trusted host specified (172.28.75.0/24). So, I'm able to ping from my LAN network. That's OK.
My problem is: I have a VPN with a Juniper, and I've configured the VPN monitor (this is an ICMP request to check if the VPN is up), but my FortiGate doesn't respond, because my Juniper's LAN is 10.0.0.0/24 (not in the trusted hosts).
How can I enable ping from subnet 10.0.0.0/24 without enabling administration of my FortiGate?
I already tried with local-in-policy, but it looks like the action "accept" doesn't work.
Thanks in advance
Lucas
While CL's suggestion has merit, this creates placeholder admin accounts for the sole purpose of allowing or denying selective administrative access from certain subnets.
Using trusted hosts has caused more trouble than it's sometimes worth. Without naming names, a college granted GUI access to their IT department, but also instructed end users to troubleshoot by pinging their local gateway before opening a support ticket. The college restricted GUI access to the IT subnet using trusted hosts, rendering ping unavailable from outside that subnet.
The solution was to move away from trusted hosts completely (so in your case, zero out the restriction), and once administrative access is opened the way you want on all interfaces, use local-in policies on their own to apply selective access.
config firewall local-in-policy
    edit 1
        set intf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL_ICMP"
        set action accept
        set status enable
    next
    edit 2
        set intf "internal"
        set srcaddr "lan_subnet"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set action accept
        set status enable
    next
end
The commands should work, more or less, if you create a "lan_subnet" address object for 172.28.75.0/24 first - I just dashed them off, so let me know if you go this route and have any errors with the syntax.
Regards, Chris McMullan Fortinet Ottawa
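An added example (not Chris's config and not Fortinet documentation) that narrows the approach above to Lucas's two subnets: ICMP is accepted from both the LAN and the Juniper's LAN, HTTPS only from the LAN, and a final deny covers those services from any other source, because a packet that matches no local-in policy otherwise falls through to the interface's admin access setting and is still allowed. The interface name "internal" and the address object names are assumptions.

```fortios
# Constructed example: address objects for the two subnets in the thread
config firewall address
    edit "lan_subnet"
        set subnet 172.28.75.0 255.255.255.0
    next
    edit "juniper_lan"
        set subnet 10.0.0.0 255.255.255.0
    next
end
# Local-in policies are evaluated top-down; the first match wins.
config firewall local-in-policy
    edit 1
        # ICMP (VPN monitor and end-user gateway pings) from both subnets
        set intf "internal"
        set srcaddr "lan_subnet" "juniper_lan"
        set dstaddr "all"
        set schedule "always"
        set service "ALL_ICMP"
        set action accept
    next
    edit 2
        # HTTPS administration only from the local LAN
        set intf "internal"
        set srcaddr "lan_subnet"
        set dstaddr "all"
        set schedule "always"
        set service "HTTPS"
        set action accept
    next
    edit 3
        # Explicit deny for the same services from any other source;
        # without it, unmatched traffic is still permitted by the
        # interface's allowaccess setting once trusted hosts are removed.
        set intf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL_ICMP" "HTTP" "HTTPS"
        set action deny
    next
end
```

Verify the result from the Juniper's LAN: ping to 172.28.75.1 should answer while an HTTPS connection to it is dropped.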
One way to accomplish this would be to create an admin profile named "Ping Only". For access control select "none" for all the options.
Then create an administrator using the admin profile of "Ping Only" and assign a trusted host of the 10.0.0.0/24 network.
You should then be able to only ping from the 10.0.0.0/24 network without allowing any administration from that network.
I believe source interface is correct; as it is a local-in policy, there is no destination interface.
Thanks guys for these responses.
I removed the trusted host restriction and added a local-in policy, and all works fine. But just for confirmation, is "intf" the destination interface? Correct? The "help" tells me this:
*intf Source interface name.
-> shouldn't it be the destination interface name?
Thanks for your quick response!
Best to think of it as "the interface the traffic arrives on" which targets the FortiGate itself as the destination.
Regards, Chris McMullan Fortinet Ottawa