FortiGate
ddsouza_FTNT
Staff
Article Id 191493

Description

This article describes how to restrict ISAKMP (IKE) negotiations to known peers and block all other attempts.
Opening ISAKMP (UDP 500, and UDP 4500 for NAT-T) on the FortiGate to any source creates two exposures. An attacker can initiate IKE exchanges against the gateway and, if a phase 1 uses aggressive mode, capture the material needed to attempt an offline brute-force of the pre-shared key. Independently of the mode, a flood of IKE requests overloads the CPU and exhausts the buffer space the negotiations need (an ISAKMP DoS), so legitimate peers can no longer connect.


Scope

FortiGate or VDOM in NAT mode or transparent mode.


Solution

(LAN SUBNET) --- port1 (FortiGate) --- wan1 --- Internet

Configuration

1) Create firewall address objects for the IP address of the VPN client (or remote peer) and for the wan1 interface IP address. The CLI is used in this example:

# config firewall address
    edit "allowIP"
        set subnet x.x.x.x 255.255.255.255
    next
    edit "waninterfaceip"
        set subnet y.y.y.y 255.255.255.255
    next
  end


2) Create custom service objects for ISAKMP: UDP 500 (IKE) and UDP 4500 (NAT-T). Both ports must be covered, because a peer behind NAT moves the exchange to UDP 4500 after NAT detection, and a rule that only covers UDP 500 leaves that path open. FortiOS also ships a predefined IKE service that includes both ports and can be used instead of the custom objects:

# config firewall service custom
    edit "isakmp_500"
        set tcp-portrange 0
        set udp-portrange 500
    next
    edit "isakmp_4500"
        set tcp-portrange 0
        set udp-portrange 4500
    next
  end

3) Create local-in policies that accept ISAKMP only from the allowed address and deny it from every other source. Local-in policies are evaluated top-down, so the accept policy must come before the deny policy, and the interface must be the one that actually receives the IKE traffic (wan1 in this topology):

# config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "allowIP"
        set dstaddr "waninterfaceip"
        set action accept
        set service "isakmp_500" "isakmp_4500"
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "waninterfaceip"
        set action deny
        set service "isakmp_500" "isakmp_4500"
        set schedule "always"
        set status enable
    next
  end


Here x.x.x.x is the IP address of the VPN client or remote peer, and y.y.y.y is the IP address of the firewall's wan1 interface.

Note: A local-in policy cannot block UDP 500/4500 from an address that is already configured as the remote gateway of a site-to-site VPN (phase 1). The FortiGate accepts IKE from its configured peers regardless of the local-in policy, so if a source you expect to be blocked is still negotiating, check the phase 1 definitions before looking at the policy order.
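The three configuration steps above cover a single client. When several peers must be allowed, the same pattern scales by grouping the peer addresses and referencing the group from the accept policy. The following generator is an added example, not Fortinet tooling or code from this article: it emits the FortiOS CLI for an allow-list of IPv4 peers, validates the input, and keeps the accept policy ahead of the deny policy. The object names (isakmp_peerN, isakmp_peers, <interface>_ip, isakmp_500, isakmp_4500) and the policy IDs 1 and 2 are assumptions chosen for the example.

```python
import ipaddress

# Added example, not Fortinet code. Object names and policy IDs below are
# assumptions for illustration; adjust them to the local naming convention.


def fortios_quote(name):
    """Quote an object name the way FortiOS CLI expects."""
    return '"' + name + '"'


def build_isakmp_local_in_config(wan_intf, wan_ip, allowed_peers,
                                 accept_id=1, deny_id=2):
    """Return FortiOS CLI text that restricts IKE (UDP 500) and NAT-T
    (UDP 4500) on wan_intf to allowed_peers.

    Raises ValueError on an empty allow list (the deny policy would then
    cut off every VPN peer), on a non-IPv4 entry, or if the WAN address
    itself is listed as a peer.
    """
    wan = ipaddress.IPv4Address(wan_ip)
    peers = sorted({ipaddress.IPv4Address(p) for p in allowed_peers})
    if not peers:
        raise ValueError("empty allow list: deny policy would block all IKE peers")
    if wan in peers:
        raise ValueError("the WAN address itself must not be in the allow list")

    peer_names = [f"isakmp_peer{i}" for i in range(1, len(peers) + 1)]
    wan_name = f"{wan_intf}_ip"
    out = []

    # Host (/32) address objects: one per allowed peer plus the WAN interface IP.
    out.append("config firewall address")
    for name, ip in zip(peer_names, peers):
        out += [f"    edit {fortios_quote(name)}",
                f"        set subnet {ip} 255.255.255.255",
                "    next"]
    out += [f"    edit {fortios_quote(wan_name)}",
            f"        set subnet {wan} 255.255.255.255",
            "    next", "end"]

    # Address group so the accept policy references a single source object.
    out += ["config firewall addrgrp", '    edit "isakmp_peers"',
            "        set member " + " ".join(fortios_quote(n) for n in peer_names),
            "    next", "end"]

    # Service objects for IKE and NAT-T; both must be covered, not just one.
    out.append("config firewall service custom")
    for name, port in (("isakmp_500", 500), ("isakmp_4500", 4500)):
        out += [f"    edit {fortios_quote(name)}",
                f"        set udp-portrange {port}",
                "    next"]
    out.append("end")

    # Local-in policies: accept first, deny second (matched top-down).
    out.append("config firewall local-in-policy")
    for pid, src, action in ((accept_id, "isakmp_peers", "accept"),
                             (deny_id, "all", "deny")):
        out += [f"    edit {pid}",
                f"        set intf {fortios_quote(wan_intf)}",
                f"        set srcaddr {fortios_quote(src)}",
                f"        set dstaddr {fortios_quote(wan_name)}",
                f"        set action {action}",
                '        set service "isakmp_500" "isakmp_4500"',
                '        set schedule "always"',
                "        set status enable",
                "    next"]
    out.append("end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Documentation addresses only; 198.51.100.1 is the assumed wan1 IP.
    print(build_isakmp_local_in_config("wan1", "198.51.100.1",
                                       ["203.0.113.10", "203.0.113.9"]))
```

The generated text is pasted into the CLI as-is. The empty-allow-list check matters more than it looks: with policy 2 in place, an allow list that is accidentally empty blocks every IKE peer on wan1, including the administrator's own remote-access tunnel.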

Verification

Use the debug flow commands to verify. Filter on the ISAKMP port (diagnose debug flow filter port 500, or port 4500 for NAT-T), start the trace (diagnose debug flow trace start 10, then diagnose debug enable), and send IKE from an address that is not in the allow list. The FortiGate should drop the packets because of local-in policy 2, as in the output below; stop the trace afterwards with diagnose debug flow trace stop and diagnose debug disable.

FGT90D3Z13004772 # id=20085 trace_id=25 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, 172.26.48.86:500->172.26.48.73:500) from wan1. "
id=20085 trace_id=25 func=init_ip_session_common line=4522 msg="allocate a new session-001cd10f"
id=20085 trace_id=25 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
id=20085 trace_id=26 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, 172.26.48.86:500->172.26.48.73:500) from wan1. "
id=20085 trace_id=26 func=init_ip_session_common line=4522 msg="allocate a new session-001cd11d"
id=20085 trace_id=26 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
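On a busy gateway the trace output runs to hundreds of lines, and reading it by eye misses the interesting case: an ISAKMP packet that was not dropped. The following parser is an added example, not part of the article: it groups the debug flow lines by trace_id, extracts source, destination, port and ingress interface, and audits each UDP 500/4500 trace against the policy intent, reporting sources blocked by the deny policy and flagging anomalies (an allowed peer that was dropped, or an unknown source that was not dropped by the deny policy). The sample input is the article's two traces copied verbatim plus one constructed trace (trace_id 27, source 198.51.100.7, UDP 4500) in the same format; the allowed peer 203.0.113.10 used in the usage call is hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: traces 25 and 26 are the article's verification output;
# trace 27 is an assumed extra trace (source 198.51.100.7, NAT-T port 4500)
# written in the same format. This is an added example, not Fortinet code.
SAMPLE_TRACE = """\
FGT90D3Z13004772 # id=20085 trace_id=25 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, 172.26.48.86:500->172.26.48.73:500) from wan1. "
id=20085 trace_id=25 func=init_ip_session_common line=4522 msg="allocate a new session-001cd10f"
id=20085 trace_id=25 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
id=20085 trace_id=26 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, 172.26.48.86:500->172.26.48.73:500) from wan1. "
id=20085 trace_id=26 func=init_ip_session_common line=4522 msg="allocate a new session-001cd11d"
id=20085 trace_id=26 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
id=20085 trace_id=27 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=17, 198.51.100.7:4500->172.26.48.73:4500) from wan1. "
id=20085 trace_id=27 func=init_ip_session_common line=4522 msg="allocate a new session-001cd12a"
id=20085 trace_id=27 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 2, drop"
"""

ISAKMP_PORTS = {500, 4500}
TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(
    r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\."
)
DROP_RE = re.compile(r"iprope_in_check\(\) check failed on policy (\d+), drop")


def parse_debug_flow(text):
    """Group debug flow lines by trace_id into {trace_id: record}.

    A record carries proto/src/sport/dst/dport/intf from the packet-detail
    line and verdict/local_in_policy if a local-in drop line was seen.
    """
    traces = defaultdict(dict)
    for line in text.splitlines():
        tid = TRACE_RE.search(line)
        if not tid:
            continue  # prompt echo or unrelated output
        rec = traces[int(tid.group(1))]
        pkt = PKT_RE.search(line)
        if pkt:
            rec.update(proto=int(pkt.group(1)), src=pkt.group(2),
                       sport=int(pkt.group(3)), dst=pkt.group(4),
                       dport=int(pkt.group(5)), intf=pkt.group(6))
        drop = DROP_RE.search(line)
        if drop:
            rec.update(verdict="drop", local_in_policy=int(drop.group(1)))
    return dict(traces)


def audit_isakmp(traces, allowed_sources, deny_policy):
    """Check every UDP 500/4500 trace against the intended local-in behaviour.

    Returns {"blocked": Counter(src -> drops by deny_policy),
             "anomalies": [(trace_id, reason), ...]} where an anomaly is an
    allowed peer that got dropped, or an unknown source that was not dropped
    by deny_policy (for example a configured phase 1 peer, which the FortiGate
    accepts regardless of local-in policy).
    """
    blocked = Counter()
    anomalies = []
    for tid, rec in sorted(traces.items()):
        if rec.get("proto") != 17 or rec.get("dport") not in ISAKMP_PORTS:
            continue  # not ISAKMP, out of scope for this audit
        src = rec["src"]
        dropped_by_deny = (rec.get("verdict") == "drop"
                           and rec.get("local_in_policy") == deny_policy)
        if src in allowed_sources:
            if rec.get("verdict") == "drop":
                anomalies.append(
                    (tid, f"allowed peer {src} dropped by policy {rec['local_in_policy']}"))
        elif dropped_by_deny:
            blocked[src] += 1
        else:
            anomalies.append(
                (tid, f"source {src} not dropped by deny policy {deny_policy}"))
    return {"blocked": blocked, "anomalies": anomalies}


if __name__ == "__main__":
    result = audit_isakmp(parse_debug_flow(SAMPLE_TRACE),
                          allowed_sources={"203.0.113.10"}, deny_policy=2)
    for src, n in result["blocked"].items():
        print(f"{src}: {n} ISAKMP packet(s) dropped by local-in policy 2")
    for tid, reason in result["anomalies"]:
        print(f"trace {tid}: {reason}")
```

Feed it the captured trace (a file saved from the console session works; the hostname prompt on the first line is ignored) and a set of the addresses in allowIP. An anomaly of the form "not dropped by deny policy" for a source that is not in the allow list is the symptom of the implicit accept for configured phase 1 peers described in the note above.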