JohnDevNet_FTNT
Article Id 189942
Description
This article explains how to restrict remote IPs that can negotiate a VPN IPsec connection.

Solution
In the scenario illustrated by the diagram, regular Firewall IPv4 Policies cannot block this kind of traffic: its destination is the FortiGate itself, so the traffic is not passing through the unit and never reaches the IPv4 policy table.

A "Local-in Policy" must be configured to deny IKE traffic from the remote IP. The address object is defined first, because the policy references it:

config firewall address
    edit "192.168.157.78_HOST"
        set subnet 192.168.157.78 255.255.255.255
    next
end

config firewall local-in-policy
    edit 2
        set ha-mgmt-intf-only disable
        set intf "wan1"
        set srcaddr "192.168.157.78_HOST"
        set dstaddr "all"
        set action deny
        set service IKE
        set schedule "always"
        set auto-asic-offload enable
        set status enable
    next
end
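To check how the configuration above behaves before and after it is applied, the following added example (not Fortinet code, not part of the article) parses the two CLI blocks and evaluates a candidate IKE peer against the local-in policies in order, first match wins. It assumes that local-in traffic with no matching policy is implicitly accepted, and it only handles the keys used in this article.

```python
import ipaddress

# Constructed sample: the article's two CLI blocks pasted into one string.
CONFIG = """
config firewall address
    edit "192.168.157.78_HOST"
        set subnet 192.168.157.78 255.255.255.255
    next
end
config firewall local-in-policy
    edit 2
        set intf "wan1"
        set srcaddr "192.168.157.78_HOST"
        set action deny
        set service IKE
    next
end
"""

def parse_blocks(text):
    """Return {section: {entry: {key: value}}}; entries keep their CLI order."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = sections.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "end":
            section, entry = None, None
    return sections

def addr_matches(addresses, name, ip):
    if name == "all":  # built-in object matching any source
        return True
    net, mask = addresses[name]["subnet"].split()  # FortiOS stores "ip mask"
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def local_in_verdict(config, intf, src_ip, service):
    cfg = parse_blocks(config)
    addresses = cfg.get("firewall address", {})
    for pol in cfg.get("firewall local-in-policy", {}).values():
        if pol.get("status", "enable") != "enable":
            continue
        if pol.get("intf") != intf or pol.get("service") != service:
            continue
        if addr_matches(addresses, pol.get("srcaddr", "all"), src_ip):
            return pol["action"]  # first matching enabled policy decides
    return "accept"  # assumption: local-in traffic with no match is accepted
```

Calling `local_in_verdict(CONFIG, "wan1", "192.168.157.78", "IKE")` returns "deny", while any other source, interface or service falls through to the implicit accept, which is why a blocklist of single hosts leaves every other peer free to negotiate.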
