# config firewall local-in-policy
edit 1
set intf "wan1" <----- Or whichever interface the VPN is reachable on.
set srcaddr "Allowed_IP_Sec_IP" <----- The address object name given in step 2).
set dstaddr "WAN_IP" <----- The address object name given in step 1).
set action accept <----- Allow the connection.
set service "IKE" <----- Built-in service covering UDP ports 500 and 4500 (IKE and NAT-T), as used by IPsec.
set schedule "always" <----- Apply the policy at all times.
next
end
NOTE: When configuring local-in policies, make sure the first policy allows access from the trusted sources and the second policy denies all remaining sources not matched by the first policy. Local-in policies are evaluated in order, so the deny policy must come after the accept policy. In the third example below, edit 2 shows no `set action` line; confirm it is set to deny, since the CLI may omit a default value when displaying the configuration.
# config firewall local-in-policy
edit 2
set intf "wan1" <----- Or whichever interface the VPN is reachable on.
set srcaddr "all" <----- The first policy names the trusted sources; this policy matches every remaining source with 'all'.
set dstaddr "WAN_IP" <----- The address object name given in step 1).
set action deny <----- Deny connections from any source not matched by the first local-in policy.
set service "IKE" <----- Built-in service covering UDP ports 500 and 4500 (IKE and NAT-T), as used by IPsec.
set schedule "always" <----- Apply the policy at all times.
next
end
# config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "GEO-IP - Canada" "G - ALL PRIVATE ADDRESS RANGES" "GEO-IP - USA"
set dstaddr "WAN_IP"
set action accept
set service "IKE"
set schedule "always"
next
edit 2
set intf "wan1"
set srcaddr "all"
set dstaddr "WAN_IP"
set service "IKE"
set schedule "always"
next
end
# diagnose debug disable
# diagnose debug reset
# diagnose debug flow filter clear
# diagnose debug flow show function-name enable
# diagnose debug flow filter daddr x.x.x.x <----- x.x.x.x is the WAN1 IP address.
# diagnose debug flow filter port 500
# diagnose debug flow trace start 100
# diagnose debug enable
When traffic is blocked, the debug output will contain the following message (policy 2 here is the deny local-in policy):
msg="iprope_in_check() check failed on policy 2, drop"
To disable debugging afterwards:
# diagnose debug disable
# diagnose debug reset
# diagnose debug flow filter clear
Further information on FortiGate Local-In Firewall Policies can be found here.