Fortinet black logo

Handbook

Local-In policies

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:342743
Download PDF

Local-In policies

On the FortiGate unit, there are a number of protocols and traffic that is specific to the internal workings of FortiOS. For many of these traffic sources, you can identify a specific port/IP address for this self-originating traffic. The following traffic can be configured to a specific port/IP address:

  • SNMP
  • Syslog
  • alert email
  • FortiManager connection IP
  • FortiGuard services
  • FortiAnalyzer logging
  • NTP
  • DNS
  • Authorization requests such as RADIUS
  • FSSO

Security policies control the flow of traffic through the FortiGate unit. The FortiGate unit also includes the option of controlling internal traffic, that is, management traffic.

Each interface includes an allow access configuration to allow management access for specific protocols. Local policies are set up automatically to allow all users all access. Local-in policies takes this a step further, to enable or restrict the user with that access. This also extends beyond the allow access selection.

Local-in policies are configured in the CLI with the commands:

config firewall local-in-policy

edit <policy_number>

set intf <source_interface>

set srcaddr <source_address>

set dstaddr <destination_address>

set action {accept | deny}

set service <service name>

set schedule <schedule_name>

set comments <string>

end

For example, you can configure a local-in policy so that only administrators can access the FortiGate unit on weekends from a specific management computer at 192.168.21.12, represented by the address object mgmt-comp1, using SSH on port 3 (192.168.21.77 represented by the address object FG-port3) using the Weekend schedule which defines the time the of access.

config firewall local-in-policy

edit <1>

set intf port3

set srcaddr mgmt-comp1

set dstaddr FG-port3

set action accept

set service SSH

set schedule Weekend

end

You can also disable a policy should there be a requirement to turn off a policy for troubleshooting or other purpose. To disable a policy enter the commands:

config firewall local-in-policy

edit <policy_number>

set status disable

end

Use the same commands with a status of enable to use the policy again.

It is also an option to dedicate the interface as HA management interface by using the setting:

set ha-mgmt-intf-only enable

Local-in policies are also supported for IPv6 by entering the command:

config firewall local-in-policy6.

tooltip icon While there is a section under Policy & Objects for viewing the existing Local In Policy configuration, policies cannot be created or edited here in the GUI. The Local In polices can only be created or edited in the CLI.

Local-In policies

On the FortiGate unit, there are a number of protocols and traffic that is specific to the internal workings of FortiOS. For many of these traffic sources, you can identify a specific port/IP address for this self-originating traffic. The following traffic can be configured to a specific port/IP address:

  • SNMP
  • Syslog
  • alert email
  • FortiManager connection IP
  • FortiGuard services
  • FortiAnalyzer logging
  • NTP
  • DNS
  • Authorization requests such as RADIUS
  • FSSO

Security policies control the flow of traffic through the FortiGate unit. The FortiGate unit also includes the option of controlling internal traffic, that is, management traffic.

Each interface includes an allow access configuration to allow management access for specific protocols. Local policies are set up automatically to allow all users all access. Local-in policies takes this a step further, to enable or restrict the user with that access. This also extends beyond the allow access selection.

Local-in policies are configured in the CLI with the commands:

config firewall local-in-policy

edit <policy_number>

set intf <source_interface>

set srcaddr <source_address>

set dstaddr <destination_address>

set action {accept | deny}

set service <service name>

set schedule <schedule_name>

set comments <string>

end

For example, you can configure a local-in policy so that only administrators can access the FortiGate unit on weekends from a specific management computer at 192.168.21.12, represented by the address object mgmt-comp1, using SSH on port 3 (192.168.21.77 represented by the address object FG-port3) using the Weekend schedule which defines the time the of access.

config firewall local-in-policy

edit <1>

set intf port3

set srcaddr mgmt-comp1

set dstaddr FG-port3

set action accept

set service SSH

set schedule Weekend

end

You can also disable a policy should there be a requirement to turn off a policy for troubleshooting or other purpose. To disable a policy enter the commands:

config firewall local-in-policy

edit <policy_number>

set status disable

end

Use the same commands with a status of enable to use the policy again.

It is also an option to dedicate the interface as HA management interface by using the setting:

set ha-mgmt-intf-only enable

Local-in policies are also supported for IPv6 by entering the command:

config firewall local-in-policy6.

tooltip icon While there is a section under Policy & Objects for viewing the existing Local In Policy configuration, policies cannot be created or edited here in the GUI. The Local In polices can only be created or edited in the CLI.