Fortinet white logo
Fortinet white logo

Administration Guide

Local-in policies

Local-in policies

While security profiles control traffic flowing through the FortiGate, local-in policies control inbound traffic that is going to a FortiGate interface.

Administrative access traffic (HTTPS, PING, SSH, and others) can be controlled by allowing or denying the service in the interface settings. Trusted hosts can be configured under an administrator to restrict the hosts that can access the administrative service.

Local-in policies allow administrators to granularly define the source and destination addresses, interface, and services. Traffic destined for the FortiGate interface specified in the policy that meets the other criteria is subject to the policies action.

Local-in policies can be used to restrict administrative access or other services, such as VPN, that can be specified as services. You can define source addresses or address groups to restrict access from. For example, by using a geographic type address you can restrict a certain geographic set of IP addresses from accessing the FortiGate.

By default, no local-in policies are defined, so there are no restrictions on local-in traffic.

Note

Local-in policies can only be created or edited in the CLI. You can view the existing local-in policies in the GUI by enabling it in System > Feature Visibility under the Additional Features section. This page does not list the custom local-in policies.

To configure a local-in policy using the CLI:
config firewall {local-in-policy | local-in-policy6}
    edit <policy_number>
        set intf <interface>
        set srcaddr <source_address> [source_address] ...
        set dstaddr <destination_address> [destination_address] ...
        set action {accept | deny}
        set service <service_name> [service_name] ...
        set schedule <schedule_name>
        set comments <string>
    next
end

For example, to prevent the source subnet 10.10.10.0/24 from pinging port1, but allow administrative access for PING on port1:

config firewall address
    edit "10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "10.10.10.0"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
    next
end
To test the configuration:
  1. From the PC at 10.10.10.12, start a continuous ping to port1:

    ping 192.168.2.5 –t
  2. On the FortiGate, enable debug flow:

    # diagnose debug flow filter addr 10.10.10.12
    # diagnose debug flow filter proto 1
    # diagnose debug enable
    # diagnose debug flow trace start 10
    
  3. The output of the debug flow shows that traffic is dropped by local-in policy 1:

    # id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 10.10.10.12:1->192.168.2.5:2048) from port1. type=8, code=0, id=1, seq=128."
    id=20085 trace_id=1 func=init_ip_session_common line=5918 msg="allocate a new session-0017c5ad"
    id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw-192.168.2.5 via root"
    id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 1, drop"

Additional options

To disable or re-enable the local-in policy, use the set status {enable | disable} command.

To dedicate the interface as an HA management interface, use the set ha-mgmt-intf-only enable command.

TTL policies

You can configure a time-to-live (TTL) policy to block attack traffic with high TTLs. This feature only applies to local-in traffic and does not apply to traffic passing through the FortiGate. You can use srcintf to set the interface that the local-in traffic hits. See config firewall ttl-policy.

To configure a TTL policy using the CLI:
config firewall ttl-policy
    edit <id>
        set status {enable | disable}
        set action {accept | deny}
        set srcintf <interface>
        set srcaddr <source_address> [source_address] ...
        set service <service_name> [service_name] ...
        set schedule <schedule_name>
        set ttl <value/range>
    next
end

Local-in policies

Local-in policies

While security profiles control traffic flowing through the FortiGate, local-in policies control inbound traffic that is going to a FortiGate interface.

Administrative access traffic (HTTPS, PING, SSH, and others) can be controlled by allowing or denying the service in the interface settings. Trusted hosts can be configured under an administrator to restrict the hosts that can access the administrative service.

Local-in policies allow administrators to granularly define the source and destination addresses, interface, and services. Traffic destined for the FortiGate interface specified in the policy that meets the other criteria is subject to the policies action.

Local-in policies can be used to restrict administrative access or other services, such as VPN, that can be specified as services. You can define source addresses or address groups to restrict access from. For example, by using a geographic type address you can restrict a certain geographic set of IP addresses from accessing the FortiGate.

By default, no local-in policies are defined, so there are no restrictions on local-in traffic.

Note

Local-in policies can only be created or edited in the CLI. You can view the existing local-in policies in the GUI by enabling it in System > Feature Visibility under the Additional Features section. This page does not list the custom local-in policies.

To configure a local-in policy using the CLI:
config firewall {local-in-policy | local-in-policy6}
    edit <policy_number>
        set intf <interface>
        set srcaddr <source_address> [source_address] ...
        set dstaddr <destination_address> [destination_address] ...
        set action {accept | deny}
        set service <service_name> [service_name] ...
        set schedule <schedule_name>
        set comments <string>
    next
end

For example, to prevent the source subnet 10.10.10.0/24 from pinging port1, but allow administrative access for PING on port1:

config firewall address
    edit "10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "10.10.10.0"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
    next
end
To test the configuration:
  1. From the PC at 10.10.10.12, start a continuous ping to port1:

    ping 192.168.2.5 –t
  2. On the FortiGate, enable debug flow:

    # diagnose debug flow filter addr 10.10.10.12
    # diagnose debug flow filter proto 1
    # diagnose debug enable
    # diagnose debug flow trace start 10
    
  3. The output of the debug flow shows that traffic is dropped by local-in policy 1:

    # id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 10.10.10.12:1->192.168.2.5:2048) from port1. type=8, code=0, id=1, seq=128."
    id=20085 trace_id=1 func=init_ip_session_common line=5918 msg="allocate a new session-0017c5ad"
    id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw-192.168.2.5 via root"
    id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 1, drop"

Additional options

To disable or re-enable the local-in policy, use the set status {enable | disable} command.

To dedicate the interface as an HA management interface, use the set ha-mgmt-intf-only enable command.

TTL policies

You can configure a time-to-live (TTL) policy to block attack traffic with high TTLs. This feature only applies to local-in traffic and does not apply to traffic passing through the FortiGate. You can use srcintf to set the interface that the local-in traffic hits. See config firewall ttl-policy.

To configure a TTL policy using the CLI:
config firewall ttl-policy
    edit <id>
        set status {enable | disable}
        set action {accept | deny}
        set srcintf <interface>
        set srcaddr <source_address> [source_address] ...
        set service <service_name> [service_name] ...
        set schedule <schedule_name>
        set ttl <value/range>
    next
end