Enhanced security with default local-in policy 7.6.1
A default local-in policy has been added with internet service source enabled for Malicious-Malicious.Server, Tor-Exit.Node, and Tor-Relay.Node ISDB sources. This policy is designed to utilize these three sources to identify known malicious threat actors and prevent them from accessing any interface on the FortiGate on any service and port.
The new default local-in policy is added automatically when a FortiGate is in the factory default setting or when a new VDOM is created. Resetting your device to factory default settings is not recommended, so on FortiOS versions that support ISDB as a local-in policy source (7.4.4 and higher) you can add the policy manually instead. See Local-In policy for details.
To manually add the policy:
config firewall local-in-policy
    edit 1
        set intf "any"
        set dstaddr "all"
        set internet-service-src enable
        set internet-service-src-name "Malicious-Malicious.Server" "Tor-Exit.Node" "Tor-Relay.Node"
        set service "ALL"
        set schedule "always"
    next
end
To view the malicious sources that are blocked:
- Go to Policy & Objects > Internet Service Database and select the Internet Service tab.
- Search for Malicious-Malicious.Server, Tor-Exit.Node, or Tor-Relay.Node.
- Hover over the entry and, in the pop-up, click View/Edit Entries.
The listed addresses are the sources that will be blocked.
Example
In this example, the default local-in policy is used to protect the FortiGate management interface (port1) from large-scale brute-force attacks originating from known malicious networks.
The following steps will be completed:
- Enable VDOMs.
- Configure a new VDOM.
- View the default local-in policy.
- Move the management interface to the newly created VDOM.
Enable VDOMs
To enable VDOMs in the GUI:
- Go to System > Settings.
- In the System Operation Settings section, enable Virtual Domains.
- Click OK.
You will be logged out of the device when the VDOM mode is enabled. Not all devices support enabling VDOMs using the GUI.
To enable VDOMs in the CLI:
config system global
    set vdom-mode multi-vdom
end
You will be logged out of the device when the VDOM mode is enabled.
Configure a new VDOM
Most FortiGate devices support 10 VDOMs by default. Many models also support purchasing a license key to increase the maximum number of VDOMs. Some exceptions may apply.
To configure a VDOM in the GUI:
- Go to System > VDOM.
- Click Create New.
- Enter a Virtual Domain name, such as mgmt, and set the Type to Traffic.
- Click OK.
A pop-up warning appears; click OK to confirm.
To configure a VDOM in the CLI:
config vdom
    edit mgmt
        config system settings
            set vdom-type traffic
        end
    next
end
View the default local-in policy
To view the local-in policy in the GUI:
- In the mgmt VDOM, go to Policy & Objects > Local-In Policy. If Local-In Policy is not visible in the tree menu, go to System > Feature Visibility to enable it.
To view the local-in policy in the CLI:
# show firewall local-in-policy 1
config firewall local-in-policy
    edit 1
        set uuid 2ab7****-****...
        set intf "any"
        set dstaddr "all"
        set internet-service-src enable
        set internet-service-src-name "Malicious-Malicious.Server" "Tor-Exit.Node" "Tor-Relay.Node"
        set service "ALL"
        set schedule "always"
    next
end
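Because the policy is only created automatically on factory-default devices and new VDOMs, upgraded devices and hand-edited policies can silently lack it. The following Python script is an added example, not Fortinet code or part of FortiOS: it parses the config/edit/set/next/end text that show firewall local-in-policy prints and reports whether some policy still blocks all three ISDB sources on any interface, any service and the always schedule, which is the shape of the default policy shown above. It assumes that show omits default values, so a missing action is treated as deny and a missing status as enable (the FortiOS defaults for local-in policies); the sample outputs, including the zero uuid, are constructed.

```python
"""Audit 'show firewall local-in-policy' output for the default malicious-source block.

Added example (not Fortinet's code). Parses the FortiOS CLI block format and checks
that a policy matching the default ISDB-based local-in policy is present and intact.
"""
import shlex

# The three ISDB sources named in the default policy.
REQUIRED_SOURCES = {"Malicious-Malicious.Server", "Tor-Exit.Node", "Tor-Relay.Node"}

# Keywords that must carry exactly these values for the policy to cover everything.
REQUIRED_SCOPE = (("intf", "any"), ("dstaddr", "all"), ("service", "ALL"), ("schedule", "always"))


def parse_policies(show_output: str) -> list[dict]:
    """Parse 'show' output into one dict per 'edit' block: {'id': ..., keyword: [values]}.

    Nested 'config ... end' blocks inside an edit are skipped; lines starting with '#'
    (the echoed command prompt) and blank lines are ignored.
    """
    policies: list[dict] = []
    current = None
    depth = 0  # nesting depth of config blocks inside the current edit
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the double-quoted names
        kw = tokens[0]
        if current is None:
            if kw == "edit":
                current = {"id": tokens[1]}
            continue
        if kw == "config":
            depth += 1
        elif kw == "end" and depth > 0:
            depth -= 1
        elif depth == 0 and kw == "set":
            current[tokens[1]] = tokens[2:]
        elif depth == 0 and kw == "next":
            policies.append(current)
            current = None
    return policies


def audit_policy(policy: dict) -> list[str]:
    """Return the reasons this policy does NOT match the default block; empty means it does."""
    problems = []
    # 'show' does not print defaults: assumed FortiOS defaults are status enable, action deny.
    if policy.get("status", ["enable"]) != ["enable"]:
        problems.append("policy is disabled")
    if policy.get("action", ["deny"]) != ["deny"]:
        problems.append("action is not deny")
    if policy.get("internet-service-src") != ["enable"]:
        problems.append("internet-service-src is not enabled")
    missing = REQUIRED_SOURCES - set(policy.get("internet-service-src-name", []))
    if missing:
        problems.append("missing ISDB sources: " + ", ".join(sorted(missing)))
    for kw, want in REQUIRED_SCOPE:
        if policy.get(kw) != [want]:
            problems.append(f"{kw} is {policy.get(kw)}, expected {want!r}")
    return problems


def find_compliant_policy(show_output: str):
    """Return the id of the first policy that fully matches the default block, or None."""
    for policy in parse_policies(show_output):
        if not audit_policy(policy):
            return policy["id"]
    return None


# Constructed sample modelled on the page's output; the uuid is a placeholder.
SAMPLE_GOOD = """
config firewall local-in-policy
    edit 1
        set uuid 00000000-0000-0000-0000-000000000000
        set intf "any"
        set dstaddr "all"
        set internet-service-src enable
        set internet-service-src-name "Malicious-Malicious.Server" "Tor-Exit.Node" "Tor-Relay.Node"
        set service "ALL"
        set schedule "always"
    next
end
"""

# Constructed sample of a hand-edited device: one source dropped, scope narrowed to port1,
# plus an unrelated second policy. Neither policy matches the default block.
SAMPLE_DRIFTED = """
config firewall local-in-policy
    edit 1
        set intf "port1"
        set dstaddr "all"
        set internet-service-src enable
        set internet-service-src-name "Malicious-Malicious.Server" "Tor-Exit.Node"
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
    next
end
"""

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("drifted", SAMPLE_DRIFTED)):
        match = find_compliant_policy(text)
        print(f"{label}: compliant policy id = {match}")
        if match is None:
            for policy in parse_policies(text):
                print(f"  policy {policy['id']}: {audit_policy(policy)}")
```

Paste the output of show firewall local-in-policy from each VDOM into the script (or feed it from a config backup) to confirm the block survived an upgrade or an administrator's edits; any non-empty problem list is a policy that no longer covers every interface, service or source.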
Assign interfaces to a VDOM
An interface can only be assigned to one VDOM, and cannot be moved if it is referenced in an existing configuration.
In the GUI, the interface list Ref. column shows if the interface is referenced in an existing configuration and allows you to quickly access and edit those references.
To assign an interface to a VDOM in the GUI:
- In the Global VDOM, go to Network > Interfaces.
- Select the interface that will be assigned to a VDOM, such as port1, and click Edit.
- Select the VDOM that the interface will be assigned to from the Virtual Domain list, such as mgmt.
- Click OK.
To assign an interface to a VDOM in the CLI:
config global
    config system interface
        edit port1
            set vdom mgmt
        next
    end
end