Restrict access to VPN Tunnel Terminator | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Cookbook, KB

Mark Thread UnreadFlat Reading Mode ❐

Hot!Restrict access to VPN Tunnel Terminator

Author Post Essentials Only Full Version
Stuart Kendrick New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2017/11/19 05:27:19 Location: Seattle, WA USA Status: offline 2018/04/12 11:28:02 (permalink) 0 Restrict access to VPN Tunnel Terminator I have a VPN tunnel to Azure. In the logs, I see random sites attempting Phase I with the VPN Tunnel interface on the Fortigate. They fail of course, as they aren't sourced from the specified IP address nor do they have the pre-shared key. But I don't enjoy seeing these messages in the logs. How might I go about applying a Policy to prevent these packets from even reaching the IPSec VPN Tunnel interface? As I poke around, I'm realizing that I don't even know how FortiOS handles this -- I don't see any IPv4 Policy which permits IKE / ESP to my tunnel interface. I do see Local In Policies which seem to permit UDP 500 / 4500 / 1701 to any interface. And IPv4 Access Control List doesn't seem to be granular enough -- only supports Denies -- no Allows. Is Local In Policy the place to start, in terms of attempting to lock this down? --sk #1 5 Replies Related Threads
Markus Silver Member Total Posts : 91 Scores: 8 Reward points: 0 Joined: 2015/03/19 07:30:23 Location: Switzerland Status: offline Re: Restrict access to VPN Tunnel Terminator 2018/04/12 22:45:32 (permalink) 0 Hi, Welcome to the Forums. Yes, the Local In Policy is the place, but you have to use CLI. Take a look at this Tread https://forum.fortinet.com/tm.aspx?m=148259&tree=true Best, Markus #2
Stuart Kendrick New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2017/11/19 05:27:19 Location: Seattle, WA USA Status: offline Re: Restrict access to VPN Tunnel Terminator 2018/04/16 05:38:10 (permalink) 0 Ahh, I see. Thank you for the pointer. For reference, here is what I did: config firewall local-in-policy edit 1 set ha-mgmt-intf-only disable set intf "AzureVPN" set srcaddr "Remote Azure VPN Gateway" set dstaddr "Local Azure VPN Gateway" set action accept set service "IKE" set schedule "always" set status enable next edit 2 set ha-mgmt-intf-only disable set intf "AzureVPN" set srcaddr "Remote Azure VPN Gateway" set dstaddr "Local Azure VPN Gateway" set action accept set service "ESP" set schedule "always" set status enable next edit 3 set ha-mgmt-intf-only disable set intf "AzureVPN" set srcaddr "all" set dstaddr "Local Azure VPN Gateway" set action deny set service "IKE" set schedule "always" set status enable next edit 4 set ha-mgmt-intf-only disable set intf "AzureVPN" set srcaddr "all" set dstaddr "Local Azure VPN Gateway" set action deny set service "ESP" set schedule "always" set status enable next end #3
Markus Silver Member Total Posts : 91 Scores: 8 Reward points: 0 Joined: 2015/03/19 07:30:23 Location: Switzerland Status: offline Re: Restrict access to VPN Tunnel Terminator 2018/04/16 07:03:37 (permalink) 0 Good to hear and thanks for sharing! #4
emnoc Expert Member Total Posts : 4727 Scores: 280 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Restrict access to VPN Tunnel Terminator 2018/04/16 07:50:10 (permalink) 0 Could you have just set the dst_addr to ALL edit 3 set ha-mgmt-intf-only disable set intf "AzureVPN" set srcaddr "all" set dstaddr "all" set action deny set service "IKE" set schedule "always" set status enable next edit 4 set ha-mgmt-intf-only disable set intf "AzureVPN" set srcaddr "all" set dstaddr "all" set action deny set service "ESP" set schedule "always" set status enable next end PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web #5
Stuart Kendrick New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2017/11/19 05:27:19 Location: Seattle, WA USA Status: offline Re: Restrict access to VPN Tunnel Terminator 2018/04/17 03:47:35 (permalink) 0 Yes, good point, that would seem to work just fine #6

Jump to:

© 2018 APG vNext Commercial Version 5.5