- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Local-in priority
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Local-in priority
Hi all,
I have some doubts regarding local-in policies. I'll try to explain, maybe I'll add any further information if required.
I've created an address group with some ip addresses in order to prevent scanning and other not allowed requests. I've some firewall policies that deny to forward traffic from the banned group via wan to the internal interfaces and a local-in policy that block any action from the banned group:
config firewall policy edit 50 set name "WebServer-bannedIPs" set srcintf "virtual-wan-link" set dstintf "port2" set srcaddr "bannedips" set dstaddr "WebServer_http" "WebServer_https" set action deny set schedule "always" set service "ALL" set logtraffic all next
config firewall local-in-policy
edit 101 set intf "wan1" set srcaddr "bannedips" set dstaddr "all" set action deny set service "ALL" set schedule "always" set status enable next
Viewing logs, I can find banned ips that are blocked by the local-in policy (101) if they try to connect to unspecified ports, but if they try to connect to port 443 they match the firewall policy (50). I'll paste logs below:
date=2019-02-15 time=16:57:02 logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1550246222 srcip=bannedip srcport=59644 srcintf="wan1" srcintfrole="wan" dstip=externalip dstport=17070 dstintf="root" dstintfrole="undefined" sessionid=6047806 proto=6 action="deny" policyid=101 policytype="local-in-policy" service="tcp/17070" dstcountry="Italy" srccountry="Netherlands" trandisp="noop" app="tcp/17070" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
date=2019-02-15 time=05:03:23 devname=FG200 devid=FG200 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1550203402 srcip=bannedip srcport=50000 srcintf=wan1 srcintfrole="undefined" dstip=externalip dstport=443 dstintf="port2" dstintfrole="dmz" sessionid=4625888 proto=6 action="deny" policyid=50 policytype="policy" service="HTTPS" dstcountry="Italy" srccountry="United States" trandisp="dnat" tranip=internalip tranport=443 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
Could you help me to understand how policy priority works, please? How can I match the local-in policy before the firewall policy?
Thanks in advance,
Tommaso
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is how I think it would work (somebody would correct me if wrong) based on below reference.
When a packet arrives at an interface it checks "through-traffic" regular policy first if the should be passed and go out through another interface. If not, check the "allowaccess" config on the interface then local-in policies (or as in the description those allowaccesses are merged with local-in policies).
So in your case, I think you need to use "access-list" instead, which is probably checked against before these policies.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think what's happening wan1 probably has a VIP defined , OP is that true? Are "WebServer_http" "WebServer_https" VIPS
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for replying, Ken. You're right, they are VIPs. Does it change anything?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Toshi,
but with access-list I'm only able to have a whitelist, am I? If you're right about local-in, these policies stand right above the deny all and below the firewall policies. I'm going to have some further tests.
Related Posts
- Configuring HA with VDOM Partitioning: Determining... 201 Views
- Load Balance over IPSec Tunnels within... 263 Views
- SDWAN IPsec Priority 285 Views
- Priority between policy and virtual IP... 295 Views
- Fortigate 60F Sending Wrong LOGS to... 274 Views
Labels
-
FortiGate
6,527 -
FortiClient
1,302 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.