60E - Block traffic coming into firewall itself

Author
train_wreck
Bronze Member
  • Total Posts : 42
  • Scores: -2
  • Reward points: 0
  • Joined: 2018/01/11 19:58:09
  • Status: offline
2020/04/09 03:51:33 (permalink)
0

60E - Block traffic coming into firewall itself

I am getting hammered by a particular IP address on the WAN interface trying to brute force IPsec VPN (UDP port 500). How do I block traffic inbound to the device itself? I tried adding an IPv4 policy item with source & destination interface of "WAN1", a source address of the offending address, and a destination address of all. This did not work.
 
Cisco calls this the "control plane" traffic, which can be filtered just like regular interface access lists. Is this possible to do with Fortinet?
 
OS 6.0.
#1

6 Replies

    Markus
    Platinum Member
    • Total Posts : 242
    • Scores: 38
    • Reward points: 0
    • Joined: 2015/03/19 07:30:23
    • Location: Switzerland
    • Status: offline
    Re: 60E - Block traffic coming into firewall itself 2020/04/09 04:15:50 (permalink)
    #2
    train_wreck
    Bronze Member
    • Total Posts : 42
    • Scores: -2
    • Reward points: 0
    • Joined: 2018/01/11 19:58:09
    • Status: offline
    Re: 60E - Block traffic coming into firewall itself 2020/04/09 04:21:14 (permalink)
    1 (1)
    Wow. According to that post, there is currently not a way to block inbound UDP port 500 or 4500 on an IP basis. This is something Cisco has no problem doing......
    #3
    ede_pfau
    Expert Member
    • Total Posts : 6350
    • Scores: 537
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: 60E - Block traffic coming into firewall itself 2020/04/09 04:38:54 (permalink)
    0
    What?
    config firewall local-in-policy
        edit 1
            set intf "wan1"
            set srcaddr "VPN_origin_countries"
            set dstaddr "all"
            set action accept
            set service "IKE"
            set schedule "always"
        next
    end

    works perfectly. Explained: only those IP addresses contained in address group "VPN_origin_countries" will be allowed to open IPsec negotiations.
    Augment the service with a service group containing further protocols, like ESP and AH.
    Finally, block "ALL" services from "any" address from accessing the FGT.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #4
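    The reason the OP's IPv4 policy had no effect: regular firewall policies only govern traffic that is forwarded through the FortiGate. Packets addressed to one of the unit's own interface IPs (IKE on UDP 500/4500, management, SSL VPN and so on) never hit the forward policy table; they are evaluated by local-in policies instead, and when no local-in policy matches, the implicit result is accept. The configuration below is an added, complete version of the procedure ede_pfau outlines above; it is not from the post or from Fortinet. The address group name is taken from ede's post, the object names, the documentation addresses 203.0.113.7 (the noisy host) and 198.51.100.10 (a legitimate peer), and the service group name are all assumptions chosen for illustration.

```fortios
# Address objects (203.0.113.7 and 198.51.100.10 are constructed stand-ins)
config firewall address
    edit "ike_bruteforcer"
        set subnet 203.0.113.7 255.255.255.255
    next
    edit "vpn_peer_branch"
        set subnet 198.51.100.10 255.255.255.255
    next
end

# Group of sources that are allowed to negotiate IPsec with this unit
config firewall addrgrp
    edit "VPN_origin_countries"
        set member "vpn_peer_branch"
    next
end

# Everything an IPsec peer needs to reach: IKE (UDP 500/4500), ESP and AH,
# using the predefined FortiOS services
config firewall service group
    edit "IPsec_services"
        set member "IKE" "ESP" "AH"
    next
end

# Local-in policies are matched top-down; the first match wins
config firewall local-in-policy
    # 1. Explicit drop of the offending host for every service, placed first
    #    so it is evaluated before any accept rule
    edit 1
        set intf "wan1"
        set srcaddr "ike_bruteforcer"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
    # 2. Allow IPsec only from the known peers
    edit 2
        set intf "wan1"
        set srcaddr "VPN_origin_countries"
        set dstaddr "all"
        set action accept
        set service "IPsec_services"
        set schedule "always"
    next
    # 3. Catch-all drop for anything else addressed to the wan1 IP itself
    edit 3
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

    Policy 1 alone answers the OP's immediate question; policies 2 and 3 turn the interface into an allow-list, which is the stronger posture. Be aware that policy 3 also drops HTTPS/SSH/ping management, SSL VPN and anything else the unit expects to receive on wan1, so add accept rules above it for any such service (ideally restricted to known source addresses) before committing, or you will lock yourself out if you manage the box over the WAN. Local-in policies do not touch traffic passing through the firewall; forward policies still apply to that.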
    lobstercreed
    Gold Member
    • Total Posts : 256
    • Scores: 34
    • Reward points: 0
    • Joined: 2018/11/28 14:57:58
    • Location: Sedalia, MO
    • Status: offline
    Re: 60E - Block traffic coming into firewall itself 2020/04/09 05:30:04 (permalink)
    0
    Wil,
     
    I wonder if you didn't read the whole post that Markus shared.  This is the full thread: https://forum.fortinet.com/tm.aspx?m=177311
     
    OP "tripley" said that he did what was suggested and it solved his problem, so I'm not sure why you got out of it that it was unfixable...
     
    - Daniel
    #5
    tanr
    Platinum Member
    • Total Posts : 802
    • Scores: 36
    • Reward points: 0
    • Joined: 2016/05/09 17:09:43
    • Status: offline
    Re: 60E - Block traffic coming into firewall itself 2020/04/09 16:44:20 (permalink)
    0
    Note that your logs might not be showing the true picture for local-in and IKE.  That is, you may get invalid logs showing that something made it past local-in when in fact it did not.
     
    See bug #0515255 and https://forum.fortinet.com/tm.aspx?m=166107 for details.
    #6
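    Because the log may misreport what got past local-in, verify on the wire rather than in the log viewer. The commands below are an added example of that check, not part of the thread; 203.0.113.7 is a constructed stand-in for the offending source, and the syntax is the FortiOS 6.0 form (later releases spell the IKE log filter as "log filter").

```fortios
# Capture IKE packets to and from the offending host on wan1.
# Verbose level 4 prints interface names with the IP header, 0 = no packet
# limit, 'a' = absolute timestamps. Stop with Ctrl-C.
diagnose sniffer packet wan1 'host 203.0.113.7 and udp port 500' 4 0 a
# After the deny is in place you should still see the probes arrive on
# wan1 (the sniffer runs before local-in), but no packets should leave from
# the wan1 address back to 203.0.113.7. Any reply means the local-in policy
# is not matching (wrong interface, address object or ordering), whatever
# the traffic log claims.

# Trace the verdict for the next few probes. A local-in deny is reported by
# the local-in check (iprope_in_check) rather than by a forward policy id.
diagnose debug flow filter saddr 203.0.113.7
diagnose debug flow filter dport 500
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 5
# ... wait for the next probe, then tear the trace down
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# Confirm the IKE daemon itself no longer sees negotiation attempts from
# the host: with the filter set, the debug output should stay silent
diagnose vpn ike log-filter src-addr4 203.0.113.7
diagnose debug application ike -1
diagnose debug enable
# ... observe, then
diagnose debug disable
diagnose debug reset
```

    The sniffer and the flow trace are the authoritative evidence here: if the probes arrive, the flow trace shows a local-in drop, and the IKE daemon is quiet for that source, the block is working regardless of what the log entries say.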
    shlomi
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/04/15 12:02:30
    • Status: offline
    Re: 60E - Block traffic coming into firewall itself 2020/04/15 12:45:56 (permalink)
    #7