Allow ping access from a specific ip only

Author: danfor443 (New Member)
2020/06/29 03:51:13


Hello everyone,
 
The goal is that Nagios monitoring from the headquarters can ping the branch FortiGates on their external interface IP, i.e. their public IP.
 
If I allow the "PING" service in the GUI under Interfaces -> <WAN>, then it works.
But then everyone may ping my external interface.
 
So I want to limit access and found the article "https://kb.fortinet.com/kb/documentLink.do?externalID=FD44156", which describes exactly what I need... but it won't work.
 
The firewall is a FortiGate 100E with version 6.0.9 build 0335 (GA).
 
 
***** The local-in Policy as described in the KB Article ******
config firewall local-in-policy
edit 1
set intf "wan2"
set srcaddr "trusted-1"
set dstaddr "all"
set action accept
set service "PING"
set schedule "always"
set status enable
next
end
 
where "trusted-1" is 12.12.12.12/32 (of course I changed the original source IP),
and "wan2" is the correct interface here.
************************************************************
 
 
 
 
***** Here is the syslog when I try a PING from IP 12.12.12.12 ******
Jun 29 12:09:54 xxxxx date=2020-06-29 time=12:09:10 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593425350 srcip=12.12.12.12 srcintf="wan2" srcintfrole="wan" dstip=34.34.34.34 dstintf="root" dstintfrole="undefined" sessionid=65326605 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
 
Here I see "deny and policyid=0 and policytype=local-in-policy".
************************************************************
 
 
 
 
 
***** Or here is the output of "diagnose sniffer packet wan2 'host 12.12.12.12 and icmp' 4 0 1" ******
8.880774 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
9.889553 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
10.899540 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
11.909555 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
12.919622 wan2 -- 12.12.12.12 -> 34.34.34.34: icmp: echo request
 
As you can see, there is no reply.
************************************************************
 
 
The routing table is set correctly.
If I enable PING via the GUI on the WAN2 interface, it immediately works.
 
So the problem seems to be the local-in policy?!
 
Can anybody help me?
Has someone had the same problem?
 
Best Regards
Danfor
post edited by danfor443 - 2020/06/29 04:45:02
#1


    ede_pfau (Expert Member, Heidelberg, Germany)
    Re: Allow ping access from a specific ip only 2020/06/29 04:38:26
    set status disable
    ...seen this?

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    danfor443 (New Member)
    Re: Allow ping access from a specific ip only 2020/06/29 04:44:30
    Hi Ede,
     
    Oh sorry, this is just because I did some troubleshooting and copied this part after I had disabled it.
    Sorry, confusing.
    But it doesn't work with "set status enable".
    #3
    oscar37 (New Member)
    Re: Allow ping access from a specific ip only 2020/06/29 08:11:42
    Hi,
     
    Try this:
     
    config firewall local-in-policy
        edit 1
            set intf "wan1"
            set srcaddr "YOUR TRUSTED IP"
            set dstaddr "all"
            set action accept
            set service "ALL_ICMP"
            set schedule "always"
        next
        edit 2
            set intf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL_ICMP"
            set schedule "always"
        next
    end
     
    I have been using this for a while now and it has always worked for me.
     
     
     
    #4
    danfor443 (New Member)
    Re: Allow ping access from a specific ip only 2020/06/29 13:07:40
    Hi Oscar,
     
    Thank you for your post.
     
    Hmmmm, interesting.... actually it is still not working, but:
     
    I made the config as you described:
     
    XXXXX (local-in-policy) # edit 1
    XXXXX (1) # get
    policyid            : 1
    intf                : wan2
    srcaddr             : "trusted-1"
    dstaddr             : "all"
    action              : accept
    service             : "ALL_ICMP"
    schedule            : always
    status              : enable
    comments            :

    XXXXX (local-in-policy) # edit 2
    XXXXX (2) # get
    policyid            : 2
    intf                : wan2
    srcaddr             : "all"
    dstaddr             : "all"
    action              : deny
    service             : "ALL_ICMP"
    schedule            : always
    status              : enable
    comments            :


     
    Now in the syslog I see the same as before:
     
    ...deny, policyid=0, local-in-policy,.....
     
    Jun 29 21:58:55 xxxxx date=2020-06-29 time=21:58:09 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460689 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67085042 proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
     
     
    If I disable local policy 1 (which should allow the ping):
     
    ...deny, policyid=2, local-in-policy,.....    <-- it says policyid=2   
    That means local policy (2) works if I disable local policy (1).
    But local policy (2) doesn't work if I enable local policy (1)....   instead policyid (0) is working....
    Strange behavior, I guess.
     
    Jun 29 21:59:49 xxxxx date=2020-06-29 time=21:59:03 devname="xxxxx" devid="xxxxx" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1593460743 srcip=62.157.187.218 srcintf="wan2" srcintfrole="wan" dstip=195.145.57.147 dstintf="root" dstintfrole="undefined" sessionid=67087264 proto=1 action="deny" policyid=2 policytype="local-in-policy" service="PING" dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
     
     
    Do I have to enable local policies configured over the CLI or something like that?
     
    Thank you people for reading and helping!
    #5
    oscar37 (New Member)
    Re: Allow ping access from a specific ip only 2020/06/30 11:51:22
    That's strange. This worked for me every time.
     
    Another option is to create a loopback interface and add a VIP to it. In the policy, allow ICMP only from your trusted host.
     
     
    Thank You,
     
    Oscar
     
     
     
    #6
    danfor443 (New Member)
    Re: Allow ping access from a specific ip only 2020/07/02 08:15:51
    OK, I have the solution.
     
    If I enable PING in the GUI the first time, everyone can now ping this interface.
    NOW I can make the configuration like Oscar's. After that only "set srcaddr 'YOUR TRUSTED IP'" can ping the interface.
    Problem solved.
     
    My misunderstanding was that I thought as long as I enable PING in the GUI, everyone can ping that interface.
    Furthermore I thought I needed to create the local-in policy INSTEAD of enabling PING in the GUI.
     
    Now I know: enabling PING in the GUI is like activating the service.
    After that I have to create local-in policies to limit access. Then it works.
     
     
    Thank you guys for helping!
    Learned something again.
     
    Greetings
    Danfor
    #7
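    The syslog lines pasted in this thread are the quickest way to tell whether a local-in policy is doing what you intend, so here is an added example (mine, not code from the thread or from Fortinet) that parses the FortiOS key=value log format and audits each ICMP local-in event against the rule "only the trusted host may ping wan2". It assumes the trusted host is the thread's anonymised 12.12.12.12/32 and the interface is wan2; the sample log lines are constructed, the first one being the thread's own anonymised line. The hint attached to a policyid=0 deny reflects the resolution above (PING must first be enabled on the interface, whose CLI setting is `allowaccess`; that name is my addition, the thread only describes the GUI toggle).

```python
"""Audit FortiOS local-in ICMP log events against an intended policy.

Added example, not code from the forum thread or from Fortinet.  It parses
the key=value line format of FortiOS type="traffic" subtype="local" logs
(as pasted in the thread) and checks every ICMP event on the WAN interface
against the intended rule: only the trusted host may ping the interface,
everything else must be denied.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumptions taken from the thread: the trusted monitoring host ("trusted-1")
# and the WAN interface on which PING is restricted.
TRUSTED_HOSTS = [ipaddress.ip_network("12.12.12.12/32")]
WAN_INTERFACE = "wan2"

# One key=value pair: the value is either double-quoted (may contain spaces
# or '=') or a bare token without whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Return the fields of one FortiOS log line with surrounding quotes removed.

    Anything before the first key=value pair (syslog timestamp, host) is skipped.
    """
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_trusted(srcip: str) -> bool:
    """True when srcip falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(srcip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_HOSTS)


def audit_event(fields: Dict[str, str]) -> str:
    """Classify one log event against the intended local-in ICMP policy.

    "ignored"                  not an ICMP local-in event on the WAN interface
    "ok"                       observed action matches the intended policy
    "trusted-denied-implicit"  trusted host denied with policyid=0, i.e. no
                               explicit local-in policy matched; in the thread
                               this was the symptom of PING not being enabled
                               on the interface (allowaccess) before the policies
    "trusted-denied-by-<id>"   trusted host hit an explicit deny policy
    "untrusted-accepted"       a non-trusted host was allowed through
    """
    if fields.get("type") != "traffic" or fields.get("subtype") != "local":
        return "ignored"
    if fields.get("proto") != "1" or fields.get("srcintf") != WAN_INTERFACE:
        return "ignored"
    trusted = is_trusted(fields.get("srcip", ""))
    action = fields.get("action")
    policyid = fields.get("policyid", "0")
    if action == "accept":
        return "ok" if trusted else "untrusted-accepted"
    if action != "deny":
        return "ignored"
    if not trusted:
        return "ok"
    if policyid == "0":
        return "trusted-denied-implicit"
    return f"trusted-denied-by-{policyid}"


def audit_lines(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Audit many log lines; returns (srcip, action, policyid, verdict) per line."""
    results = []
    for line in lines:
        f = parse_fortios_log(line)
        results.append((f.get("srcip", "?"), f.get("action", "?"),
                        f.get("policyid", "?"), audit_event(f)))
    return results


def _local_in(srcip: str, action: str, policyid: int) -> str:
    """Build a constructed local-in PING log line carrying the fields the audit uses."""
    return (f'Jun 29 22:00:00 xxxxx date=2020-06-29 time=22:00:00 devname="xxxxx" '
            f'type="traffic" subtype="local" level="notice" vd="root" srcip={srcip} '
            f'srcintf="wan2" srcintfrole="wan" dstip=34.34.34.34 dstintf="root" '
            f'proto=1 action="{action}" policyid={policyid} policytype="local-in-policy" '
            f'service="PING" app="PING"')


# Constructed sample input.  The first line is the thread's syslog line (anonymised
# addresses); the rest vary only srcip, action and policyid.
SAMPLE_LOGS = [
    'Jun 29 12:09:54 xxxxx date=2020-06-29 time=12:09:10 devname="xxxxx" devid="xxxxx" '
    'logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" '
    'eventtime=1593425350 srcip=12.12.12.12 srcintf="wan2" srcintfrole="wan" '
    'dstip=34.34.34.34 dstintf="root" dstintfrole="undefined" sessionid=65326605 '
    'proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING" '
    'dstcountry="Germany" srccountry="Germany" trandisp="noop" app="PING" duration=0 '
    'sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"',
    _local_in("12.12.12.12", "deny", 2),     # trusted host hit the explicit deny policy
    _local_in("12.12.12.12", "accept", 1),   # intended outcome after the fix
    _local_in("198.51.100.7", "deny", 2),    # untrusted host correctly denied
    _local_in("198.51.100.7", "accept", 1),  # misconfiguration: untrusted host allowed
    _local_in("198.51.100.7", "accept", 1).replace('subtype="local"', 'subtype="forward"'),
]

if __name__ == "__main__":
    for srcip, action, policyid, verdict in audit_lines(SAMPLE_LOGS):
        print(f"{srcip:<15} {action:<7} policyid={policyid:<3} {verdict}")
```

    Feed it the `type="traffic" subtype="local"` lines from your syslog collector; any `trusted-denied-implicit` result is the situation from post #1 and #5 (the monitoring host dropped by policyid 0), while `untrusted-accepted` would mean the deny-all policy is missing or ordered before the allow rule.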
    ede_pfau (Expert Member, Heidelberg, Germany)
    Re: Allow ping access from a specific ip only 2020/07/05 08:10:27
    Actually, FortiOS creates local-in policies for you if you enable Trusted Hosts. It's one and the same thing, but TH is a shortcut config. If you enable the feature 'Local policies' in System > Features, you can see these policies.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #8