Internet service as source addresses in the local-in policy 7.4.4
This information is also available in the FortiOS 7.4 Administration Guide:
An internet service can be used as the source address in a local-in policy, so traffic addressed to the FortiGate itself (management access, ICMP, and other local-in traffic) can be allowed or denied based on the ISDB entry the source IP belongs to rather than on a static address object. This gives more flexibility and control when managing local traffic.
config firewall local-in-policy
edit <id>
set internet-service-src {enable | disable}
set internet-service-src-name <string>
set internet-service-src-group <string>
set internet-service-src-custom <string>
set internet-service-src-custom-group <string>
set internet-service-src-negate {enable | disable}
next
end
internet-service-src {enable | disable}
    Enable/disable use of Internet Services as the source for this local-in policy. If enabled, the source address setting (srcaddr) is not used.

internet-service-src-name <string>
    Internet Service source name.

internet-service-src-group <string>
    Internet Service source group name.

internet-service-src-custom <string>
    Custom Internet Service source name.

internet-service-src-custom-group <string>
    Custom Internet Service source group name.

internet-service-src-negate {enable | disable}
    When enabled,
In this example, the internet service Malicious-Malicious.Server is applied as the source in a local-in policy. Packets are then sent to the FortiGate from a client whose IP address belongs to that internet service. The local-in policy should block them.
To configure the local-in policy, send packets, and then check the results:
1. Apply the Malicious-Malicious.Server internet service in the local-in policy. No action is set, so the policy uses the default action, deny:

config firewall local-in-policy
    edit 1
        set intf "port3"
        set dstaddr "all"
        set internet-service-src enable
        set internet-service-src-name "Malicious-Malicious.Server"
        set service "ALL_ICMP" "ALL_TCP"
        set schedule "always"
    next
end

2. Configure the interface used in the local-in policy to allow ping, HTTPS, and SSH access:

config system interface
    edit "port3"
        set vdom "vdom1"
        set ip 10.2.2.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set device-identification enable
        set snmp-index 5
    next
end

3. Enable local-in-deny-unicast logging so that the policy blocking results can be checked:

config log setting
    set local-in-deny-unicast enable
end

4. Send packets from the client IP address 1.0.1.21, which belongs to the Malicious-Malicious.Server internet service in the installed Internet Service Database. The packets match the local-in policy and the FortiGate does not respond to the incoming ICMP or SSH packets (only inbound packets are seen by the sniffer; there are no replies or SYN-ACKs):

# diagnose sniffer packet any icmp 4
interfaces=[any]
filters=[icmp]
34.814391 port3 in 1.0.1.21 -> 10.2.2.2: icmp: echo request
35.814252 port3 in 1.0.1.21 -> 10.2.2.2: icmp: echo request
36.814121 port3 in 1.0.1.21 -> 10.2.2.2: icmp: echo request
37.813983 port3 in 1.0.1.21 -> 10.2.2.2: icmp: echo request
38.813847 port3 in 1.0.1.21 -> 10.2.2.2: icmp: echo request
^C
5 packets received by filter
0 packets dropped by kernel

# diagnose sniffer packet any 'tcp and port 22' 4
interfaces=[any]
filters=[tcp and port 22]
5.988037 port3 in 1.0.1.21.21102 -> 10.2.2.2.22: syn 2964400061
6.985778 port3 in 1.0.1.21.21102 -> 10.2.2.2.22: syn 2964400061
8.986481 port3 in 1.0.1.21.21102 -> 10.2.2.2.22: syn 2964400061
12.997883 port3 in 1.0.1.21.21102 -> 10.2.2.2.22: syn 2964400061
^C
4 packets received by filter
0 packets dropped by kernel
5. Check the local-in traffic log to confirm that the ICMP and SSH packets were blocked. The srcinetsvc field shows which internet service the source IP matched, and policytype="local-in-policy" with action="deny" confirms the block came from this policy:
1: date=2024-04-08 time=15:14:38 eventtime=1712643278466511132 tz="-0700" logid="0001000014" type="traffic" subtype="local" level="notice" vd="vdom1" srcip=1.0.1.21 identifier=1 srcintf="port3" srcintfrole="undefined" dstip=10.2.2.2 dstintf="vdom1" dstintfrole="undefined" srcinetsvc="Malicious-Malicious.Server" srccountry="China" srcregion="Fujian" srccity="Sanming" dstcountry="Reserved" sessionid=29356 proto=1 action="deny" policyid=1 policytype="local-in-policy" poluuid="dd003848-f633-51ee-7dad-cc8be11d188e" service="icmp" trandisp="noop" app="icmp" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" msg="Connection Failed" srchwvendor="Fortinet" devtype="Unknown" osname="Unknown" mastersrcmac="70:4c:a5:97:d9:26" srcmac="70:4c:a5:97:d9:26" srcserver=0
6: date=2024-04-08 time=15:09:30 eventtime=1712642970682804537 tz="-0700" logid="0001000014" type="traffic" subtype="local" level="notice" vd="vdom1" srcip=1.0.1.21 srcport=21102 srcintf="port3" srcintfrole="undefined" dstip=10.2.2.2 dstport=22 dstintf="vdom1" dstintfrole="undefined" srcinetsvc="Malicious-Malicious.Server" srccountry="China" dstcountry="Reserved" sessionid=29240 proto=6 action="deny" policyid=1 policytype="local-in-policy" poluuid="dd003848-f633-51ee-7dad-cc8be11d188e" service="SSH" trandisp="noop" app="Console Management(SSH)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" msg="Connection Failed" srchwvendor="Fortinet" devtype="Unknown" osname="Unknown" mastersrcmac="70:4c:a5:97:d9:26" srcmac="70:4c:a5:97:d9:26" srcserver=0
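Reading these entries one at a time is fine for a lab, but in operation the same check is usually run over an exported log. The Python script below is an added example written for this page; it is not part of the FortiOS documentation or any Fortinet tool. It parses the key=value format of the local traffic log and counts local-in denies whose source matched an internet service. The first two sample lines are the ICMP and SSH entries shown above; the third is a constructed accept record (not taken from a FortiGate) included only to show that non-matching records are skipped. The field names it relies on (srcinetsvc, policytype, action, srcip, service) are those visible in the entries above.

```python
"""Count FortiOS local-in policy denies by internet-service source.

Added example for this page; not FortiOS documentation or Fortinet code.
It parses the key=value lines printed for the local traffic log and keeps
only records where a local-in policy denied traffic whose source address
matched an internet service (the srcinetsvc field).
"""
import re
from collections import Counter

# One key=value field. The value is either a double-quoted string (which may
# contain spaces, parentheses or '=') or a run of non-space characters.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Lines 1 and 2 are the ICMP and SSH entries from the page. Line 3 is a
# constructed accept record (assumption: not captured from a FortiGate) that
# exists only so the filter has something to skip.
SAMPLE_LOGS = [
    '1: date=2024-04-08 time=15:14:38 eventtime=1712643278466511132 tz="-0700" '
    'logid="0001000014" type="traffic" subtype="local" level="notice" vd="vdom1" '
    'srcip=1.0.1.21 identifier=1 srcintf="port3" srcintfrole="undefined" '
    'dstip=10.2.2.2 dstintf="vdom1" dstintfrole="undefined" '
    'srcinetsvc="Malicious-Malicious.Server" srccountry="China" srcregion="Fujian" '
    'srccity="Sanming" dstcountry="Reserved" sessionid=29356 proto=1 action="deny" '
    'policyid=1 policytype="local-in-policy" poluuid="dd003848-f633-51ee-7dad-cc8be11d188e" '
    'service="icmp" trandisp="noop" app="icmp" duration=0 sentbyte=0 rcvdbyte=0 '
    'sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" '
    'msg="Connection Failed" srchwvendor="Fortinet" devtype="Unknown" osname="Unknown" '
    'mastersrcmac="70:4c:a5:97:d9:26" srcmac="70:4c:a5:97:d9:26" srcserver=0',
    '6: date=2024-04-08 time=15:09:30 eventtime=1712642970682804537 tz="-0700" '
    'logid="0001000014" type="traffic" subtype="local" level="notice" vd="vdom1" '
    'srcip=1.0.1.21 srcport=21102 srcintf="port3" srcintfrole="undefined" '
    'dstip=10.2.2.2 dstport=22 dstintf="vdom1" dstintfrole="undefined" '
    'srcinetsvc="Malicious-Malicious.Server" srccountry="China" dstcountry="Reserved" '
    'sessionid=29240 proto=6 action="deny" policyid=1 policytype="local-in-policy" '
    'poluuid="dd003848-f633-51ee-7dad-cc8be11d188e" service="SSH" trandisp="noop" '
    'app="Console Management(SSH)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 '
    'rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" '
    'msg="Connection Failed" srchwvendor="Fortinet" devtype="Unknown" osname="Unknown" '
    'mastersrcmac="70:4c:a5:97:d9:26" srcmac="70:4c:a5:97:d9:26" srcserver=0',
    # Constructed: an admin host allowed through; no srcinetsvc, action accept.
    '7: date=2024-04-08 time=15:21:05 tz="-0700" type="traffic" subtype="local" '
    'vd="vdom1" srcip=10.2.2.10 srcport=51000 srcintf="port3" dstip=10.2.2.2 '
    'dstport=443 proto=6 action="accept" policytype="local-in-policy" service="HTTPS"',
]


def parse_fortilog(line: str) -> dict:
    """Return the key=value fields of one FortiOS log line as a dict.

    The leading 'N: ' record index is not a field and is ignored. Quotes are
    stripped from quoted values; bare values are kept as strings.
    """
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_inetsvc_local_in_deny(rec: dict) -> bool:
    """True for a local-in policy deny whose source matched an internet service."""
    return (
        rec.get("type") == "traffic"
        and rec.get("subtype") == "local"
        and rec.get("policytype") == "local-in-policy"
        and rec.get("action") == "deny"
        and bool(rec.get("srcinetsvc"))
    )


def summarize_denies(lines) -> Counter:
    """Count qualifying denies keyed by (internet service, source IP, service)."""
    counts = Counter()
    for line in lines:
        rec = parse_fortilog(line)
        if is_inetsvc_local_in_deny(rec):
            counts[(rec["srcinetsvc"], rec["srcip"], rec.get("service", "?"))] += 1
    return counts


if __name__ == "__main__":
    for (inetsvc, srcip, svc), n in sorted(summarize_denies(SAMPLE_LOGS).items()):
        print(f"{inetsvc:30} {srcip:15} {svc:8} denied x{n}")
```

Feed it the output of a log export instead of SAMPLE_LOGS to see which internet services are generating local-in denies and from which addresses; a sudden rise in hits for a service you did not expect to match usually means the ISDB was updated and now covers addresses that previously reached the management interfaces.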