A few days ago, while going through the firewall logs, I saw the management interface being hit with username/password attempts almost every second. It was unpleasant to watch, so I just confirmed with AI how to restrict the management interface to IPs from specific countries.
The approach this time is the same as last time with the IPSec VPN: work from Local-In-Policy. On my version, 7.2.12, the related options do not seem to appear in the GUI at all, so once again it has to be done from the CLI.
【FortiGate environment】
- Firmware version: 7.2.12
- Goal: only allow IPs from a specific country to log in to the firewall's management interface.
【CLI console】
One thing to watch out for: first confirm the names of your interfaces, address objects and services. For example, this time I found that on a different default firmware the name of the 0.0.0.0 subnet object can differ; it might be called 'any' or it might be called 'all'.
config firewall local-in-policy
    # Wan2: allow Taiwan IPs
    edit 1
        set intf "wan2"
        set srcaddr "Region - Taiwan"
        set dstaddr "all"
        set action accept
        set service "Firewall-Mgmt"
        set schedule "always"
    next
    # Wan2: deny all other IPs (deny is the default action; set it explicitly so the intent is visible)
    edit 2
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "Firewall-Mgmt"
        set schedule "always"
    next
    # Wan1: allow Taiwan IPs
    edit 3
        set intf "wan1"
        set srcaddr "Region - Taiwan"
        set dstaddr "all"
        set action accept
        set service "Firewall-Mgmt"
        set schedule "always"
    next
    # Wan1: deny all other IPs
    edit 4
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "Firewall-Mgmt"
        set schedule "always"
    next
end
Check the final configuration result:
show firewall local-in-policy
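The order of the four rules above is what makes them work: local-in policies are matched top to bottom, the first match wins, and traffic that matches no local-in policy simply falls through to the interface's normal access handling, which is why each "allow Taiwan" rule is followed by an explicit "deny all". The following Python script is an added illustration, not anything from the original post or from Fortinet: it models that first-match evaluation for the page's four rules so you can dry-run a source IP before applying the config and see why a swapped or missing deny rule changes the outcome. The geo-IP table, the country codes and the service name matching are constructed stand-ins for the firewall's built-in geography database; the documentation prefixes (RFC 5737) are labelled as Taiwan and "elsewhere" only for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the firewall's geo-IP database. Real "Region - <country>"
# objects come from the unit's built-in geography data; these are RFC 5737
# documentation ranges labelled for illustration only.
CONSTRUCTED_GEOIP = {
    "TW": [ipaddress.ip_network("203.0.113.0/24")],   # labelled "Taiwan"
    "ZZ": [ipaddress.ip_network("198.51.100.0/24")],  # labelled "some other country"
}

# Address-object name -> country code, mirroring the object name used on the page.
REGION_OBJECTS = {"Region - Taiwan": "TW"}


@dataclass(frozen=True)
class LocalInPolicy:
    seq: int        # the "edit N" number; rules are evaluated in ascending order
    intf: str
    srcaddr: str    # "all" or a "Region - ..." address-object name
    service: str
    action: str     # "accept" or "deny"


def country_of(ip: str) -> Optional[str]:
    """Look the address up in the constructed geo table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in CONSTRUCTED_GEOIP.items():
        if any(addr in net for net in nets):
            return cc
    return None


def src_matches(srcaddr: str, ip: str) -> bool:
    if srcaddr == "all":
        return True
    cc = REGION_OBJECTS.get(srcaddr)
    if cc is None:
        # The page's warning: object names differ between firmware builds,
        # so a rule referencing a name that does not exist is a config error.
        raise ValueError(f"unknown address object {srcaddr!r}")
    return country_of(ip) == cc


def evaluate(policies: List[LocalInPolicy], intf: str, src_ip: str,
             service: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins. If no rule matches, return 'fallthrough':
    the packet is then handled by the interface's ordinary access settings,
    which is exactly the gap the explicit deny-all rules close."""
    for p in sorted(policies, key=lambda p: p.seq):
        if p.intf == intf and p.service == service and src_matches(p.srcaddr, src_ip):
            return p.action, p.seq
    return "fallthrough", None


def check_ordering(policies: List[LocalInPolicy]) -> List[Tuple[int, int]]:
    """Report (earlier_seq, later_seq) pairs where an 'all' rule precedes a
    narrower rule on the same interface and service, so the later rule can
    never match (it is shadowed)."""
    issues = []
    ordered = sorted(policies, key=lambda p: p.seq)
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            if (earlier.intf == later.intf and earlier.service == later.service
                    and earlier.srcaddr == "all" and later.srcaddr != "all"):
                issues.append((earlier.seq, later.seq))
    return issues


# The four rules from the page, with the deny action written out explicitly.
PAGE_POLICIES = [
    LocalInPolicy(1, "wan2", "Region - Taiwan", "Firewall-Mgmt", "accept"),
    LocalInPolicy(2, "wan2", "all",             "Firewall-Mgmt", "deny"),
    LocalInPolicy(3, "wan1", "Region - Taiwan", "Firewall-Mgmt", "accept"),
    LocalInPolicy(4, "wan1", "all",             "Firewall-Mgmt", "deny"),
]

if __name__ == "__main__":
    # Dry-run: which rule would each constructed source address hit on wan2?
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, country_of(ip), evaluate(PAGE_POLICIES, "wan2", ip, "Firewall-Mgmt"))
    print("shadowed rules:", check_ordering(PAGE_POLICIES))
```

Before pushing the real config, run your own public address through the same kind of check and keep an existing admin session open until `show firewall local-in-policy` confirms the rules: if your address is not inside the region object, rule 2 or 4 will lock you out. Note also that the rules only cover the "Firewall-Mgmt" service, so any other service reaching the interface still falls through to the interface's own access settings.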
<Related Links>
- Laosen's IT Tales » FortiGate IPSec VPN: restrict connections to IPs from specific countries