After attending the 2025 Information Security Conference, I feel that restricting the source IP is still a protection policy with some real effect, so we are evaluating adding such a restriction to our existing FortiGate VPN. First, I confirmed that FortiGate can create address objects of type Country/Geography, so what remains is writing and applying the relevant policies.

Originally, an AI assistant suggested filtering with a WAN → IPsec rule in the Firewall Policy, but in my actual test that did not block anything. My guess is that when an IPsec VPN is created, FortiGate automatically adds an entry to the Incoming Native Traffic Policy (Local-In) that allows any IP to connect via IPsec, which makes the Firewall Policy irrelevant for this purpose. (IKE and ESP packets are addressed to the FortiGate itself rather than forwarded through it, so they are evaluated by the Local-In policy, not by the regular firewall policies.) Therefore, if you want to block these connections, the place to start is the Local-In policy.

My firmware version is 7.4.7. In the graphical interface the Local-In policy can only be viewed; it cannot be edited or reordered. So after creating the address object for the relevant countries, the next step is to open the CLI Console and make the Local-In policy changes by command.
(According to the official documentation, from 7.6.0 onward this can also be configured through the GUI.)
【FortiGate Environment】
- Firmware version: 7.4.7
- VPN type: IPsec
- Goal: allow only IPs from specific countries to connect to the IPsec VPN.
【CLI Console】
A note on ordering before we start. The usual approach is to create the allow rules first and then a deny-all rule at the end, but because I want to confirm that the deny-all actually takes effect first, I create the deny rule first, and once everything is in place I use move to adjust the order of the policies.
1. Deny all IP connections to the IPsec VPN
    config firewall local-in-policy
        edit 1
            set intf "virtual-wan-link"    # virtual-wan-link is the name of the interface
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set service "IKE" "ESP"        # IKE = UDP 500/4500, ESP = IP protocol 50
            set schedule "always"
        next
    end
2. Allow IPs from specific countries to connect to the IPsec VPN (Country-Allow is the geography address object created earlier)
    config firewall local-in-policy
        edit 2
            set intf "virtual-wan-link"
            set srcaddr "Country-Allow"
            set dstaddr "all"
            set action accept
            set service "IKE" "ESP"
            set schedule "always"
        next
    end
3. Adjust the local-in-policy order (policies are matched top-down, first match wins, so the accept rule must come before the deny rule)
    config firewall local-in-policy
        move 2 before 1
    end
4. Check the final result; policy 2 (accept, Country-Allow) should now be listed before policy 1 (deny, all)
    show firewall local-in-policy
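The steps above, assembled into one complete CLI sequence as an added example (this is not the original post's script). It goes slightly beyond the post by also showing how the geography address objects are created, since a geography address object holds exactly one country and several of them are collected into an address group that the local-in policy references. The country codes TW and JP and the object names Geo-TW and Geo-JP are assumptions for illustration; the group name Country-Allow and the interface name virtual-wan-link are the ones used in the post. Replace them with your own values.

```fortios
# Added example, not from the original post. Country codes and Geo-* names are assumptions.
# 1. One geography address object per allowed country
config firewall address
    edit "Geo-TW"
        set type geography
        set country "TW"
    next
    edit "Geo-JP"
        set type geography
        set country "JP"
    next
end

# 2. Group them so the local-in policy can reference a single source object
config firewall addrgrp
    edit "Country-Allow"
        set member "Geo-TW" "Geo-JP"
    next
end

# 3. Local-in policies for the interface the VPN peers reach:
#    deny IKE/ESP from everywhere, accept only from the allowed countries,
#    then move the accept above the deny (first match wins)
config firewall local-in-policy
    edit 1
        set intf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE" "ESP"
        set schedule "always"
    next
    edit 2
        set intf "virtual-wan-link"
        set srcaddr "Country-Allow"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
    move 2 before 1
end

# 4. Verify: policy 2 (accept) must be listed before policy 1 (deny)
show firewall local-in-policy
```

The lines starting with # are annotations for the reader; remove them if you paste the script into the console. After applying it, test from a source inside an allowed country and from one outside it: the first should complete IKE negotiation, the second should see no IKE reply at all, which you can confirm with the sniffer and debug commands in the next section.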
【Extra: Observing Traffic】
During testing, if you want to observe the traffic, the following commands can be used.
1. Sniff ports 500 and 4500 on any interface
    diag sniffer packet any 'port 500 or port 4500' 4    # verbosity 4 is the most detailed, 1 the simplest; press CTRL+C to stop
2. Trace the first 100 packets from a given source (123.123.123.123 is a placeholder) in debug flow mode
    diag debug reset
    diag debug flow filter addr 123.123.123.123
    diag debug flow trace start 100
    diag debug enable
    # ... reproduce the connection attempt, then stop and clean up ...
    diag debug disable
    diag debug reset
3. Observe IKE negotiation in debug mode
    diag debug reset
    diag debug console timestamp enable
    diag debug application ike -1    # level 1 to 15; -1 means the most verbose
    diag debug enable
    # ... reproduce the connection attempt, then stop and clean up ...
    diag debug disable
    diag debug reset
【Related Links】
- Introduction and setting of FortiGate Local-in policy – Andy's IT technology sharing website
- How to move the order of local-in policy for… – Fortinet Community