Deep Dive into the FortiGate Firewall Local-In Policy: GUI vs. CLI and What You Can & Can't Do
- Published: 28 Sep 2022
- In this video tutorial we take a deep dive into the FortiGate firewall's Local-In Policy semantics. We go over the GUI and its limitations for making changes, as well as the fact that you don't see the default Local-In Policy in the CLI, and then demonstrate the use case of denying certain subnets or hosts administrative connectivity to the FortiGate firewall. This is all done on a FortiGate 60-E running 7.0.6 code. Remember, you can't create custom Local-In Policies from the GUI (only from the CLI), and you won't see those custom Local-In Policies in the GUI, only in the CLI. The reverse is true as well: the default administrative Local-In Policy page settings can't be seen from the CLI, but you can change/modify them under the interface section of the GUI or the 'config system interface' section of the CLI. Hope this helps you out and enjoy!
You are a Star, hope you make a good FortiGate series
Thank you so much. Your video really saved me. I googled, but no one could explain Local-In Policy clearly.
After a very long time, another detailed and well explained video. Thank you so much sir. Always waiting for your next video.
Great explanation :)
Thanks a ton. I have been looking for a tutorial for managing local-in policies, and yours is the best I have seen so far.
However, I wonder if you know about this, because it has been impossible to find: the function of the 'set srcaddr-negate enable' command.
Per my understanding, this reverses the way the local-in policy works, and by default would allow only your specified addresses.
I have a few firewalls where I need to put something like that in place, and I have been testing this in my lab and it appears to work how I am intending. I am just concerned about putting it on some production firewalls with as little documentation as I have been able to find.
Do you have any experience with that function? Perhaps another video already? (I'm about to scroll through your videos and check)
Thanks in advance.
Just to add to the topic - local-in-policy has an implicit ALLOW, so if you want to permit certain ranges to a particular management service, you then have to create a "deny any" to that service, or use the negate function [carefully] as mentioned by @ClownzRevenge. Be very careful with local-in policies - do NOT do a "deny any any"!!!
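As an added example (not from the video or Fortinet's documentation), here is CLI-only configuration for both the use case in the description (deny one subnet admin access) and the allow-list pattern from the comment above (implicit allow plus a deny scoped to the management services, using srcaddr-negate). The interface name "wan1" and the 198.51.100.0/24 and 192.0.2.0/24 ranges are assumed placeholders.

```fortios
# Added example; "wan1" and both subnets are constructed placeholders.
# What the unit listens for is set per interface ('config system interface'),
# and is what the GUI's default Local-In Policy page reflects.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

config firewall address
    edit "BLOCKED_NET"
        set subnet 198.51.100.0 255.255.255.0
    next
    edit "MGMT_ALLOWED"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# Policies are matched top-down, first match wins, implicit ALLOW at the end.
# Entry 1 = the video's use case: shut one subnet out of HTTPS/SSH admin access.
# Entry 2 = allow-list: srcaddr-negate turns the match into "everyone except
# MGMT_ALLOWED". Entry 2 alone already covers entry 1; keep whichever fits.
# Both are scoped to the admin services only: a deny of all services from all
# sources also drops pings, VPN and routing traffic addressed to the unit.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "BLOCKED_NET"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
        set comments "Block admin access from BLOCKED_NET"
    next
    edit 2
        set intf "wan1"
        set srcaddr "MGMT_ALLOWED"
        set srcaddr-negate enable
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
        set comments "Deny admin access from anything except MGMT_ALLOWED"
    next
end
```

Apply this from a session that originates inside MGMT_ALLOWED and keep it open until a second session confirms access still works; then verify with `show firewall local-in-policy`, since, as the video notes, these entries never appear in the GUI.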