Warning! Audit Deprecated
Information
Configure Local-in Policies to control inbound traffic that is destined to a FortiGate interface.
Rationale:
Local-in Policies allow for more granular and specific control of all types of traffic that are destined for a FortiGate interface. They are not limited to management-only protocols, so they can extend beyond 'trusted host' configurations and be configured with source and destination addresses as well as specific services.
Impact:
Local-in Policies are processed before 'trusted host' configurations, so it is important to validate that management access will be maintained once the Local-in policies are put in place.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Local-in Policies can only be configured through the CLI:
config firewall {local-in-policy | local-in-policy6}
    edit <policy_number>
        set intf <interface>
        set srcaddr <source_address> [source_address] ...
        set dstaddr <destination_address> [destination_address] ...
        set action {accept | deny}
        set service <service_name> [service_name] ...
        set schedule <schedule_name>
        set comments <string>
    next
end
For example, to prevent the source subnet 10.10.10.0/24 from pinging port1 while still allowing administrative access for PING on port1 from other hosts (the action is set explicitly so the intent does not depend on the default):
config firewall address
    edit '10.10.10.0'
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf 'port1'
        set srcaddr '10.10.10.0'
        set dstaddr 'all'
        set action deny
        set service 'PING'
        set schedule 'always'
        set comments 'Block ICMP from 10.10.10.0/24 to port1'
    next
end
Default Value:
There are no Local-in Policies in place by default.
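The following Python script is an added example, not part of this Nessus audit or of FortiOS. It parses the text of a `config firewall local-in-policy` block (such as the output of `show firewall local-in-policy`), reports the benchmark failure when no policies exist, and flags the lockout risk described under Impact: a deny from 'all' for a management service on an interface with no earlier accept for management hosts. The sample configuration is constructed; the script assumes that a policy without `set action` behaves as deny and that policies are matched top-down in listed order.

```python
import shlex
from typing import Dict, List

# Constructed sample in the shape of `show firewall local-in-policy` output; not
# captured from a real device. Policy 4 deliberately omits `set action`.
SAMPLE_CONFIG = """
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "10.10.10.0"
        set dstaddr "all"
        set action deny
        set service "PING"
        set schedule "always"
    next
    edit 2
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
    next
    edit 3
        set intf "port3"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set action accept
        set service "SSH"
    next
    edit 4
        set intf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSH"
    next
end
"""

MULTI_VALUE = {"srcaddr", "dstaddr", "service"}  # keywords that take a list of names


def parse_local_in_policies(text: str) -> List[Dict]:
    """Parse the local-in-policy / local-in-policy6 blocks of a FortiOS config dump."""
    policies: List[Dict] = []
    current = None
    in_block = False
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles both "quoted" and 'quoted' names
        if not tokens:
            continue
        if tokens[:2] == ["config", "firewall"] and tokens[2:] in (
            ["local-in-policy"], ["local-in-policy6"]
        ):
            in_block = True
        elif not in_block:
            continue
        elif tokens[0] == "edit":
            # Assumption: a policy with no `set action` behaves as deny.
            current = {"id": int(tokens[1]), "action": "deny", "intf": ""}
            current.update({k: [] for k in MULTI_VALUE})
        elif tokens[0] == "set" and current is not None:
            key, values = tokens[1], tokens[2:]
            current[key] = values if key in MULTI_VALUE else " ".join(values)
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
        elif tokens[0] == "end":
            in_block = False
    return policies


def evaluate(policies: List[Dict], mgmt_services=("HTTPS", "SSH")) -> List[str]:
    """Benchmark check plus the management-lockout check from the Impact note.

    Assumption: policies are matched top-down in listed order, so a deny from
    'all' for a management service is only safe if an earlier accept on the
    same interface already admits the management hosts.
    """
    findings: List[str] = []
    if not policies:
        return ["FAIL: no local-in policies configured"]
    mgmt = set(mgmt_services)
    for idx, pol in enumerate(policies):
        if pol["action"] != "deny" or "all" not in pol["srcaddr"]:
            continue
        blocked = mgmt if "ALL" in pol["service"] else mgmt & set(pol["service"])
        if not blocked:
            continue
        covered = set()
        for prev in policies[:idx]:
            if prev["action"] == "accept" and prev["intf"] == pol["intf"]:
                covered |= mgmt if "ALL" in prev["service"] else set(prev["service"])
        uncovered = blocked - covered
        if uncovered:
            findings.append(
                f"WARN: policy {pol['id']} denies {sorted(uncovered)} from 'all' on "
                f"{pol['intf']} with no earlier accept for management hosts"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_local_in_policies(SAMPLE_CONFIG)
    print(f"{len(parsed)} local-in policies parsed")
    for line in evaluate(parsed) or ["PASS: policies present, no lockout risk found"]:
        print(line)
```

Run against the sample, the script reports one warning for policy 2 (HTTPS and SSH denied from 'all' on port2 with no preceding accept) and stays quiet for policy 4, whose SSH deny on port3 is preceded by the accept for 'mgmt-hosts'. Adjust `mgmt_services` to the protocols enabled under `allowaccess` on the interfaces being audited.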