Deep Dive into the FortiGate Firewall Local-In Policy: GUI vs. CLI and What You Can & Can't Do

  6,563 views

Travis Bonfigli

days ago

In this video tutorial we take a deep dive into the FortiGate firewall's Local-In Policy semantics. We go over the GUI and its limitations for making changes, as well as the fact that you don't see the default Local-In Policy in the CLI, and then demonstrate the use case of denying certain subnets or hosts administrative connectivity to the FortiGate firewall. This is all done with a FortiGate 60-E running 7.0.6 code. Remember, you can't create custom Local-In Policies from the GUI (only from the CLI), and you won't see those custom Local-In Policies in the GUI, only in the CLI. The reverse is true as well: the default administrative Local-In Policy page settings can't be seen from the CLI, but you can change them under the interface section of the GUI or in the 'config system interface' section of the CLI. Hope this helps you out, and enjoy!
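The use case described above, denying one subnet administrative access to the FortiGate, written out as FortiOS CLI. This is an added example, not the configuration shown in the video; the interface name `wan1`, the address object name `BLOCKED-MGMT-SRC`, the policy ID `1` and the subnet 203.0.113.0/24 (a documentation range) are assumptions.

```fortios
# Added example: custom local-in policy denying admin access from one subnet.
# Assumed names: wan1, BLOCKED-MGMT-SRC, policy ID 1, 203.0.113.0/24.
# Apply it from a console or a source address outside the denied subnet.

# 1. Address object for the subnet that must not reach the admin services.
config firewall address
    edit "BLOCKED-MGMT-SRC"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# 2. Local-in policy: traffic from that subnet, arriving on wan1 and destined
#    to the firewall itself on HTTPS or SSH, is dropped. Everything else still
#    follows the allowaccess settings under 'config system interface'.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "BLOCKED-MGMT-SRC"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
        set status enable
    next
end

# 3. Custom entries are only visible from the CLI, so verify them here.
show firewall local-in-policy
```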

Comments: 6
@om-ty3jf year ago
You are a Star, hope you make a good FortiGate series
@ghulamrasool3311 year ago
After a very long time, another detailed and well explained video. Thank you so much sir. Always waiting for your next video.
@damiannaziomek8714 5 months ago
Great explanation :)
@ClownzRevenge year ago
Thanks a ton. I have been looking for a tutorial for managing local-in policies, and yours is the best I have seen so far. However, I wonder if you know this, because this has been impossible to find. That's the function of the 'set srcaddr-negate enable' function. Per my understanding, this reverses the way the local-in policy works, and by default would allow only your specified addresses. I have a few firewalls I need to put something like that in place, and I have been testing this in my lab and it appears to work how I am intending, I am just concerned with putting them on some production firewalls with as little documentation as I have been able to find. Do you have any experience with that function? Perhaps another video already? (I'm about to scroll through your videos and check) Thanks in advance.
@georgexu8196 6 months ago
Thank you so much. Your video really saved me. I googled, but no one can explain Local-In Policy clearly.
@mustdobetter6748 year ago
Just to add to the topic - local-in-policy has an implicit ALLOW, so if you want to permit certain ranges to a particular management service, you then have to create a "deny any" to that service, or use the negate function [carefully] as mentioned by @ClownzRevenge. Be very careful with local-in policies - do NOT do a "deny any any"!!!