FortiGate IPsec VPN Block Verification & Incident Response

This guide covers:

  • Verifying IPsec blocks (Local-In Policy)
  • Troubleshooting failures
  • Post-compromise investigation
  • Hardening recommendations

1. Verify Local-In Policy Exists

show firewall local-in-policy

The output must contain a policy entry for the blocked address that includes:

set action deny

2. Verify Policy is Loaded in Kernel

diagnose firewall iprope list 100004

3. Monitor IKE Activity (Real-Time)

diagnose debug reset
diagnose debug application ike -1
diagnose debug enable

Disable:

diagnose debug disable

4. Packet-Level Validation

diagnose sniffer packet wan1 "port 500 or port 4500" 4

5. VPN Log Review

execute log filter category 1
execute log display

6. Post-Compromise Investigation

Review the VPN logs for the suspicious source address, then look for lateral movement inside the network (RDP, SMB, SSH, database access) from any host the attacker reached.

7. Kill Active Sessions

diagnose vpn ike gateway list
diagnose vpn ike gateway flush

8. Create Local-In Policy to Block IPsec Attacker

Step 1 — Create Address Object

config firewall address
edit "blocked-ip"
set subnet <ATTACKER_IP> 255.255.255.255
next
end

Step 2 — Create Local-In Policy

config firewall local-in-policy
edit 0
set intf "wan1"
set srcaddr "blocked-ip"
set dstaddr "all"
set service "IKE"
set schedule "always"
set action deny
next
end

Step 3 — (Optional) Block NAT-T (UDP 4500)

config firewall service custom
edit "NAT-T"
set udp-portrange 4500
next
end
config firewall local-in-policy
edit <policy_id>
set service "IKE" "NAT-T"
next
end

Step 4 — Verify Policy

show firewall local-in-policy

Step 5 — Confirm Active in Kernel

diagnose firewall iprope list 100004

9. Common Mistakes

  • Wrong interface in set intf (it must be the interface that receives IKE traffic, e.g. wan1)
  • Missing next after the entry
  • Wrong or misspelled address object name in set srcaddr
  • Not blocking UDP 4500 (NAT-T), so IKE still reaches the device through NAT traversal
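Added check for Steps 4 and 5 and the mistakes listed above (example code, not from this guide or from Fortinet): it parses the text of show firewall local-in-policy, reports which deny entries match the attacker address object on the given interface, and lists whether IKE and NAT-T are both covered. The sample output, the interface name wan1 and the object name blocked-ip are constructed assumptions; paste the real show output in their place.

```python
import re, shlex
from typing import Dict, List, Tuple

# Constructed sample of `show firewall local-in-policy` output (not from a real
# device); entry 1 denies IKE from blocked-ip on wan1 but omits NAT-T.
SAMPLE_SHOW_OUTPUT = """\
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-ip"
        set dstaddr "all"
        set service "IKE"
        set action deny
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set action accept
    next
end
"""


def parse_local_in_policies(text: str) -> List[Dict[str, List[str]]]:
    """Turn the edit/set/next blocks into one dict per committed policy entry."""
    policies, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit\s+(\d+)$", line)
        if m:                                   # start of a policy entry
            current = {"id": [m.group(1)]}
        elif line == "next" and current:        # entry closed with `next`
            policies.append(current)
            current = {}
        elif line.startswith("set ") and current:
            key, *values = shlex.split(line[4:])  # shlex strips the quotes
            current[key] = values
    return policies


def check_ipsec_block(text: str, intf: str, srcaddr: str,
                      required=("IKE", "NAT-T")) -> Tuple[List[str], List[str]]:
    """Return (matching deny entry ids, required services still uncovered)."""
    ids, covered = [], set()
    for p in parse_local_in_policies(text):
        if (intf in p.get("intf", []) and srcaddr in p.get("srcaddr", [])
                and p.get("action") == ["deny"]):
            ids.append(p["id"][0])
            covered.update(p.get("service", []))
    return ids, [s for s in required if s not in covered]
```

A non-empty second element in the result is a gap to close, such as the NAT-T service from Step 3 never being added to the policy.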

10. Hardening Recommendations

  • Enable MFA for VPN users
  • Use IKEv2 only
  • Use strong pre-shared keys or, preferably, certificate authentication
  • Restrict what VPN users can reach on the internal network
  • Geo-block VPN access from regions where no users are expected

Final Note

Blocking a single IP is not a long-term defense. Use layered security.