naveenk
Staff
September 20, 2019

Technical Tip: How to allow a port


Description


This article describes how to allow a port on a FortiGate.
By default, the FortiGate firewall denies all traffic passing through it on all ports due to a pre-configured 'implicit deny policy'.

 

Scope

 

FortiGate.

Solution


To allow any traffic through FortiGate on any port, configure the IPv4 policy with the 'action' set to 'Accept/Permit'.

Below is an example of how to allow the RDP port 3389 traffic through FortiGate:


Step 1:
Create the 'Service' Object for the port that needs to be allowed under Policy and Object -> Services.

If it is a standard port, there are predefined service objects in the 'Service' list.
If not, configure the 'Service' Object under
Policy and Object -> Services -> Create New -> Service.

 
Using the CLI:

config firewall service custom
    edit "RDP_Port"
        set category "Remote Access"
        set tcp-portrange 3389 3389
    next
end

 
Note: RDP uses both TCP and UDP, so in this example both protocols should be added to the service object. If the service uses only one protocol (either TCP or UDP), add only that protocol with its port number. To add UDP alongside TCP, use the command 'set udp-portrange <low> <high>'.
 
Step 2:
Apply the configured service object 'RDP_Port' under the 'Service' option of the policy configuration:

To create a policy, navigate to Policy and Object -> IPv4 Policy -> Create New.
 
 
Using the CLI:
      
config firewall policy
    edit 11
        set name "Allow_RDP"
        set uuid 902f509c-8249-51ef-9cd2-05d76de7c7d2
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "RDP_Port"
        set logtraffic all
        set nat enable
    next
end
 
To verify, run the sniffer as follows:
 
diagnose sniffer packet any "tcp port 3389 or udp port 3389" 4 0 1
interfaces=[any]
filters=[tcp port 3389 or udp port 3389]
1.427148 port1 in 10.143.3.189.64958 -> 10.5.41.48.3389: syn 2923297620    <- Packet enters on FortiGate Port1 (ingress).
1.427148 port2 out 10.143.3.189.64958 -> 10.5.41.48.3389: syn 2923297620   <- Packet is leaving on port 2 (egress).


Notes:

  • Place this specific policy above all other, more general policies, since policies are matched from the top down.
  • If it is required to block the specific port, the steps are the same except with the 'action' set to 'Deny'.
  • Configure a Virtual IP (VIP) to allow or deny access to an internal service through FortiGate when the service is hosted on a device behind the FortiGate.
  • Use Local-In Policy to allow or block specific incoming ports targeting FortiGate’s IP.
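The following is an added configuration example, not part of the original article, that works through the points in the notes above: a service object carrying both TCP and UDP 3389, a specific deny policy moved above the general 'Allow_RDP' policy (ID 11 from Step 2), and a Local-In policy for port 3389 aimed at the FortiGate's own interface IP. The interface names 'port1'/'port2', the policy IDs 12 and 1, the address object 'Untrusted_Net' and its subnet (the 192.0.2.0/24 documentation range) are assumptions; the '#' lines are explanatory comments.

```fortios
# Added example, not from the original article. Interface names, policy IDs,
# the "Untrusted_Net" object and its subnet are assumptions.

# Service object carrying both TCP and UDP 3389, as the Step 1 note describes.
config firewall service custom
    edit "RDP_Port"
        set category "Remote Access"
        set tcp-portrange 3389 3389
        set udp-portrange 3389 3389
    next
end

# Address object for the source range that must not reach RDP (assumed subnet).
config firewall address
    edit "Untrusted_Net"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# Deny policy: same shape as "Allow_RDP" but with the action set to deny.
# Logging is kept on so blocked RDP attempts are visible in the traffic log.
config firewall policy
    edit 12
        set name "Deny_RDP_Untrusted"
        set srcintf "port1"
        set dstintf "port2"
        set action deny
        set srcaddr "Untrusted_Net"
        set dstaddr "all"
        set schedule "always"
        set service "RDP_Port"
        set logtraffic all
    next
    # Policies are matched top-down: place the specific deny above the general allow (ID 11).
    move 12 before 11
end

# Local-In policy: applies to traffic addressed to the FortiGate's own port1 IP,
# not to traffic passing through the unit (that is handled by firewall policy).
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "RDP_Port"
        set schedule "always"
    next
end
```

After applying this, the same 'diagnose sniffer packet' command from the verification step can be used to confirm that RDP from the denied range is seen entering on port1 but never leaves on port2, while RDP from other sources still matches 'Allow_RDP'.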