Technical Tip: Using multiple IP addresses or address groups to filter source or destination in a single firewall policy
Description
This article describes how to reduce the number of firewall policies by grouping IP addresses to which the same filtering rule(s) apply, so that one policy covers all of them.
Scenario
Internet SMTP Server1 ===\
Internet SMTP Server2 ===+=== external [ FortiGate ] internal ===
Internet SMTP Server3 ===/
All 3 servers are subject to the same Firewall Rule on the FortiGate, from external to internal.
Solution
- Create one firewall policy per server, each with its own distinct source address.
- Create a single firewall policy that lists multiple source addresses (example 1).
- Create an address group containing all the addresses and use it as the source in a single firewall policy (example 2).
Example 1
config firewall address
    edit "Internet_SMTP1"
        set subnet <IPaddress1 Mask1>
    next
    edit "Internet_SMTP2"
        set subnet <IPaddress2 Mask2>
    next
    edit "Internet_SMTP3"
        set subnet <IPaddress3 Mask3>
    next
end
config firewall policy
    edit 0
        set srcintf "external"
        set dstintf "internal"
        set srcaddr "Internet_SMTP1" "Internet_SMTP2" "Internet_SMTP3"
        <set all the rest based on your requirements>
    next
end
Example 2
config firewall address
    edit "Internet_SMTP1"
        set subnet <IPaddress1 Mask1>
    next
    edit "Internet_SMTP2"
        set subnet <IPaddress2 Mask2>
    next
    edit "Internet_SMTP3"
        set subnet <IPaddress3 Mask3>
    next
end
config firewall addrgrp
    edit "External_SMTP_servers"
        set member "Internet_SMTP1" "Internet_SMTP2" "Internet_SMTP3"
    next
end
config firewall policy
    edit 0
        set srcintf "external"
        set dstintf "internal"
        set srcaddr "External_SMTP_servers"
        <set all the rest based on your requirements>
    next
end
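The following Python script is an added example, not Fortinet's code or part of this article. It generates the CLI pattern of examples 1 and 2 for any number of servers (the article shows three) and, more usefully for review, resolves a policy's srcaddr list back to the concrete subnets it admits, so you can confirm that the single-policy and address-group forms allow exactly the same sources and that no srcaddr name is left undefined. The server names follow the article; the IP values are constructed placeholders from RFC 5737 documentation ranges, and the helper names are this example's own.

```python
"""Generate and cross-check the FortiOS address / addrgrp / policy pattern.

Added example (not Fortinet's code). Object names follow the article;
subnets are constructed placeholders in RFC 5737 documentation space.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample input: (address object name, subnet in CIDR form).
SERVERS: List[Tuple[str, str]] = [
    ("Internet_SMTP1", "192.0.2.10/32"),
    ("Internet_SMTP2", "198.51.100.25/32"),
    ("Internet_SMTP3", "203.0.113.7/32"),
]
GROUP_NAME = "External_SMTP_servers"


def subnet_to_fortios(cidr: str) -> str:
    """FortiOS 'set subnet' takes '<address> <netmask>', not CIDR notation."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def quoted(names: Iterable[str]) -> str:
    """Space-separated, double-quoted list as FortiOS expects for multi-value sets."""
    return " ".join(f'"{n}"' for n in names)


def render_addresses(servers: Iterable[Tuple[str, str]]) -> str:
    """config firewall address block: one 'edit ... next' per server."""
    lines = ["config firewall address"]
    for name, cidr in servers:
        lines += [f'    edit "{name}"',
                  f"        set subnet {subnet_to_fortios(cidr)}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


def render_group(group: str, members: Iterable[str]) -> str:
    """config firewall addrgrp block (example 2)."""
    return "\n".join(["config firewall addrgrp",
                      f'    edit "{group}"',
                      f"        set member {quoted(members)}",
                      "    next",
                      "end"])


def render_policy(srcaddrs: Iterable[str], srcintf: str = "external",
                  dstintf: str = "internal") -> str:
    """config firewall policy block; 'edit 0' lets FortiOS assign the next free ID.
    Remaining settings (dstaddr, service, action, ...) are left to requirements,
    exactly as the article does."""
    return "\n".join(["config firewall policy",
                      "    edit 0",
                      f'        set srcintf "{srcintf}"',
                      f'        set dstintf "{dstintf}"',
                      f"        set srcaddr {quoted(srcaddrs)}",
                      "    next",
                      "end"])


def resolve_sources(srcaddrs: Iterable[str], addresses: Dict[str, str],
                    groups: Dict[str, List[str]], _seen: frozenset = frozenset()) -> List[str]:
    """Expand srcaddr names (address objects or address groups) to CIDR subnets.

    Raises KeyError for a name defined neither as an address nor as a group,
    which is the misconfiguration this check exists to catch before a policy
    is pushed. Nested groups are followed; a cycle raises ValueError.
    """
    out: List[str] = []
    for name in srcaddrs:
        if name in groups:
            if name in _seen:
                raise ValueError(f"address group cycle through {name!r}")
            out.extend(resolve_sources(groups[name], addresses, groups, _seen | {name}))
        elif name in addresses:
            out.append(addresses[name])
        else:
            raise KeyError(f"srcaddr {name!r} is not a defined address or address group")
    return out


def equivalent_sources(addresses: Dict[str, str], groups: Dict[str, List[str]],
                       a: Iterable[str], b: Iterable[str]) -> bool:
    """True when two srcaddr lists admit the same set of subnets."""
    return set(resolve_sources(a, addresses, groups)) == set(resolve_sources(b, addresses, groups))


if __name__ == "__main__":
    names = [n for n, _ in SERVERS]
    print(render_addresses(SERVERS))
    print(render_group(GROUP_NAME, names))
    print(render_policy([GROUP_NAME]))
    addresses = dict(SERVERS)
    groups = {GROUP_NAME: names}
    print("example 1 == example 2:", equivalent_sources(addresses, groups, names, [GROUP_NAME]))
```

Run it to print the three blocks in the order FortiOS needs them (address objects before the group that references them, the group before the policy) and to confirm the two examples are equivalent. A KeyError from resolve_sources points at a typo in a srcaddr name, which FortiOS would also reject, but catching it in review is cheaper than catching it at the console.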