Skip to main content
slarabee
slarabee
New Member
November 14, 2016
Question

Firewall Policies Not Applying Properly to VIP (Fortigate 100A)

  • November 14, 2016
  • 2 replies
  • 8352 views

Hello All,

I have a Fortigate 100A (yeah I know it's old but it is in great shape with low hours on it). Firmware VersionFortigate-100A 3.00,build0247,060417

 

I have a virtual IP set up to allow access to our mail server on the inside and created Firewall policies to allow SMTP traffic to pass through to the email server inside IP.

 

The only problem is that no matter what I do it will not work unless I add TCP to the list of services in the policy and that opens up all the ports. I have tried everything I can to set deny rules etc... but nothing works.

 

Really need some guidance on this one as I come from Cisco and I am trying to get a handle on what is happening with the firewall policies and why I cannot seem to open ports selectively.

 

I tries to reorder them putting the restrictive policies at the top or the bottom of the list but nothing seems to work.

 

Thanks in advance.

 

Sean

    2 replies

    slarabee
    slarabeeAuthor
    New Member
    November 15, 2016

    I ended up finding the solution.

     

    When setting up Custom Service ports under Services in the Firewall tab, you need to make sure that you set the source port to High 1 Low 65535 and then set the destination port to the whatever you desire to allow through the firewall (in my case port 26 and 587).

     

    I hope this helps anyone else running into the same issue.

     

    Sean

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    November 15, 2016

    hi,

    and welcome to the forums.

     

    Usually, for a specific forwarding like this, you would use a port forwarding VIP. This opens one port only, not the 'service' choice in the policy.

    A VIP is twofold: 1- a destination NAT and 2- arp proxy. The FGT will react to connection attempts on those forwarded ports only. If you need multiple ports, create one VIP for each and put them into a VIP group which you then use in a policy 'wan' -> 'internal'. Best practice: if you can use port forwarding VIPs to minimize the attack surface. Note that you cannot test a pfVIP (new word!) with 'ping' (obviously).

     

    Getting a DENY policy to work in presence of a VIP policy is not straightforward. You can find an interesting thread here in the forum. But I don't think that this is the source of your problem.

     

    Which then leads to my question: could you please post the VIP definition and the corresponding policy (text, from the CLI, if possible)? I don't quite understand what you mean with 'adding TCP' as SMTP already is a TCP protocol. We'll see.

    slarabee
    slarabeeAuthor
    New Member
    November 15, 2016

    Ede,

     

    Thank you for your reply and the info.

     

    I just meant that when I created the firewall policy my custom services would not work unless I added TCP to the services under in the policy, which that service TCP opens all of the TCP ports up wide, which would be helpful if the Fortigate was already behind a firewall and you wanted to open everything up between your LANS, but not so good if you are WAN facing like my situation. The failure was happening because I was creating the custom services wrong.

     

    I am in the middle of about 3 deployments right now and so slammed, but when I get time I will post a little more detail about how I configure it all.

     

    Thanks again,

     

    Sean

    slarabee
    slarabeeAuthor
    New Member
    November 15, 2016

    Ede,

    My config is pretty straight forward:

     

    I have DUAL WAN connections both serving the office for redundancy.

    I have an internal Exchange Server. It serves POP3, IMAP / SMTP OWA and also VPN Exchange connections.

     

    I created VIPs for both external IP addresses of the email server mapping to the same internal IP Address.

     

    I then created Custom Services for the alt smtp ports 26 and 587. Port 25 is used by only our spam filtering service as all inbound mail goes through their server first. So my Exchange Connection Control is limited to port 25 connections only from their servers.

     

    I then created Service Groups (under Firewall > Services) 1. SpamFilter - SMTP 2. POP3Users SMTP-26,SMTP-587,IMAP,POP3,HTTPS

     

    I then created Firewall Policies:

     

    wan -> internal

              SRC            Dest                       Sched     Service                 Action     7     all               Enterprise Wan 2     always     POP3_Users         ACCEPT     3     SpamFilter   Enterprise Wan 2     always     SpamFilter_Ports  ACCEPT

     

    Also to further lock down SMTP 25 to my spam filter services server I created an Address Group with only the Spam Filter servier's IP Addresses in it, and set that in the Source of that policy.

     

    I ran port scans and test connects on everything and it is locked down so I think I am good.

     

    The only issue I was having was that I had set the Custom Service ports up incorrectly, once I fixed that everything worked as it should.

     

    Thanks again for your insights.

     

    Sean

     

    Terms & ConditionsAccessibility statement