Kioti
New Member
August 22, 2019
Question

FortiGate 60E Ensuring outbound traffic on port 443

  • August 22, 2019
  • 3 replies
  • 9250 views

Hello,

I've got a Time Clock that needs to communicate out to a Vendor's servers.

I was told that

"Port 443 Outbound must be open to the following IP addresses:

  • 170.146.48.126
  • 170.146.235.104
  • 170.146.48.125
  • 170.146.235.103"

I've got my device hooked up to the network and it requires a static IP address. Apparently, the Vendor's servers do not see a connection. How do I ensure they have 443 outbound? I didn't even think I needed to make changes on my firewall to allow specific ports outbound?


      Dave_Hall
      New Member
      August 22, 2019

      What you want is to create some address firewall objects for the four addresses and group them.  Then create a firewall policy from internal (e.g. lan) to WAN (or WAN1), setting the dest to the address group with port 443 (e.g. HTTPS).  Move this policy up in the firewall policy list so it is triggered.  e.g. (example only) from the CLI.  I do not know what else you would need though:

      config firewall address
          edit "timeclocks1"
              set associated-interface "wan1"
              set subnet 170.146.48.126 255.255.255.255
          next
          edit "timeclocks2"
              set associated-interface "wan1"
              set subnet 170.146.235.104 255.255.255.255
          next
          edit "timeclocks3"
              set associated-interface "wan1"
              set subnet 170.146.48.125 255.255.255.255
          next
          edit "timeclocks4"
              set associated-interface "wan1"
              set subnet 170.146.235.103 255.255.255.255
          next
      end
      config firewall addrgrp
          edit "timeclockgroup"
              set member "timeclocks1" "timeclocks2" "timeclocks3" "timeclocks4"
          next
      end
      config firewall policy
          edit 0
              set name "connection-timeclocks"
              set srcintf "internal_net"
              set dstintf "wan1"
              set srcaddr "All_Internal"
              set dstaddr "timeclockgroup"
              set action accept
              set schedule "always"
              set service "HTTPS"
              set nat enable
          next
      end

      Edit: that documentation I found on the Internet gives no information on how the internal clock device is supposed to be getting a static IP or if you need to enable NAT (on the firewall policy).

      Kioti (Author)
      New Member
      August 23, 2019

      There is one thing I'm tripped up on about this ~

      This firewall has its wan2 connected to the ISP box.

      There is a VLAN on wan2 that has been assigned the front-facing IP address and a tunnel interface set on it.

      When I create these policies, do I replace the wan in your example with the VLAN, since it has the front facing address?

      After I do that, would I need to create another policy between wan2 and the VLAN?

      sw2090
      SuperUser
      August 23, 2019

      Well unless you didn't limit your policy for internet access from the subnet your clock device is in to specific services there is no outbound limit. So communication outbound should work. 443/tcp is btw the standard port for the https protocol.

      So far it doesn't even matter whether the device has a static ip or dhcp ip. Usually you have a policy that allows internet for the whole subnet.

      If you don't have one for this subnet you will have to create one. You could then limit that to those destinations and port 443 like Dave wrote. Since I guess you don't have a public subnet behind your FGT you will have to do NAT to make it work!
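The two replies above both come down to how the policy table is walked: the FortiGate evaluates policies top-down and applies the first one whose interfaces, source, destination and service all match, and anything that matches nothing is dropped by the implicit deny. The following script is an added example written for this thread, not code from the thread or from Fortinet. It simulates that first-match lookup over a small policy table built from the object names in Dave's CLI (the four vendor /32s, "timeclockgroup", "HTTPS", "connection-timeclocks"); the LAN range 192.168.1.0/24 standing in for "All_Internal", the clock address 192.168.1.50 and the catch-all deny policy "lan-deny-other" are constructed for the demonstration.

```python
"""
Added example (not from the thread or from Fortinet): a small first-match
simulator for a FortiGate-style policy table. It shows why the new policy
has to sit above any broader policy that would otherwise catch the traffic,
and what restricting it to the vendor addresses and port 443 actually does.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address objects: the four vendor hosts from the question as /32s, plus a
# constructed LAN range standing in for "All_Internal".
ADDRESSES = {
    "timeclocks1": ip_network("170.146.48.126/32"),
    "timeclocks2": ip_network("170.146.235.104/32"),
    "timeclocks3": ip_network("170.146.48.125/32"),
    "timeclocks4": ip_network("170.146.235.103/32"),
    "All_Internal": ip_network("192.168.1.0/24"),  # assumed LAN range, constructed
    "all": ip_network("0.0.0.0/0"),
}
GROUPS = {"timeclockgroup": ["timeclocks1", "timeclocks2", "timeclocks3", "timeclocks4"]}

# Service objects as (protocol, port); None means "any".
SERVICES = {"HTTPS": ("tcp", 443), "HTTP": ("tcp", 80), "ALL": (None, None)}


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    service: str
    action: str        # "accept" or "deny"
    nat: bool = False  # source NAT to the egress interface address


def resolve(name):
    """Expand an address object or address group into its member networks."""
    members = GROUPS.get(name, [name])
    return [ADDRESSES[m] for m in members]


def addr_matches(name, ip):
    return any(ip_address(ip) in net for net in resolve(name))


def service_matches(name, proto, port):
    want_proto, want_port = SERVICES[name]
    return want_proto is None or (want_proto, want_port) == (proto, port)


def evaluate(policies, srcintf, dstintf, src, dst, proto, port):
    """First-match lookup: returns (policy name, action, nat), or the implicit deny."""
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and addr_matches(p.srcaddr, src) and addr_matches(p.dstaddr, dst)
                and service_matches(p.service, proto, port)):
            return p.name, p.action, p.nat
    return "implicit-deny", "deny", False


def build_policies(timeclock_first):
    """Dave's policy plus a constructed catch-all deny; the flag sets the order."""
    timeclock = Policy("connection-timeclocks", "internal_net", "wan1",
                       "All_Internal", "timeclockgroup", "HTTPS", "accept", nat=True)
    catch_all = Policy("lan-deny-other", "internal_net", "wan1",
                       "all", "all", "ALL", "deny")  # constructed broader policy
    return [timeclock, catch_all] if timeclock_first else [catch_all, timeclock]


if __name__ == "__main__":
    clock = "192.168.1.50"  # constructed address of the time clock
    for on_top in (False, True):
        table = build_policies(timeclock_first=on_top)
        print("timeclock policy on top:", on_top,
              evaluate(table, "internal_net", "wan1", clock, "170.146.48.126", "tcp", 443))
```

Running it prints the deny when the timeclock policy sits below the broader one and the accept (with nat=True, the piece sw2090 says a private LAN needs) once it is moved up. The same lookup also answers the follow-up about interfaces: a session leaving through an interface other than the one named in the policy matches nothing and lands on the implicit deny, which is what the debug flow trace later in the thread would show.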

       

      sw2090
      SuperUser
      August 23, 2019

      you could debug that on your FGT on command line:

          diag debug enable
          diag debug flow show console enable
          diag debug flow filter clear
          diag debug flow filter saddr <ipoftheclockdevice>
          diag debug flow trace start <numberofpackets>

      then have your clock device trying to communicate and watch the fgt cli.

      flow trace will show you what comes in and what happens to it.