G'day,
Thank you for using the Community Forum.
To permit only ConnectWise (ScreenConnect) on a computer in your network using FortiGate, you can follow these steps:
1. **Identify ConnectWise IP Addresses:**
   - Obtain the list of IP addresses or domain names used by ConnectWise for their cloud-hosted services. This information is typically available from ConnectWise support or documentation.
2. **Create an Address Object:**
   - Access the FortiGate CLI.
   - Create an address object for each IP address or domain name associated with ConnectWise.
   ```shell
   config firewall address
       edit "ConnectWise_IP"
           set subnet <IP_Address> 255.255.255.255
       next
   end
   ```
3. **Create a Firewall Policy:**
   - Create a policy to allow traffic from the specific computer to the ConnectWise IP addresses.
   ```shell
   config firewall policy
       edit <policy_id>
           set srcintf "<source_interface>"
           set dstintf "<destination_interface>"
           set srcaddr "<source_computer_address>"
           set dstaddr "ConnectWise_IP"
           set action accept
           set schedule "always"
           set service "ALL"
       next
   end
   ```
4. **Deny All Other Traffic:**
   - Create a policy to deny all other traffic from the specific computer.
   ```shell
   config firewall policy
       edit <policy_id>
           set srcintf "<source_interface>"
           set dstintf "<destination_interface>"
           set srcaddr "<source_computer_address>"
           set dstaddr "all"
           set action deny
           set schedule "always"
           set service "ALL"
       next
   end
   ```
5. **Policy Order:**
   - Ensure that the allow policy for ConnectWise is placed above the deny-all policy in the policy list.
6. **Test the Configuration:**
   - Verify that the computer can connect to ConnectWise but cannot access other internet services.

By following these steps, you can restrict the computer to only connect to ConnectWise while blocking all other internet access.
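The steps above are a single procedure, so here is one complete worked example that ties them together. It is an added example, not code from the forum post or from Fortinet or ConnectWise: a POSIX shell script that takes the host list from step 1 and emits the FortiGate CLI for steps 2 through 5, grouping all the address objects so the allow policy references one `dstaddr` even when the list changes. Because ConnectWise cloud endpoints are usually published as hostnames rather than fixed IPs, the script emits FQDN address objects (`set type fqdn` / `set fqdn`) for hostnames and `set subnet` objects for IPv4 addresses. The hostnames, IP addresses, interface names (`internal`, `wan1`), the `Restricted_PC` source object and the policy IDs 100/101 are constructed placeholders; substitute the values from your own environment and from ConnectWise's documentation.

```shell
#!/bin/sh
# Added example (not from the forum post): generate FortiGate CLI that restricts
# one workstation to a list of ConnectWise hosts. All hostnames, IPs, interface
# names and policy IDs below are constructed placeholders.

# classify_host HOST: print "ip" for a dotted-quad IPv4 address, "fqdn" otherwise.
classify_host() {
  case "$1" in
    *[!0-9.]*) echo fqdn ;;   # any letter or other symbol => hostname
    *.*.*.*)   echo ip ;;     # only digits and dots, three dots => IPv4
    *)         echo fqdn ;;
  esac
}

# gen_address_objects HOST...: one "config firewall address" entry per host,
# named ConnectWise_1, ConnectWise_2, ... so the group below can reference them.
gen_address_objects() {
  n=0
  echo "config firewall address"
  for host in "$@"; do
    n=$((n + 1))
    echo "    edit \"ConnectWise_$n\""
    if [ "$(classify_host "$host")" = ip ]; then
      echo "        set subnet $host 255.255.255.255"
    else
      echo "        set type fqdn"        # FortiGate resolves the name via DNS
      echo "        set fqdn \"$host\""
    fi
    echo "    next"
  done
  echo "end"
}

# gen_address_group COUNT: put ConnectWise_1..ConnectWise_COUNT into one group.
gen_address_group() {
  members=""
  i=1
  while [ "$i" -le "$1" ]; do
    members="$members \"ConnectWise_$i\""
    i=$((i + 1))
  done
  echo "config firewall addrgrp"
  echo "    edit \"ConnectWise_Group\""
  echo "        set member$members"
  echo "    next"
  echo "end"
}

# gen_policies: allow rule (ID 100) then deny rule (ID 101). FortiGate evaluates
# policies top-down and stops at the first match, so the order matters (step 5).
# Both rules log, so a blocked connection from the workstation shows up in the
# traffic log during step 6 instead of failing silently.
gen_policies() {
  cat <<'EOF'
config firewall policy
    edit 100
        set name "Allow_ConnectWise_Only"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Restricted_PC"
        set dstaddr "ConnectWise_Group"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 101
        set name "Deny_Restricted_PC_Other"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Restricted_PC"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
EOF
}

# gen_fortigate_config HOST...: the full script for steps 2 to 5.
gen_fortigate_config() {
  gen_address_objects "$@"
  gen_address_group "$#"
  gen_policies
}

# Constructed demo hosts when run without arguments; pass your own list otherwise.
if [ "$#" -gt 0 ]; then
  gen_fortigate_config "$@"
else
  gen_fortigate_config 203.0.113.10 relay.example.invalid
fi
```

Run it as `sh gen_cw_policy.sh host1 host2 ... > connectwise.txt` and paste the output into the FortiGate CLI, then create the `Restricted_PC` address object for the workstation first, since the policies reference it. The example keeps `set service "ALL"` to match the post; narrowing it to the ports ConnectWise documents for your instance further reduces what the allow rule admits.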