Camilian
New Member
September 9, 2019
Question

FortiWIFI 60E Attacks on Port 80


I have a FortiWiFi 60E.

 

I had to open port 80 and port 443 to support a web page.

I am getting daily attacks on port 80 and need to know the steps to protect it.

 

On my IIS server I am forwarding port 80 -> 443 and it is working fine.

 

The attacks continue to happen on port 80, and the FortiWiFi 60E allows incoming IP addresses from other countries.

Is there a way to forward port 80 ->443 in FortiWiFI?

Is there a policy that I can set to ensure that port 80 does not accept IPs from other countries?

What is everyone doing to stop attacks in port 80?

 

 

    1 reply

    orani
    New Member
    September 9, 2019

    There are many ways to stop attacks on a port. But let's focus on what your target is.

     

    You said that you want to port forward. Yes this can be done. You have to configure a VIP and then use this VIP in an IPv4 rule. That is the first part.

     

    If you want then to allow traffic only from a specific country/countries, you have to configure an address object with type Geography (Geolocation) and then use this object as source at the policy you previously created.

     

    Before you do that, make sure that everybody who will access your server on your specified port is from the country/countries you set in the address object(s).

    Camilian (Author)
    New Member
    September 9, 2019

    orion,

    Thank you for the suggestions.

    Is there a step-by-step procedure as to what to do on the port forward and specific country solution?

    I am new to Fortigate and don't want to make any mistakes.

     

    Thank you

    orani
    New Member
    September 9, 2019

    Ok.

    First let's create the address object. Go to "Policy & Objects" --> "Addresses" and click "Create New" - "Address".

    Set a desired name, for the "Type" choose "Geography", choose your desired country (the one you want to allow traffic from), "Interface" = any and click "OK".

     

    Then you have to create your VIP.

    Go to "Policy & Objects" --> "Virtual IPs" and click "Create New" - "Virtual IP".

    Set a desired name. At the "Interface" choose your external interface/internet (the source of the traffic). At the External IP Address/Range set your interface's IP address. At the Mapped IP Address/Range set your IIS IP address. Enable the "Port Forwarding" option and set the external and internal ports.

     

    Lastly you have to create a rule to allow traffic to go through.

    Go to "Policy & Objects" --> "IPv4 Policy" and click "Create New".

    Set a desired name, Incoming interface = your external interface/internet, Outgoing interface = the interface where IIS is physically connected, Source = the address object you created before with the country you want to allow, Destination = your previously created Virtual IP object, Service = All, NAT = enabled, Log all sessions, enable this policy (on) and click OK.

     

    And now you must be ready to safely use your server.
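
The three GUI steps above, written out as their FortiOS CLI equivalent. This is an added example, not part of the original posts. The object names, the interface names `wan1` and `internal`, the country code and the addresses (documentation and private ranges) are constructed placeholders to replace with your own values.

```fortios
# 1. Address object of type Geography: the country allowed to reach the server.
config firewall address
    edit "Allowed-Country"
        set type geography
        set country "US"
    next
end

# 2. Virtual IPs with port forwarding: external interface IP -> IIS server.
#    One VIP per published port; IIS itself keeps doing the 80 -> 443 redirect.
config firewall vip
    edit "IIS-HTTP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
        set portforward enable
        set extport 80
        set mappedport 80
    next
    edit "IIS-HTTPS"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# 3. IPv4 policy: only the geography object as source, only the VIPs as destination.
#    With NAT enabled (as in the steps above) IIS logs show the FortiGate's
#    internal address instead of the client's, so rely on the FortiGate
#    traffic log ("logtraffic all") for source IPs.
config firewall policy
    edit 0
        set name "Inbound-IIS"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Allowed-Country"
        set dstaddr "IIS-HTTP" "IIS-HTTPS"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

After applying it, check the forward traffic log for sessions from countries outside the address object: they should no longer match this policy and should fall through to the implicit deny.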