Dclabaut
New Member
February 14, 2019
Question

How to allow only established connections?

  • February 14, 2019
  • 1 reply
  • 5827 views

Is there a way to allow connections (TCP, SSH, etc.) to be established only one way?


I would like the machines in my administration network to be allowed to ssh towards anywhere else, but the machines in all other networks should not be able to ssh towards the admin network.


That would be 'RELATED,ESTABLISHED' in iptables, but I am not sure how to do that with a FortiGate and would really appreciate some help.


Regards,

    1 reply

    lobstercreed
    New Member
    February 14, 2019

    Hi Damien,


    That is just how a stateful firewall works by default. :)


    Just create a policy in one direction (i.e. admin interface to another interface) and don't create a policy in the reverse direction. Boom, done.


    More details...

    If for example the admin network is on lan1 and all other networks are on lan2, you would just create a policy with a source interface of lan1 and destination interface of lan2 that allows SSH.


    If you have other networks on lan2, lan3, lan.. you will need to have multiple policies, all with a source interface of lan1 and each with the appropriate destination interface. You can also create zones to simplify things, but only if that also makes sense with your design.


    - Daniel
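The one-direction policy Daniel describes, written out as a FortiOS CLI fragment. This is an added example and is not part of the original thread or of Fortinet's documentation; the interface names lan1 (admin network) and lan2 (everything else) are taken from the answer above, while the policy ID, policy name and the choice of "all" address objects are assumptions for illustration.

```text
# Assumed example config (not from the thread): allow SSH initiated from the
# admin network (lan1) towards lan2. Because the FortiGate is stateful, the
# return packets of these sessions are matched to the existing session entry
# and need no policy of their own.
config firewall policy
    edit 10
        set name "admin-to-lan2-ssh"
        set srcintf "lan1"
        set dstintf "lan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

# Deliberately NO policy with srcintf "lan2" and dstintf "lan1".
# A new SSH connection from lan2 towards lan1 has no session entry and no
# matching accept policy, so it falls through to the implicit deny (policy 0).
```

For additional networks, repeat the policy with the same srcintf "lan1" and the appropriate dstintf, or group those interfaces into a zone as the answer suggests. To confirm that reverse-direction attempts are actually being dropped rather than silently matched by some other policy, enable logging on the implicit deny policy (`config firewall policy`, `edit 0`, `set logtraffic all`) and watch the traffic log for denied lan2 to lan1 SSH attempts.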

    emnoc
    New Member
    February 15, 2019

    Agreed, stateful is what a FortiGate does. Just ensure you do not allow the traffic both ways.


    Ken Felix