RJ45
Visitor III
April 17, 2020
Solved

Is manual entry necessary to open ports for 100 addresses?

  • April 17, 2020
  • 1 reply
  • 18108 views

Looking for advice on how to open ports that a service says will require a large number of addresses on, say, port 51000. 

 

Please tell me if I'm doing this correctly: In a new policy, I'm creating Address entries for each IP or IP range (attached to Destination), then creating a Service with the port needed to open and leaving the address as 0.0.0.0.

 

Can manual entry for services that use a large number of IP addresses be avoided? This would be for services that DON'T appear in the Internet Service database.

Best answer by poundy


1 reply

poundy
New Member
May 3, 2020

I don't understand your scenario (and I suspect that's why you haven't had any other responses either). Perhaps you can better describe it or point to info that describes the service and its behaviour?

RJ45 (Author)
Visitor III
May 4, 2020

Here is an example of what I'm talking about. I am trying to create a policy by entering the data given to me by this web site:

 

 

The ranges of IPs in the links under "Target IP Address" are anywhere from 30 IPs to hundreds. I can create a policy with each of these ports set to ALLOW in a series of Services, but I don't understand how I'm expected to enter an enormous set of IP addresses.

 

Here is the link, for example, for the above "Amazon CloudFront IP Ranges". What am I supposed to do with this information? I'm not going to enter those hundreds of IPs by hand.

 

Can I enter these links themselves as an FQDN in a Service where the port is specified? The lack of documentation on this type of thing (or the ability to Google successfully) is truly disappointing.

 

Thanks

poundy (Answer)
New Member
May 4, 2020

OK, now I get a bit more context, but can I ask another question or two before I suggest an answer?

What does the "inside" portion of the infrastructure look like? Is there just one server (or a small, fixed number) sitting behind the FGT that needs to talk to all those endpoints over just that set of ports? And if so, would you want to restrict it in such a way that the internal server can only talk on those ports to those endpoints? Or does the internal side look like a

 

My first hint about those IP addresses is possibly a little abstract. AWS and Azure give you these in a consumable format, so that you can maintain them in an automated way. You should be considering a way to transform that feed into the FGT. You could have a script to churn the AWS endpoint JSON file into a set of CONFIG FIREWALL ADDRESS command lines that also adds them to an address group. 

 

I will say I'm a pretty new FGT admin, but I'd approach this as a policy that permits traffic from an inside group of IP addresses on a particular service to a particular destination. In this case, I'd create a policy for TCP80 to the AWS EC2 destination, a policy for TCP443 to AWS CloudFront, and a policy for TCP/UDP49221 to AWS Media Shuttle. I'd define an address group for each of those, so the policy wouldn't need to change, only the addrgrp, as the published IPs changed.

 

Does this help?
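As an added illustration of the approach described in the answer above (a script that turns the AWS IP range feed into `config firewall address` lines and collects them in an address group), here is a hypothetical Python helper. It is not code from this thread, from Fortinet, or from AWS. It assumes the JSON layout of https://ip-ranges.amazonaws.com/ip-ranges.json (`prefixes` entries with `ip_prefix` and `service`, `ipv6_prefixes` entries with `ipv6_prefix`); the sample document embedded below is constructed for the example, including one deliberately malformed entry to show that anything which does not parse as a network is dropped rather than pasted into the firewall configuration. The object naming scheme (`aws_cloudfront_<network>_<prefixlen>`) is my own convention.

```python
"""Generate FortiOS CLI (firewall address objects plus one address group) from an
AWS ip-ranges.json document. Hypothetical helper for this thread; not Fortinet
or AWS code."""
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real file has thousands of entries; the "not-an-ip" entry is fabricated here
# purely to exercise the validation path.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1588550400",
    "createDate": "2020-05-04-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.84.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "EC2"},
        {"ip_prefix": "not-an-ip", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:9000::/28", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def load_sample() -> dict:
    """Parse the constructed sample; swap in json.load(open('ip-ranges.json'))
    for the real feed."""
    return json.loads(SAMPLE_IP_RANGES)


def select_prefixes(doc: dict, service: str, want_ipv6: bool = False) -> list:
    """Return the validated, de-duplicated, sorted networks tagged with one AWS
    service name. Entries that fail ipaddress parsing (or have host bits set)
    are skipped: the feed is untrusted input as far as the config is concerned,
    and a bad string must never become a CLI line."""
    key, field = ("ipv6_prefixes", "ipv6_prefix") if want_ipv6 else ("prefixes", "ip_prefix")
    nets = set()
    for entry in doc.get(key, []):
        if entry.get("service") != service:
            continue
        try:
            nets.add(ipaddress.ip_network(entry[field], strict=True))
        except (KeyError, ValueError):
            continue
    return sorted(nets)


def fortios_cli(doc: dict, service: str, group_name: str) -> str:
    """Emit a 'config firewall address' block and a 'config firewall addrgrp'
    block. The group's 'set member' list is rewritten in full on every run, so a
    prefix AWS withdraws drops out of the group on the next sync (its address
    object lingers unreferenced until cleaned up). Policies reference only the
    group, so they never change."""
    nets = select_prefixes(doc, service)
    if not nets:
        raise ValueError(f"no valid IPv4 prefixes for service {service!r}")
    token = doc.get("syncToken", "unknown")
    names = []
    lines = ["config firewall address"]
    for net in nets:
        name = f"{group_name}_{net.network_address}_{net.prefixlen}"
        names.append(name)
        lines += [
            f'    edit "{name}"',
            "        set type ipmask",
            f"        set subnet {net.network_address} {net.netmask}",
            f'        set comment "AWS {service} syncToken {token}"',
            "    next",
        ]
    lines.append("end")
    lines += [
        "config firewall addrgrp",
        f'    edit "{group_name}"',
        "        set member " + " ".join(f'"{n}"' for n in names),
        "    next",
        "end",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(fortios_cli(load_sample(), "CLOUDFRONT", "aws_cloudfront"))
```

Run it against the downloaded feed, paste the output into the FortiGate CLI, and then point the policy's destination at the `aws_cloudfront` group with the service object carrying the port, which is the split the original poster was sketching: ports live in the Service, addresses live in the group. Re-running the script after AWS publishes a new `syncToken` updates the group without touching the policy.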