ctsuhako
New Member
April 7, 2016
Question

New Fortigate 200D User Question

  • April 7, 2016
  • 1 reply
  • 2695 views

Hello:


I am brand new to Fortigate (migrating from a Sonicwall TZ205) and I had a quick question.


Fortigate 200D

Firmware Version: v5.2.4, build 688


I want to allow full access from a range of external IPs to an internal server which has a public IP (63.xxx.xxx.1). I have configured the following Address Objects:

EXTERNAL IPS ALLOWED

Type: IP Range

Subnet/IP Range: 72.xxx.xxx.1-72.xxx.xxx.10

Interface: wan1


INTERNAL SERVER

Type: IP/Netmask

Subnet/IP Range: 10.xxx.xxx.1

Interface: lan


I have then configured an IPV4 Policy:

Incoming Interface: wan1

Source Address: EXTERNAL IPS ALLOWED

Outgoing Interface: lan

Destination Address: INTERNAL SERVER

Service: ALL

Action: Accept

Firewall/Network Options: Off


Is this sufficient to allow all protocols to flow both incoming and outgoing? I am not sure where I would create the object that would contain information on the internal server's public IP.


Thanks in advance.


    1 reply

    emnoc
    New Member
    April 7, 2016

    It's good, but not good for incoming & outgoing. You have many options; some are better.


    1: You can do the same as the fwpolicy listed but reverse the in/out and have a 2nd policy


    e.g.

    Incoming Interface: lan

    Source Address: INTERNAL SERVER

    Outgoing Interface: wan1

    Destination Address: EXTERNAL IPS ALLOWED

    Service: ALL

    Action: Accept

    Firewall/Network Options: Off


    2: You craft one policy that has any/any for the interface with the same subnets list as in/out (not preferred but will work)


    Both of these will get you where you want. I would like to caution against ANY ANY policies and ANY services. These can open you up to bad design habits and potential exposure.


    I'm always wary of ANY--->ANY and "ALL" ;)
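The CLI equivalent of the address objects from the question and of the two options in the reply, written here as an added example rather than anything posted by ctsuhako or emnoc (and not Fortinet's own documentation). It assumes FortiOS 5.2 CLI syntax, arbitrary policy IDs 1, 2 and 3, and keeps the poster's redacted addresses (72.xxx.xxx.1-10, 10.xxx.xxx.1) as placeholders to be replaced with the real values; the `logtraffic` lines are an addition so that every session matched by these wide policies is recorded, and are not part of the poster's GUI settings. The public IP of the internal server (63.xxx.xxx.1) is not covered, because the reply does not address it.

```text
# Address objects (constructed to mirror the question's GUI objects)
config firewall address
    edit "EXTERNAL IPS ALLOWED"
        set type iprange
        set start-ip 72.xxx.xxx.1
        set end-ip 72.xxx.xxx.10
        set associated-interface "wan1"
    next
    edit "INTERNAL SERVER"
        set type ipmask
        set subnet 10.xxx.xxx.1 255.255.255.255
        set associated-interface "lan"
    next
end

# Option 1 from the reply: the poster's inbound policy plus a mirrored
# outbound policy. The first policy alone allows sessions started from
# the outside (and their replies); the second is needed for sessions the
# internal server starts toward the allowed range.
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "EXTERNAL IPS ALLOWED"
        set dstaddr "INTERNAL SERVER"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "INTERNAL SERVER"
        set dstaddr "EXTERNAL IPS ALLOWED"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Option 2 from the reply: one any/any-interface policy listing both
# objects as source and destination. It works, but as the reply warns it
# matches traffic on every interface pair, so option 1 is the better habit.
config firewall policy
    edit 3
        set srcintf "any"
        set dstintf "any"
        set srcaddr "EXTERNAL IPS ALLOWED" "INTERNAL SERVER"
        set dstaddr "EXTERNAL IPS ALLOWED" "INTERNAL SERVER"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Once the server's real protocols are known, replacing `"ALL"` in the `set service` lines with the specific service objects is the narrowing the reply recommends; the interfaces and address objects can stay as they are.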