FortiGate
auppal
Staff
Article Id 322715
Description

 

This article describes how to block Internet access to one application on a server behind the FortiGate while still allowing access to the other applications hosted on the same server.

 

Scope

 

FortiGate.

 

Topology:

(Topology diagram: 1.png)

 

Three applications are hosted on the same server behind the FortiGate. Access to Application 1 from the Internet needs to be blocked while Application 2 and Application 3 can still be accessed from the Internet.

The following are the applications on the same server:

 

This server is hosted behind the FortiGate using a virtual server configuration.

Prerequisites:

Virtual server or Virtual IP (VIP) is configured on the FortiGate.

 

Solution

 

  1. Configure a Web Filter security profile with only static URL filtering to block access to certain URLs. For example: *example.com/status/prv*

    (Static URL filter screenshot: 3.png)

  2. Configure an inbound firewall policy to allow traffic to the configured virtual server or VIP in proxy-based inspection mode.
  3. Apply the above Web Filter security profile to the new firewall policy.
  4. Apply the SSL inspection profile with Protecting SSL Server enabled and select the required server certificate in it (see Protecting an SSL server).
  5. Apply other security profiles such as WAF or AV as required.
  6. The following is an example of the firewall policy for this task:

 

config firewall policy
    edit 1
        set name "reverse-proxy"
        set srcintf "wan"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "reverse-proxy-testing" <----- Virtual server.
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "_protect_server"
        set webfilter-profile "_inbound"
        set waf-profile "_strict_waf"
    next
end
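The static URL filter that step 1 configures is shown in the article only as a screenshot; the following is added example CLI, not the article's own configuration, that creates that filter and attaches it to the "_inbound" profile used by the policy above. The URL filter table id 1, the entry name "block-app1", and the feature-set line are assumptions.

```fortios
# Added example (not from the article): static URL filter for step 1.
# Assumed: urlfilter table id 1 and entry name "block-app1".
config webfilter urlfilter
    edit 1
        set name "block-app1"
        config entries
            edit 1
                set url "*example.com/status/prv*"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

# Attach the table to the "_inbound" profile referenced by the policy.
# feature-set proxy matches the policy's proxy inspection mode (assumed FortiOS 6.4 or later).
config webfilter profile
    edit "_inbound"
        set feature-set proxy
        config web
            set urlfilter-table 1
        end
    next
end
```

Because the policy uses proxy inspection together with the protecting-server SSL profile, the FortiGate sees the full URL path of inbound HTTPS requests, which is what allows a path-based block like this to match.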


Result:
If a user tries to access Application 1, the request is blocked by the configured static URL filter:

(Block page screenshot: 7.png)

However, if the user tries to access either Application 2 or Application 3, the request succeeds.