FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dkochhar (Staff)
Article Id 328891
Description: This article describes how to create a bypass rule, using the example of whitelisting an IP range and a subnet through a firewall policy that applies no inspection.
Scope: FortiGate.
Solution:

Let’s take an example here:

The goal is to whitelist the IP range 1.2.3.4 - 1.2.3.10 and the subnet 170.146.X.X/21.

Configuration on FortiGate:


1. Create the address objects:

For the IP range:

config firewall address
    edit "Whitelist_IP_Range"
        set type iprange
        set start-ip 1.2.3.4
        set end-ip 1.2.3.10
    next
end

For the subnet (mask 255.255.248.0 is the /21 from the example):

config firewall address
    edit "Whitelist_Subnet"
        set subnet 170.146.X.X 255.255.248.0
    next
end

2. Create a firewall policy that accepts traffic to these addresses without any security profiles, so it is not inspected:


config firewall policy
    edit 2
        set status enable
        set name "Whitelist_Rule"

        set srcintf "port4"   <-- Internal interface.
        set dstintf "port1"   <-- Outgoing interface.
        set action accept
        set srcaddr "all"
        set dstaddr "Whitelist_IP_Range" "Whitelist_Subnet"    <-- Whitelisted range and subnet.
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

[Image: Whitelist-2.png]


Note:

The whitelist policy must be placed at the top of the policy list, above any other policy that could match the same traffic. FortiGate evaluates policies top-down and applies the first match, so if an inspecting policy is listed above the whitelist policy, that policy wins and the traffic is still inspected.
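The two steps above (address objects, then a non-inspecting policy) plus the ordering note can be checked mechanically from a config dump. The script below is an added example written for this article; it is not Fortinet code and does not talk to a device. It parses a small constructed FortiGate-style config (the subnet 170.146.8.0/21 is a placeholder standing in for the article's 170.146.X.X), then verifies that the named bypass policy comes first in evaluation order, carries no security profiles, and only references address objects that exist. The sample deliberately lists the whitelist policy second so the ordering check has something to report. It assumes the policies in the text appear in evaluation order, which is how `show firewall policy` prints them.

```python
"""Audit a FortiGate-style config for a whitelist/bypass policy (added example)."""
import ipaddress
import shlex

# Constructed sample config, not a real device dump. 170.146.8.0/21 is a
# placeholder for the article's 170.146.X.X; Whitelist_Rule is intentionally
# listed below an inspecting policy so the ordering check fires.
SAMPLE_CONFIG = """
config firewall address
    edit "Whitelist_IP_Range"
        set type iprange
        set start-ip 1.2.3.4
        set end-ip 1.2.3.10
    next
    edit "Whitelist_Subnet"
        set subnet 170.146.8.0 255.255.248.0
    next
end
config firewall policy
    edit 1
        set name "Inspected_Outbound"
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
    next
    edit 2
        set name "Whitelist_Rule"
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "Whitelist_IP_Range" "Whitelist_Subnet"
        set schedule "always"
        set service "ALL"
    next
end
"""

# Policy keys whose presence means the traffic is inspected.
PROFILE_KEYS = {"av-profile", "ips-sensor", "webfilter-profile",
                "application-list", "ssl-ssh-profile", "dnsfilter-profile"}


def parse_config(text):
    """Return (addresses, policies): address objects by name, policies in order.
    Each object maps 'set' keys to their token list, plus 'id' from 'edit'."""
    addresses, policies = {}, []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)          # handles the quoted names
        if tokens[0] == "config":
            section = " ".join(tokens[1:])
        elif tokens[0] == "edit":
            current = {"id": tokens[1]}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            if section == "firewall address":
                addresses[current["id"]] = current
            elif section == "firewall policy":
                policies.append(current)
            current = None
        elif tokens[0] == "end":
            section = None
    return addresses, policies


def address_to_networks(addr):
    """Translate an iprange or subnet address object into network objects."""
    if addr.get("type") == ["iprange"]:
        start = ipaddress.ip_address(addr["start-ip"][0])
        end = ipaddress.ip_address(addr["end-ip"][0])
        return list(ipaddress.summarize_address_range(start, end))
    ip, mask = addr["subnet"]
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)]


def covered(addresses, names, ip):
    """True if ip falls inside any of the named address objects."""
    target = ipaddress.ip_address(ip)
    return any(target in net for n in names for net in address_to_networks(addresses[n]))


def audit_bypass_policy(addresses, policies, policy_name):
    """Findings for a bypass policy: must be first, uninspected, and well-referenced."""
    idx = next((i for i, p in enumerate(policies)
                if p.get("name") == [policy_name]), None)
    if idx is None:
        return [f"missing: policy '{policy_name}' not found"]
    pol, findings = policies[idx], []
    if idx != 0:
        above = policies[0].get("name", ["?"])[0]
        findings.append(f"ordering: '{policy_name}' is at position {idx + 1}, below '{above}'")
    profiles = sorted(k for k in pol if k in PROFILE_KEYS)
    if pol.get("utm-status") == ["enable"] or profiles:
        findings.append(f"inspection: security profiles set ({', '.join(profiles) or 'utm-status'})")
    for name in pol.get("dstaddr", []):
        if name != "all" and name not in addresses:
            findings.append(f"reference: dstaddr '{name}' is not a defined address object")
    return findings


if __name__ == "__main__":
    addrs, pols = parse_config(SAMPLE_CONFIG)
    for finding in audit_bypass_policy(addrs, pols, "Whitelist_Rule") or ["OK"]:
        print(finding)
```

Running it on the sample reports the ordering problem only; moving Whitelist_Rule to the top clears the findings, while auditing Inspected_Outbound as if it were the bypass policy reports its security profiles. The `covered` helper is a quick way to confirm that a specific destination (for example 1.2.3.7 or 170.146.15.255) really falls inside the whitelisted objects before relying on the policy.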


[Image: no_inspection.JPG]