Created on 09-20-2019 05:05 AM
Edited on 10-04-2024 07:49 AM
By Jean-Philippe_P
Description
This article explains how to allow a port on a FortiGate.
By default, the FortiGate firewall denies all traffic passing through it on all ports due to a pre-configured 'implicit deny policy'.
Scope
FortiGate.
Solution
To allow any traffic through FortiGate on any port, configure the IPv4 policy with the 'action' set to 'Accept/Permit'.
Below is an example of how to allow the RDP port 3389 traffic through FortiGate:
Step 1:
Create the 'Service' object for the port that needs to be allowed under Policy and Object -> Services.
If it is a standard port, a predefined service object already exists in the service list.
If not, create a custom 'Service' object under Policy and Object -> Services -> Create New -> Service.

config firewall service custom
edit "RDP_Port"
set category "Remote Access"
set tcp-portrange 3389 3389
next
end
Step 2:
To create the policy, navigate to Policy and Object -> IPv4 Policy -> Create New. The equivalent CLI configuration is shown below.

config firewall policy
edit 11
set name "Allow_RDP"
set uuid 902f509c-8249-51ef-9cd2-05d76de7c7d2
set srcintf "port1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "RDP_Port"
set logtraffic all
set nat enable
next
end
To verify that the traffic matches the policy and is forwarded, run the built-in packet sniffer with a filter for the port (for example, diagnose sniffer packet any "tcp port 3389 or udp port 3389" 4). The output shows the same packet entering on the ingress interface and leaving on the egress interface:
filters=[tcp port 3389 or udp port 3389]
1.427148 port1 in 10.143.3.189.64958 -> 10.5.41.48.3389: syn 2923297620 <- Packet enters on FortiGate Port1 (ingress).
1.427148 port2 out 10.143.3.189.64958 -> 10.5.41.48.3389: syn 2923297620 <- Packet is leaving on port 2 (egress).
Notes:
- Place this specific policy above all other, more general policies, since policies are evaluated from top to bottom and the first match wins.
- To block a specific port instead, the steps are the same, except that the 'action' is set to 'Deny'.
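As an added example that is not part of the original article, the configuration below shows the same RDP policy with the source and destination narrowed from "all" to named address objects, and then moved above the broad policy as the first note recommends. The address object names, the subnets (taken from the hosts seen in the sniffer output above), and the policy ID 12 are assumptions; the service object "RDP_Port" and policy 11 are the ones created in the steps above.

```fortios
# Added example (not from the original article): hardened form of the
# Allow_RDP policy. Only the admin network may reach the single RDP host,
# and the policy is placed before the broad policy 11.
# Address names, subnets and policy ID 12 are assumed values.
config firewall address
    edit "Admin_Net"
        set subnet 10.143.3.0 255.255.255.0     # constructed: network of the client seen on port1
    next
    edit "RDP_Server"
        set subnet 10.5.41.48 255.255.255.255   # constructed: the RDP host seen behind port2
    next
end
config firewall policy
    edit 12
        set name "Allow_RDP_Admins"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "Admin_Net"
        set dstaddr "RDP_Server"
        set schedule "always"
        set service "RDP_Port"
        set logtraffic all
    next
    # Policies are matched top to bottom, so place the narrow policy first.
    move 12 before 11
end
```

Once the narrow policy is in place, policy 11 with srcaddr/dstaddr "all" can be removed or changed to 'set action deny' (as in the second note) so that RDP from any other source is explicitly blocked and logged.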