jalejoFTNT
Staff
Article Id 352074
Description This article describes how to restrict HTTPS administrative access to the FortiGate to a custom HTTPS port and to sources in a single country, using a geography address object and a local-in policy.
Scope FortiGate
Solution

Prerequisites:

  • HTTPS access must be enabled on the WAN interface (the allowaccess line below):

config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.15.15.1 255.255.255.0
        set allowaccess https    <- HTTPS must be listed here
        set type physical
    next
end

  • Determine which port is being used for HTTPS administrative access:

In the GUI, go to System -> Settings -> Administration Settings -> HTTPS port.

HTTPS-custom-port-3.jpg

In the CLI:

show full system global | grep admin-sport
    set admin-sport 16443

  • Have access to the FortiGate from the LAN interface or through a console cable, so that management is not lost if the local-in policy blocks the source you are connecting from.

How to configure:

  1. Configure a firewall address for the country to be permitted.

In the GUI, go to Policy & Objects -> Addresses -> Create new:

HTTPS-custom-port-1.jpg

Set Type to Geography, choose the country, and select OK.

In the CLI (CO is the ISO country code for Colombia in this example):

config firewall address
    edit "Allow-Country"
        set type geography
        set country "CO"
    next
end

  2. Create a service object for the custom HTTPS port. The port must match admin-sport (16443 in this example); otherwise the local-in policy will not match the administrative traffic.

In the GUI, go to Policy & Objects -> Services -> Create new:

HTTPS-custom-port-2.jpg

In the CLI:

config firewall service custom
    edit "Custom-HTTPS"
        set tcp-portrange 16443
    next
end

  3. Create a local-in policy (only possible in the CLI). Policy 1 accepts the custom HTTPS service from the geography address; policy 2 denies the same service from every other source (deny is the default action for a local-in policy and is set explicitly here for clarity). Local-in policies are evaluated top down, so the accept entry must come before the deny entry. Without policy 2, allowaccess https would still admit every source. The intf value must be the actual name of the WAN interface on the unit (wan1 in this example).

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow-Country"
        set dstaddr "all"
        set action accept
        set service "Custom-HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "Custom-HTTPS"
        set schedule "always"
    next
end
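As an added check that is not part of the article, the following Python script parses a constructed FortiOS excerpt shaped like the objects above and flags the two mistakes that most often defeat this restriction: a service object whose port differs from admin-sport, and an accept entry with no later deny-all for the same service and interface. The parser and sample text are assumptions for illustration, not Fortinet tooling.

```python
# Constructed FortiOS CLI excerpt in the shape of the article's objects (not a real device dump).
SAMPLE = """
config firewall service custom
    edit "Custom-HTTPS"
        set tcp-portrange 16443
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow-Country"
        set action accept
        set service "Custom-HTTPS"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set service "Custom-HTTPS"
    next
end
"""

def parse_fortios(text):
    """Minimal parser: {table name: [entry dicts, in order]} built from config/edit/set lines."""
    tables, table, entry = {}, None, None
    for tok in (line.replace('"', "").split() for line in text.splitlines()):
        if tok and tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), [])
        elif tok and tok[0] == "edit":
            entry = {"name": tok[1]}
            table.append(entry)
        elif tok and tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
    return tables

def audit_local_in_https(text, admin_sport="16443"):
    """Return findings for the accept-from-country / deny-everyone-else pattern; [] means it looks sound."""
    cfg = parse_fortios(text)
    ports = {s["name"]: s.get("tcp-portrange") for s in cfg.get("firewall service custom", [])}
    policies = cfg.get("firewall local-in-policy", [])
    findings = []
    for i, p in enumerate(policies):
        svc, intf, act = p.get("service"), p.get("intf"), p.get("action", "deny")  # omitted action = deny
        if ports.get(svc) != admin_sport:  # a service on the wrong port leaves admin-sport unrestricted
            findings.append(f"policy {p['name']}: service {svc} does not match admin-sport {admin_sport}")
        if act == "accept" and not any(q.get("action", "deny") == "deny" and q.get("srcaddr") == "all"
                                       and (q.get("intf"), q.get("service")) == (intf, svc) for q in policies[i + 1:]):
            findings.append(f"policy {p['name']}: no later deny-all for {svc} on {intf}")  # allowaccess still admits everyone
    return findings
```

Run it against a `show firewall local-in-policy` and `show firewall service custom` dump pasted into SAMPLE, passing the unit's real admin-sport value.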