Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hams
New Contributor

Allow Pentester IP

I have FortiGate v7.2.5, where in the firewall can you whitelist the Pentester IP with the IPS Security Profile. Or is the best way to create a firewall policy to allow that traffic for the engagement?

1 Solution
fricci_FTNT
Staff
Staff

Hi @Hams ,

 

It would depend on the contract between you and the pentester, if they have have to simulate any potential malicious user on the Internet you may not need to allow traffic for that source IP. 
If you should need it, I would create a firewall policy and allow the traffic for that source specific IP. You can also decide to log the sessions on the specific firewall policy, but it would depend on what you have agreed with them. Be mindful anytime you have to allow any traffic on the WAN interface.

/!\ Make sure you enable/disable the allow firewall policy only when actually needed and once they finish, delete it.

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.

View solution in original post

2 REPLIES 2
fricci_FTNT
Staff
Staff

Hi @Hams ,

 

It would depend on the contract between you and the pentester, if they have have to simulate any potential malicious user on the Internet you may not need to allow traffic for that source IP. 
If you should need it, I would create a firewall policy and allow the traffic for that source specific IP. You can also decide to log the sessions on the specific firewall policy, but it would depend on what you have agreed with them. Be mindful anytime you have to allow any traffic on the WAN interface.

/!\ Make sure you enable/disable the allow firewall policy only when actually needed and once they finish, delete it.

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Toshi_Esumi
Esteemed Contributor III

If internal devices, like a prove device the tester installed, need to interact with the outside server, and they told you that traffic needs to be exempt from IPS, you need to create a new policy specifically to allow the internal device(s) to the external IP without the IPS profile.
But if it's for the outside IP toward the internal devices with VIPs they need to scan, I wouldn't exepmt it. You should ask about the detail what they're expecting.

 

Toshi

Labels
Top Kudoed Authors