Support Forum
os
New Contributor

Allow only relevant protocol for associated port

Hi,

We will be implementing a FortiGate firewall using transparent proxy to replace an existing proxy server for outbound access. This will be set up for a school and will require restrictive outbound access. The firewall will be configured to use the FortiGuard service to define which web categories are accessible.

My initial plan is to implement a general outbound firewall rule to allow HTTP, HTTPS and FTP. My concern is that the firewall rule will have FTP (port 21) outbound to any destination address. How can I configure the firewall so that only the FTP protocol is allowed outbound on port 21? My concern is that someone could set up an SSH server on port 21 at home and connect to it. I only want FTP protocol traffic on port 21, and would possibly use a similar method so that anything that is not HTTP or HTTPS traffic on ports 80 and 443 is blocked.

I have done some initial testing and can apply Application Control to block SSH on the rule, which works. However, I think it would be more accurate, if possible, to define a rule so that anything that is not FTP on port 21 is blocked. Is this possible? I have looked through the cookbook and KB but have been unable to find an answer.

Many thanks.
3 REPLIES
Rick_H
New Contributor III

This may seem kind of hacky, but here's how I would probably accomplish this:
1) Create an Application Control profile that disables all applications except FTP.
2) Create a policy that allows FTP to the outside and apply UTM + Application Control with the FTP-only profile.
3) Repeat steps 1 and 2 for the other applications/ports you both want to allow out and also want to make sure non-standard protocols aren't masquerading under those port numbers.
This will net you a lot of individual policies if you allow a lot of individual ports out. It should accomplish what you're looking for, though.
ede_pfau
SuperUser

..."allow FTP only" in AppControl will need to block all known and unknown apps plus an exempt rule to allow the FTP protocol. Together with the service "FTP" in the policy, only FTP traffic on port 20/21 will be allowed to pass.
Ede Kernel panic: Aiee, killing interrupt handler!
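The layout both replies above describe (an Application Control profile that passes FTP and blocks everything else, attached to a policy whose service is FTP), written out as FortiOS CLI. This is an added example, not text from either poster and not Fortinet documentation. The interface names `internal` and `wan1`, the profile and policy names, and the `<FTP-app-id>` placeholder are assumptions: the numeric ID that `set application` expects is not on this page, so look it up on your own unit under Security Profiles > Application Control > View Application Signatures before pasting.

```text
# Added example: Application Control profile that only passes FTP.
# "other" = recognised applications not listed in entries; "unknown" = traffic
# the engine could not classify at all. Both are blocked and logged.
config application list
    edit "ftp-only"
        set comment "Pass FTP only; block every other known or unknown app"
        set other-application-action block
        set other-application-log enable
        set unknown-application-action block
        set unknown-application-log enable
        config entries
            edit 1
                # <FTP-app-id>: numeric signature ID of FTP on your FortiGate
                set application <FTP-app-id>
                set action pass
            next
        end
    next
end

# Outbound policy: service "FTP" limits the port, the profile limits the
# protocol. Interface names are assumptions; use your own.
config firewall policy
    edit 0
        set name "outbound-ftp-only"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "FTP"
        set utm-status enable
        # A security profile attached to a policy normally also needs an
        # SSL/SSH profile; certificate-inspection does no decryption.
        set ssl-ssh-profile "certificate-inspection"
        set application-list "ftp-only"
        set logtraffic all
    next
end
```

Two practical caveats. Application Control classifies a flow from its first data packets, so the opening packets of an SSH session on port 21 are forwarded before the engine identifies and blocks it; that is why the profile logs blocked and unknown traffic, so a repeat offender shows up in the logs. And the same pattern is repeated per service (a second profile passing only HTTP/HTTPS on a second policy whose service is HTTP and HTTPS), which is the growing list of policies Rick_H warns about.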
os
New Contributor

Thank you both for the replies. I suspected Application Control would be the direction, but was thinking maybe there was some global command or a setting in Protocol Options. Thanks again for clarifying!