Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Block Traffic from IP address range for port 25
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 02-05-2008 07:20 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Block Traffic from IP address range for port 25
Hi,
I' m not sure if this belongs in Firewall Policies or Routing.
I' m a new 100A user. I' ve managed to setup the firewall policies to allow our exchange server to function properly.
We are going to try out the Postini email service and I need to block port 25 traffic for all IP' s except for the IP range of the Postini servers (which will be filtering our mail) so that any mail trying to by pass the mail filtering is blocked.
How I can go about doing this?
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome to the forums.
Basically, since the default action of any Fortigate is to block, simply allow port 25 to the IP range for those Postini servers. Create an address entity with the IP range (xxx.xxx.xxx.[starting number-ending number]). Create a second entity for your Exchange server.
If the mail is outbound, create a policy allowing traffic from the Exchange server to the Postini server range, and select SMTP for the service. A caveat here. FGT processes policies from the top of the list to the bottom, so place the more restrictive policies at the top of the list, and the more general near the bottom.
If the service is inbound, you' ll need to create a Virtual IP for the Exchange server, because the FGT will need to know what outside IP will point to the server. Go to Firewall - Virtual IP - Create New. Here select the external IP address, the internal server address, and set the port to 25. If you do not select a port here, all traffic for that IP address will now be pointed to your Exchange server. Not good. Makes troubleshooting a real pain later. Then just as above, create the policy, source all, destination that VIP rule just created, and service again 25.
Good luck.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 02-05-2008 09:51 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the quick reply. I just want to make sure I' m doing this right.
I' m configuring inbound traffic now. Can I do the following:
Under Firewall>Address, I created an IP range for the Postini servers (named " Postini" ) and also for our internal exchange server (named " Exchange" ). The interface is set to " Any" .
Under Firewall>Policy, I have inserted a new policy using " Postini"
as the Source Address Name, " Exchange" as the Destination Address Name, the service is set to " SMTP" , and the Action is set to " ACCEPT" . This policy has been inserted above the existing policy routing traffic to our mail server.
Regarding your comments configuring the inbound service:
Under Firewall>Virtual IP, I find that I cannot enter a range for the External IP Address/Range when trying to create a new Virtual IP. I can only enter a single IP address. I not sure why.
Thanks again.
---
Will
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The address you enter here is the address the world (Internet) will use to route mail to your Exchange server. This has to be a legitimate IP address that your ISP provided you. If you only have one IP address, that' s ok. Just use the port forwarding option like I stated in the first reply. Port 25 traffic will head to the Exchange server, and all other traffic will be handled by the FGT.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 02-05-2008 10:30 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah. My mistake. I was so focused on the IP addresses of the Postini servers that I forgot about the role that our IP addresses played. It makes sense now.
Anyway, I already have a Virtual IP setup for my exchange servers so that I got an message that an duplicate exists already.
So would the following work:
I created an IP range for the Postini servers (named " Postini" ) and also for our internal exchange server (named " Exchange" ). The interface is set to " Any" .
Under Firewall>Policy, I have inserted the new policy using " Postini"
as the Source Address Name, " Exchange" as the Destination Address Name, the service is set to " SMTP" , and the Action is set to " ACCEPT" . This policy has been inserted above the existing policy routing traffic to our mail server.
Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very logically, look at the source and destination. This will dictate the direction of traffic flow. Also another caveat: Any OUTBOUND policy that borders the Internet has to have NAT enabled. 192.168.x.x addresses are not routable over the Internet. Similarly, you cannot point to 192.168.x.x from the Internet. This is why the destination has to be the VIP rule you created. This is the glue between the outside IP address and the inside one. If by accident you enable NAT on an inward facing policy, all traffic will seem to come from you Fortigate.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,789 -
FortiClient
1,786 -
5.2
801 -
FortiManager
741 -
5.4
639 -
FortiAnalyzer
566 -
FortiSwitch
481 -
FortiAP
475 -
FortiClient EMS
438 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
254 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
215 -
FortiWeb
210 -
5.0
196 -
FortiNAC
194 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
109 -
FortiGateCloud
102 -
FortiSIEM
100 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
58 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
36 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiGate-VM
22 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
17 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1742 | |
| 1112 | |
| 759 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.