I need help configuring a block on incoming connections to a specific URL/website in my infrastructure:
Actually I've an IIS server published with a vip_rule in the firewall policy.
WAN --> serverLAn - source:all dest:vip_ipaddress protocol:80/443 ALLOW
On this webserver, inside my LAN, I've 20 different sites (all on the same IP address, because the "binding" is set up at IIS level and works correctly) and I need to filter access to a specific site (http:\\site1.mysite.com), blocking all traffic except 2 IP addresses.
Example (in my mind):
WAN -->serverLan - source:(group ip) dest:Http:\\site1.mysite.com protocol:80/443 ALLOW
WAN -->serverLan - source:all dest:Http:\\site1.mysite.com protocol:80/443 DENY
2 rules, because one blocks all traffic and the other allows only my authorized IPs.
I've tried, but without success.
All other sites on my IIS server instead are open to all inbound traffic without any filter.
In my opinion this should work, but you have to consider some stuff.
1) Policy order: FortiGate (and all other FWs) "read" the policies top-down. If a policy hits, no further rules are processed. So you have to put Wan-->ServerLan-->All-->Vip-->http/https after the "more restricted" policies.
2) About encrypted traffic: Not quite sure how the FGT processes URL destinations with HTTPS. Maybe you have to inspect SSL for that. So the first policy is allowing the specific IPs to site1...
The second is deny to site1... maybe with SSL inspection.
What if you create web filter profiles? You can create custom categories, enter all the sites you want to allow in one category, then the one you want to limit in another. Your first policy gets the web filter profile with both custom categories allowed (or just the one you want to limit), then the second policy has another web filter profile with the custom category with all the other sites allowed. Since you have the source IP set in the first policy, this should work for you.
Seems a bit tricky. If you have web-filtering in your licence you can try with a web-filtering profile where you specify in a custom denied category your domains that you don't wish to deny.
Keep in mind that it should work in HTTP but not in HTTPS without deep inspection enabled. Since it is traffic towards your own server, it shouldn't be too hard to get the server's certificate and enable deep inspection on that flow.
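To make the two points above concrete (top-down first-match policy order, and a hostname condition that only works when the firewall can actually see the hostname), here is an added example that models the thread's three policies in a small Python evaluator. It is not Fortinet code or configuration; the VIP address, the two authorized source IPs and the client addresses are constructed sample values.

```python
"""Model of a first-match firewall policy walk for the site1 scenario.

Added example, not FortiGate code. `host` is the hostname the firewall can
see: the HTTP Host header, or the HTTPS hostname only when inspection is
enabled. It is None when the firewall cannot read it (HTTPS, no inspection).
"""
from dataclasses import dataclass
from typing import Optional, FrozenSet

VIP = "203.0.113.10"                              # constructed VIP of the IIS server
AUTHORIZED = frozenset({"198.51.100.5", "198.51.100.6"})  # constructed allowed sources


@dataclass(frozen=True)
class Policy:
    name: str
    src: Optional[FrozenSet[str]]   # None = any source
    dst: str                        # VIP address
    host: Optional[str]             # None = any site behind the VIP
    action: str                     # "ALLOW" or "DENY"

    def matches(self, src_ip: str, dst_ip: str, host: Optional[str]) -> bool:
        if self.src is not None and src_ip not in self.src:
            return False
        if dst_ip != self.dst:
            return False
        # A hostname condition can only hit when the hostname is visible.
        if self.host is not None and host != self.host:
            return False
        return True


def evaluate(policies, src_ip, dst_ip, host=None, default="DENY"):
    """Walk policies top-down; return (name, action) of the first hit."""
    for p in policies:
        if p.matches(src_ip, dst_ip, host):
            return p.name, p.action
    return "implicit", default


ALLOW_SITE1 = Policy("allow-site1-authorized", AUTHORIZED, VIP, "site1.mysite.com", "ALLOW")
DENY_SITE1 = Policy("deny-site1-all", None, VIP, "site1.mysite.com", "DENY")
ALLOW_VIP = Policy("allow-vip-all", None, VIP, None, "ALLOW")

# Restrictive policies first, the broad VIP allow last (as the reply advises).
CORRECT_ORDER = [ALLOW_SITE1, DENY_SITE1, ALLOW_VIP]
# Broad allow first: it hits for everything, the site1 rules are never reached.
WRONG_ORDER = [ALLOW_VIP, ALLOW_SITE1, DENY_SITE1]
```

Run `evaluate(CORRECT_ORDER, "192.0.2.77", VIP, None)` to see the HTTPS-without-inspection case: the hostname is invisible, the site1 deny cannot match, and the request falls through to the broad allow.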
A Layer 3 policy won't work without a change in your design.