Firewall Policies - Needed Services
Hello forum,
I would like to know what is the best approach on restricting firewall policies as much as possible.
How to plan everything, which services are needed where, how to be sure that I will not leave out any services, etc.
Currently all services are allowed.
I will do a network segmentation to create more, smaller broadcast domains rather than having nearly everything in one VLAN, and while I'm going to do that I want to implement the most secure way for firewall policies also.
Any advice is welcome.
Labels: Firewall policy, FortiGate
1. When creating a firewall policy, allow only the necessary inbound and outbound traffic. Limit traffic to specific addresses or subnets (principle of least privilege). This is also beneficial to minimize the resource utilization on the FortiGate.
2. Know the services/ports needed. For instance, if the policy is for internet access, you can allow only DNS, HTTP, and HTTPS (FortiGate has a service group named 'Web Access'). For email, you can allow email-related ports (there is a service group named 'Email Access' on FortiGate).
3. Add only the security profiles that you need.
https://docs.fortinet.com/document/fortigate/7.4.0/best-practices/889496/security-profiles
More information in the following link:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/656084/firewall-policy
Hello,
Is there a way of checking the ports needed for specific servers etc, or is it manually googling? :)
Can I check it via FortiGate in the currently configured traffic: where it is going and which services it is using?
Default/standard ports are usually used. For instance, RDP uses TCP port 3389.
The sniffer command may be of help. You can play around with the filters.
https://docs.fortinet.com/document/fortiadc/7.0.0/cli-reference/395933/diagnose-sniffer-packet (I can't find the one for FortiGate, but they are the same as per checking)
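The follow-up question above asks whether the FortiGate itself can show where current traffic goes and which services it uses. As an added example (not from this thread or from Fortinet), the Python script below turns saved `diagnose sniffer packet` verbosity-4 output into a per-destination list of services and the sources that opened sessions to them, which is the raw material for least-privilege policies. The line layout, the sample capture and the small port-to-name table are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample of `diagnose sniffer packet any 'tcp or udp' 4` output; the
# line layout "<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>" is assumed.
SAMPLE = """\
interfaces=[any]
2.347285 port1 in 192.168.10.21.52341 -> 10.0.20.5.3389: syn 1234567890
2.347321 port2 out 192.168.10.21.52341 -> 10.0.20.5.3389: syn 1234567890
2.348011 port2 in 10.0.20.5.3389 -> 192.168.10.21.52341: syn 987654321 ack 1234567891
2.350102 port1 in 192.168.10.21.52341 -> 10.0.20.5.3389: ack 987654322
3.102233 port1 in 192.168.10.33.58047 -> 10.0.20.2.53: udp 36
3.103000 port2 in 10.0.20.2.53 -> 192.168.10.33.58047: udp 52
3.104009 port1 in 192.168.10.21.58050 -> 10.0.20.2.53: udp 40
4.220001 port1 in 192.168.10.21.49211 -> 10.0.20.7.8443: syn 555555555
"""
LINE_RE = re.compile(r"^\s*[\d.]+\s+\S+\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)"
                     r"\s+->\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<rest>\S.*)$")
# Hand-made port-to-name table (assumed to match FortiGate predefined service names).
KNOWN = {("tcp", 3389): "RDP", ("udp", 53): "DNS", ("tcp", 53): "DNS",
         ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("tcp", 25): "SMTP"}

def parse_line(line):
    """Return one packet as a dict, or None for header and unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = m["rest"].split()
    proto = "udp" if flags[0] == "udp" else "tcp"
    # A bare SYN (no 'ack' token) is a client opening a new TCP session.
    new = proto == "udp" or (flags[0] == "syn" and "ack" not in flags)
    return {"dir": m["dir"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "proto": proto, "new": new}

def summarize(text):
    """Map (dst_ip, service) -> sorted source IPs that opened sessions towards dst.
    Only the 'in' copy of each packet is used, so a forwarded packet counts once."""
    needed, udp_seen = defaultdict(set), set()
    for p in filter(None, map(parse_line, text.splitlines())):
        if p["dir"] != "in" or not p["new"]:
            continue
        if p["proto"] == "udp":
            if (p["dst"], p["dport"], p["src"], p["sport"]) in udp_seen:
                continue  # reply to a request already counted, not a new service
            udp_seen.add((p["src"], p["sport"], p["dst"], p["dport"]))
        service = KNOWN.get((p["proto"], p["dport"]), f"{p['proto'].upper()}/{p['dport']}")
        needed[(p["dst"], service)].add(p["src"])
    return {k: sorted(v) for k, v in needed.items()}

if __name__ == "__main__":
    for (dst, service), sources in sorted(summarize(SAMPLE).items()):
        print(f"{dst:<15} {service:<10} from {', '.join(sources)}")
```

Run the real capture through it, then turn each (destination, service) row into address and service objects for a policy, and watch for ports that only show up as bare `TCP/nnnn` entries, since those are the ones the default service groups will not cover.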
Thank you for this, it will be helpful.
I will play around to get as much information as possible.
The only way to learn it is to play and have fun with it.
