Hello forum,
I would like to know what is the best approach on restricting firewall policies as much as possible.
How to plan everything, which services are needed where, how to be sure that I will not leave any services out, etc.
Currently all services are allowed.
I will do network segmentation to create more, smaller broadcast domains rather than having nearly everything in one VLAN, and while I'm doing that I also want to implement the most secure firewall policies.
Any advice is welcome.
1. When creating a firewall policy, allow only the necessary inbound and outbound traffic. Limit traffic to specific addresses or subnets (principle of least privilege). This is also beneficial to minimize the resource utilization on the FortiGate.
2. Know the services/ports needed. For instance, if the policy is for internet access, you can allow only DNS, HTTP, and HTTPS (FortiGate has a service group named 'Web Access'). For email, you can allow email-related ports (there is a service group named 'Email Access' on FortiGate).
3. Add only the security profiles that you need.
https://docs.fortinet.com/document/fortigate/7.4.0/best-practices/889496/security-profiles
More information from the following links:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/656084/firewall-policy
Hello,
Is there a way of checking the ports needed for specific servers etc., or is it manual googling? :)
Can I check it via FortiGate in the currently configured traffic, i.e. where it is going and which services it is using?
Default/standard ports are usually used. For instance, RDP uses TCP port 3389.
The sniffer command may be of help. You can play around with the filters.
https://docs.fortinet.com/document/fortiadc/7.0.0/cli-reference/395933/diagnose-sniffer-packet (I can't find the one for FortiGate, but they are the same as per checking)
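The two replies above (the least-privilege policy checklist and the tip to look at the actual traffic) combine into one workflow: log everything through the current allow-all policy, aggregate the accepted flows, and turn the result into per-service policies. The script below is an added example, not code from this thread or from Fortinet. It assumes FortiOS traffic logs in their usual key=value syslog form (srcip, dstip, dstport, proto, srcintf, dstintf, service, action), that the allow-all policy has logging enabled, and that address objects named like `net_10.10.1.0_24` / `host_10.20.1.5` are created beforehand; those names, the /24 summarisation and the sample log lines are constructed for illustration.

```python
"""Summarise FortiGate traffic logs into candidate least-privilege policies.

Added example (not from the forum thread or Fortinet). Assumes FortiOS
key=value traffic logs and that the current allow-all policy logs all
sessions, so every flow that matters shows up at least once.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines, not captured from a real device.
SAMPLE_LOGS = """\
date=2024-03-01 time=09:00:01 type="traffic" subtype="forward" srcip=10.10.1.20 srcport=51234 srcintf="port2" dstip=10.20.1.5 dstport=3389 dstintf="port3" proto=6 service="RDP" action="accept" policyid=1
date=2024-03-01 time=09:00:02 type="traffic" subtype="forward" srcip=10.10.1.21 srcport=51300 srcintf="port2" dstip=10.20.1.5 dstport=3389 dstintf="port3" proto=6 service="RDP" action="accept" policyid=1
date=2024-03-01 time=09:00:03 type="traffic" subtype="forward" srcip=10.10.1.20 srcport=40000 srcintf="port2" dstip=10.20.1.10 dstport=53 dstintf="port3" proto=17 service="DNS" action="accept" policyid=1
date=2024-03-01 time=09:00:04 type="traffic" subtype="forward" srcip=10.10.1.22 srcport=40001 srcintf="port2" dstip=93.184.216.34 dstport=443 dstintf="port1" proto=6 service="HTTPS" action="accept" policyid=1
date=2024-03-01 time=09:00:05 type="traffic" subtype="forward" srcip=10.10.1.20 srcport=40002 srcintf="port2" dstip=10.20.1.5 dstport=445 dstintf="port3" proto=6 service="SMB" action="deny" policyid=2
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_line(line):
    """Turn one key=value log line into a dict with the quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def summarise_flows(log_text, prefixlen=24):
    """Aggregate accepted forward traffic into
    (srcintf, srcnet, dstintf, dstip, proto, dstport, service) -> hit count.

    Sources are collapsed to a /prefixlen so many clients in one VLAN become one
    row. Denied sessions are skipped: a block is not evidence that a service
    is needed, and carrying it over would re-open what is already closed.
    """
    flows = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("type") != "traffic" or f.get("action") != "accept":
            continue
        srcnet = ipaddress.ip_network(f"{f['srcip']}/{prefixlen}", strict=False)
        proto = PROTO_NAMES.get(int(f["proto"]), f["proto"])
        key = (f["srcintf"], str(srcnet), f["dstintf"], f["dstip"],
               proto, int(f["dstport"]), f.get("service", ""))
        flows[key] += 1
    return dict(flows)


def to_fortios_policies(flows, start_id=100):
    """Render the summary as a FortiOS 'config firewall policy' fragment.

    Address object names (net_<subnet>, host_<ip>) are a naming assumption and
    must exist under 'config firewall address' before this is pasted in. The
    service name comes straight from the log; an empty one falls back to a
    PROTO_port placeholder that needs a custom service object.
    """
    out = ["config firewall policy"]
    pid = start_id
    for (sintf, snet, dintf, dip, proto, port, svc), hits in sorted(flows.items()):
        srcaddr = "net_" + snet.replace("/", "_")
        dstaddr = "host_" + dip
        service = svc or f"{proto}_{port}"
        name = f"{service}_{snet}_to_{dip}"[:35]  # FortiOS policy names are capped at 35 chars
        out += [
            f"    edit {pid}",
            f'        set name "{name}"',
            f'        set srcintf "{sintf}"',
            f'        set dstintf "{dintf}"',
            f'        set srcaddr "{srcaddr}"',
            f'        set dstaddr "{dstaddr}"',
            "        set action accept",
            '        set schedule "always"',
            f'        set service "{service}"',
            "        set logtraffic all",
            f'        set comments "{proto}/{port}, {hits} accepted sessions in sampled logs"',
            "    next",
        ]
        pid += 1
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_fortios_policies(summarise_flows(SAMPLE_LOGS)))
```

Run it over a week or more of exported traffic logs so monthly jobs and backup windows are not missed, review every generated row (a flow being present does not mean it should be allowed, and the /24 summarisation may be too wide for a server VLAN), create the referenced address objects, paste the fragment in above the allow-all policy, and only then switch the allow-all policy to deny with logging on so anything you missed shows up as a logged drop rather than an outage.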
Thank you for this, it will be helpful.
I will play around to get as much information as possible.
The only way to learn it is to play and have fun with it.