Infotech22
Contributor

Firewall Policies - Needed Services

Hello forum,

I would like to know the best approach to restricting firewall policies as much as possible.
How to plan everything, which services are needed where, how to be sure that I will not leave out any services, etc.

Currently all services are allowed.
I will do network segmentation to create more, smaller broadcast domains rather than having nearly everything in one VLAN, and while I'm doing that I want to implement the most secure firewall policies as well.

Any advice is welcome.


4 REPLIES
mpftnt
Staff

1. When creating a firewall policy, allow only the necessary inbound and outbound traffic. Limit traffic to specific addresses or subnets (principle of least privilege). This is also beneficial to minimize the resource utilization on the FortiGate.

2. Know the services/ports needed. For instance, if the policy is for internet access, you can allow only DNS, HTTP, and HTTPS (FortiGate has a service group named 'Web Access'). For email, you can allow email-related ports (there is a service group named 'Email Access' on FortiGate).

3. Add only the security profiles that you need.

https://docs.fortinet.com/document/fortigate/7.4.0/best-practices/889496/security-profiles

More information from the following links:

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/656084/firewall-policy

Infotech22

Hello,

Is there a way of checking the ports needed for specific servers etc., or is it manual googling? :)
Can I check it via FortiGate in the currently configured traffic: where it is going and which services it is using?

mpftnt

Default/standard ports are usually used. For instance, RDP uses TCP port 3389.

The sniffer command may be of help. You can play around with the filters.

https://docs.fortinet.com/document/fortiadc/7.0.0/cli-reference/395933/diagnose-sniffer-packet (I can't find the one for FortiGate, but they are the same as per my checking)

https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complet...
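Worked example (added here; it is not from the post above or from Fortinet): a Python script that parses output shaped like `diagnose sniffer packet any 'tcp or udp' 4` and tallies which source/destination/service combinations are actually in use, as a first draft for the least-privilege policies discussed in this thread. The sample lines are constructed, and the line regex and the port-to-service map are assumptions about the verbose-4 output format and FortiGate's predefined service names.

```python
import re
from collections import Counter

# Constructed sample shaped like `diagnose sniffer packet any 'tcp or udp' 4` output.
SAMPLE = """\
interfaces=[any]
filters=[tcp or udp]
1.102233 port2 in 10.10.1.20.51522 -> 10.10.2.5.3389: syn 882193321
1.102512 port3 out 10.10.1.20.51522 -> 10.10.2.5.3389: syn 882193321
1.104877 port3 in 10.10.2.5.3389 -> 10.10.1.20.51522: syn 11983 ack 882193322
1.210011 port2 in 10.10.1.31.40021 -> 10.10.0.2.53: udp 48
1.300420 port2 in 10.10.1.31.49802 -> 203.0.113.10.443: syn 20191
1.300921 port2 in 10.10.1.20.49811 -> 10.10.2.9.445: syn 31776
"""
# Assumed verbose-4 line shape: time, interface, direction, src.port -> dst.port: info
LINE = re.compile(
    r"^\s*\d+\.\d+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<info>.*)$"
)
# Well-known ports and the FortiGate predefined service names they map to (assumed).
SERVICE_NAMES = {("tcp", 3389): "RDP", ("udp", 53): "DNS", ("tcp", 80): "HTTP",
                 ("tcp", 443): "HTTPS", ("tcp", 445): "SMB"}

def parse_flows(text):
    """Count new sessions as (src, dst, proto, dport) from sniffer output."""
    flows = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        # 'in' = ingress only; the same forwarded packet also appears 'out' on egress
        if not m or m["dir"] != "in":
            continue
        info = m["info"]
        if info.startswith("udp"):
            proto = "udp"
        elif info.startswith("syn") and " ack " not in f" {info} ":
            proto = "tcp"          # plain SYN = a client opening a session
        else:
            continue               # SYN/ACK replies, data segments, etc.
        flows[(m["src"], m["dst"], proto, int(m["dport"]))] += 1
    return flows

def policy_candidates(flows):
    """Group sessions into (src, dst) -> sorted service labels for policy planning."""
    plan = {}
    for src, dst, proto, dport in flows:
        label = SERVICE_NAMES.get((proto, dport), f"{proto.upper()}/{dport}")
        plan.setdefault((src, dst), set()).add(label)
    return {k: sorted(v) for k, v in plan.items()}
```

Run it against a capture taken over a full business cycle before cutting policies, since anything not seen in the sample window (backups, monthly jobs) will be missing from the draft.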

Infotech22

Thank you for this, it will be helpful.
I will play around to get as much information as possible.

The only way to learn it is to play and have fun with it.
