Hello All,
I have a Fortigate 100A (yeah I know it's old but it is in great shape with low hours on it). Firmware version: Fortigate-100A 3.00,build0247,060417
I have a virtual IP set up to allow access to our mail server on the inside and created Firewall policies to allow SMTP traffic to pass through to the email server inside IP.
The only problem is that no matter what I do it will not work unless I add TCP to the list of services in the policy and that opens up all the ports. I have tried everything I can to set deny rules etc... but nothing works.
Really need some guidance on this one as I come from Cisco and I am trying to get a handle on what is happening with the firewall policies and why I cannot seem to open ports selectively.
I tried to reorder them, putting the restrictive policies at the top or the bottom of the list, but nothing seems to work.
Thanks in advance.
Sean
I ended up finding the solution.
When setting up Custom Service ports under Services in the Firewall tab, you need to make sure that you set the source port to High 1 Low 65535 and then set the destination port to the whatever you desire to allow through the firewall (in my case port 26 and 587).
I hope this helps anyone else running into the same issue.
Sean
hi,
and welcome to the forums.
Usually, for a specific forwarding like this, you would use a port forwarding VIP. This opens one port only, not the 'service' choice in the policy.
A VIP is twofold: 1- a destination NAT and 2- ARP proxy. The FGT will react to connection attempts on those forwarded ports only. If you need multiple ports, create one VIP for each and put them into a VIP group which you then use in a policy 'wan' -> 'internal'. Best practice: if you can, use port forwarding VIPs to minimize the attack surface. Note that you cannot test a pfVIP (new word!) with 'ping' (obviously).
Getting a DENY policy to work in presence of a VIP policy is not straightforward. You can find an interesting thread here in the forum. But I don't think that this is the source of your problem.
Which then leads to my question: could you please post the VIP definition and the corresponding policy (text, from the CLI, if possible)? I don't quite understand what you mean with 'adding TCP' as SMTP already is a TCP protocol. We'll see.
Ede,
Thank you for your reply and the info.
I just meant that when I created the firewall policy my custom services would not work unless I added TCP to the services in the policy. That TCP service opens all of the TCP ports up wide, which would be helpful if the Fortigate was already behind a firewall and you wanted to open everything up between your LANs, but not so good if you are WAN facing like in my situation. The failure was happening because I was creating the custom services wrong.
I am in the middle of about 3 deployments right now and so slammed, but when I get time I will post a little more detail about how I configure it all.
Thanks again,
Sean
Ede,
My config is pretty straight forward:
I have DUAL WAN connections both serving the office for redundancy.
I have an internal Exchange Server. It serves POP3, IMAP/SMTP, OWA and also VPN Exchange connections.
I created VIPs for both external IP addresses of the email server mapping to the same internal IP Address.
I then created Custom Services for the alt smtp ports 26 and 587. Port 25 is used by only our spam filtering service as all inbound mail goes through their server first. So my Exchange Connection Control is limited to port 25 connections only from their servers.
I then created Service Groups (under Firewall > Services):
1. SpamFilter - SMTP
2. POP3Users - SMTP-26, SMTP-587, IMAP, POP3, HTTPS
I then created Firewall Policies:
wan -> internal
ID | SRC | Dest | Sched | Service | Action
---|---|---|---|---|---
7 | all | Enterprise Wan 2 | always | POP3_Users | ACCEPT
3 | SpamFilter | Enterprise Wan 2 | always | SpamFilter_Ports | ACCEPT
Also, to further lock down SMTP 25 to my spam filter service's server, I created an Address Group with only the Spam Filter server's IP Addresses in it, and set that in the Source of that policy.
I ran port scans and test connects on everything and it is locked down so I think I am good.
The only issue I was having was that I had set the Custom Service ports up incorrectly, once I fixed that everything worked as it should.
Thanks again for your insights.
Sean
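The port-forwarding VIP layout Ede describes, applied to Sean's split of port 25 (spam filter only) versus the user-facing submission port, written out as FortiOS CLI. This is an added illustration, not configuration posted in the thread: the WAN IP, mail server IP, interface names and object names are constructed placeholders, and the "SpamFilter" address group is assumed to exist already. Port 26 follows exactly the same pattern as 587 and can be collected with it into a VIP group.

```fortios
# Added example, not from the thread. Addresses, interface and object names
# are placeholders. Assumes the "SpamFilter" address group already exists.
# Custom service: destination port only; the source range stays at "any",
# which is the mistake Sean corrected in his custom services.
config firewall service custom
    edit "SMTP-587"
        set tcp-portrange 587
    next
end
# Port-forwarding VIPs, one per exposed port: the FortiGate answers only on
# these ports, so a policy using them cannot open anything else.
config firewall vip
    edit "MAIL_25"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.1.25
        set extport 25
        set mappedport 25
    next
    edit "MAIL_587"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.1.25
        set extport 587
        set mappedport 587
    next
end
# Port 25 only from the spam filter's addresses; 587 from anywhere.
config firewall policy
    edit 3
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "SpamFilter"
        set dstaddr "MAIL_25"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    edit 7
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "MAIL_587"
        set action accept
        set schedule "always"
        set service "SMTP-587"
    next
end
```

Because each VIP forwards a single port, a connection to any other port on 203.0.113.10 is dropped before policy lookup, which is the attack-surface reduction Ede refers to.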
Thanks for the details, you're welcome anytime.