Hello,
I've got a Time Clock that needs to communicate out to a Vendor's servers.
I was told that
"Port 443 Outbound must be open to the following IP addresses: [...]"
I've got my device hooked up to the network and it requires a static IP address. Apparently, the Vendor's servers do not see a connection. How do I ensure they have 443 outbound? I didn't even think I needed to make changes on my firewall to allow specific ports outbound?
What you want is to create some address firewall objects for the four addresses and group them. Then create a firewall policy from internal (e.g. lan) to WAN (or WAN1), setting the dest to the address group with port 443 (e.g. HTTPS). Move this policy up in the firewall policy list so it is triggered. e.g. (example only) from the CLI. I do not know what else you would need though:

config firewall address
    edit "timeclocks1"
        set associated-interface "wan1"
        set subnet 170.146.48.126 255.255.255.255
    next
    edit "timeclocks2"
        set associated-interface "wan1"
        set subnet 170.146.235.104 255.255.255.255
    next
    edit "timeclocks3"
        set associated-interface "wan1"
        set subnet 170.146.48.125 255.255.255.255
    next
    edit "timeclocks4"
        set associated-interface "wan1"
        set subnet 170.146.235.103 255.255.255.255
    next
end

config firewall addrgrp
    edit "timeclockgroup"
        set member "timeclocks1" "timeclocks2" "timeclocks3" "timeclocks4"
    next
end

config firewall policy
    edit 0
        set name "connection-timeclocks"
        set srcintf "internal_net"
        set dstintf "wan1"
        set srcaddr "All_Internal"
        set dstaddr "timeclockgroup"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end

Edit: that documentation I found on the Internet gives no information on how the internal clock device is supposed to be getting a static IP or if you need to enable NAT (on the firewall policy).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
There is one thing I'm tripped up on about this ~
This firewall has its wan2 connected to the ISP box.
There is a VLAN on wan2 that has been assigned the front-facing IP address and a tunnel interface set on it.
When I create these policies, do I replace the wan in your example with the VLAN, since it has the front facing address?
After I do that, would I need to create another policy between wan2 and the VLAN?
Well, unless you limited your policy for internet access from the subnet your clock device is in to specific services, there is no outbound limit. So communication outbound should work. 443/tcp is btw the standard port for the https protocol.
So far it doesn't even matter whether the device has a static IP or a DHCP IP. Usually you have a policy that allows internet for the whole subnet.
If you don't have one for this subnet you will have to create one. You could then limit that to those destinations and port 443 like Dave wrote. Since I guess you don't have a public subnet behind your FGT you will have to do NAT to make it work!
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
you could debug that on your FGT on command line:
diag debug enable
diag debug flow show console enable
diag debug flow filter clear
diag debug flow filter saddr <ipoftheclockdevice>
diag debug flow trace start <numberofpackets>
then have your clock device try to communicate and watch the FGT CLI.
flow trace will show you what comes in and what happens to it.
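To make the flow trace easier to read once the clock device has been sending traffic, here is an added example (not from the poster or from Fortinet) that groups "diag debug flow" output by trace_id and reports, per flow, the 5-tuple, the egress interface and whether the packet was allowed or denied and by which policy. The sample lines are constructed to resemble FortiOS trace output; real output may vary by firmware, so the regular expressions are assumptions to adjust against your own device.

```python
import re
from collections import OrderedDict

# Constructed sample of "diag debug flow" output (not captured from a real
# device): one flow allowed by policy 5, one denied by the implicit policy 0.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 192.168.10.50:51234->170.146.48.126:443) from internal. flag [S], seq 1, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=5523 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=751 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 192.168.10.50:51235->170.146.235.104:443) from internal. flag [S], seq 1, ack 0, win 65535"
id=20085 trace_id=2 func=init_ip_session_common line=5523 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=772 msg="Denied by forward policy check (policy 0)"
"""

# Assumed line shapes; verify them against the trace from your own firmware.
TRACE_ID_RE = re.compile(r'trace_id=(\d+)')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route:.* via (\S+)"')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def parse_flow_trace(text):
    """Group trace lines by trace_id; return an ordered dict of per-flow
    summaries (protocol, src, dst, ingress/egress interface, verdict, policy)."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = TRACE_ID_RE.search(line)
        if not m:
            continue  # not a flow-trace line (e.g. CLI echo)
        flow = flows.setdefault(m.group(1), {
            'proto': None, 'src': None, 'dst': None, 'in_if': None,
            'out_if': None, 'verdict': 'no decision', 'policy': None})
        pm = PKT_RE.search(line)
        if pm:
            flow['proto'] = int(pm.group(1))
            flow['src'] = f"{pm.group(2)}:{pm.group(3)}"
            flow['dst'] = f"{pm.group(4)}:{pm.group(5)}"
            flow['in_if'] = pm.group(6)
        rm = ROUTE_RE.search(line)
        if rm:
            flow['out_if'] = rm.group(1)  # interface the policy must use as dstintf
        am = ALLOW_RE.search(line)
        if am:
            flow['verdict'], flow['policy'] = 'allowed', int(am.group(1))
        dm = DENY_RE.search(line)
        if dm:
            flow['verdict'], flow['policy'] = 'denied', int(dm.group(1))
    return flows


for tid, f in parse_flow_trace(SAMPLE_TRACE).items():
    print(f"trace {tid}: {f['src']} -> {f['dst']} in={f['in_if']} out={f['out_if']} {f['verdict']} (policy {f['policy']})")
```

A flow that ends "denied (policy 0)" hit the implicit deny, which means no policy from the clock's source interface to the egress interface shown in out= matched; that is the interface pair to use for srcintf/dstintf in the policy above.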