Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Dan_Chan
New Contributor

FortiGate - VLAN Want To Create a Lockdown Policy for It

Hi All,

I've created a VLAN for 2 IoT devices.

I have not received any network requirements for them.

I want to create a policy which locks them down to only the essential required outbound ports and destinations.

How can I achieve this? Is it using debug flow? I find it hard to get the information I need from it?

Any help will be appreciated.

Many thanks,

3 Solutions
Immu
New Contributor III

You can start a packet capture on the FGT (Network > Diagnostics > choose interface and set filter).

And filter the source IP addresses (addresses of IoT devices).

After a while you should be able to see (use Wireshark!) what these devices are trying to connect to?!

 

But in best case you find a manual for these IoT devices...

View solution in original post

Cajuntank
Contributor II

Piggy backing off what @Immu  mentioned, if you are not familiar with Wireshark, you can also do this another way by going to Log & Report\ Forward Traffic and then specifying one of your IoT devices as the source and see what IPs and ports are being shown for traffic to the IoT, then you can specify the IoT as the destination to get the reverse data. I'd let this run for a while, get that data. Then perform those tasks a time or two more later on to confirm. After you implement, you can spot check this later on to confirm there are no denies for IPs or ports you might have missed. This should get you pretty close if not spot on, but again as @Immu  mentioned, best case is to find the manual for the IoT devices as what if you allowed a port that should not have been allowed only because you saw the inquiry to it...surely the info for those requirements can be gleaned off of the IoT's manufacturer website.

View solution in original post

SassiVeeran
Staff
Staff

Hi,

Two way here, but its all depend on your requirement at last. Idea is just to route/allow the traffic through required port.

- You may find article here to configure port forwarding using VIP for any custom ports.

https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/657500/using-virtual-ips-to-configure-po...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-port-forwarding-using-FortiGate-...

- You may also create a firewall policy and specify the "service" column in the policy. Either using default service port or newly created.

View solution in original post

4 REPLIES 4
Immu
New Contributor III

You can start a packet capture on the FGT (Network > Diagnostics > choose interface and set filter).

And filter the source IP addresses (addresses of IoT devices).

After a while you should be able to see (use Wireshark!) what these devices are trying to connect to?!

 

But in best case you find a manual for these IoT devices...

Cajuntank
Contributor II

Piggy backing off what @Immu  mentioned, if you are not familiar with Wireshark, you can also do this another way by going to Log & Report\ Forward Traffic and then specifying one of your IoT devices as the source and see what IPs and ports are being shown for traffic to the IoT, then you can specify the IoT as the destination to get the reverse data. I'd let this run for a while, get that data. Then perform those tasks a time or two more later on to confirm. After you implement, you can spot check this later on to confirm there are no denies for IPs or ports you might have missed. This should get you pretty close if not spot on, but again as @Immu  mentioned, best case is to find the manual for the IoT devices as what if you allowed a port that should not have been allowed only because you saw the inquiry to it...surely the info for those requirements can be gleaned off of the IoT's manufacturer website.

SassiVeeran
Staff
Staff

Hi,

Two way here, but its all depend on your requirement at last. Idea is just to route/allow the traffic through required port.

- You may find article here to configure port forwarding using VIP for any custom ports.

https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/657500/using-virtual-ips-to-configure-po...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-port-forwarding-using-FortiGate-...

- You may also create a firewall policy and specify the "service" column in the policy. Either using default service port or newly created.

Dan_Chan
New Contributor

Thanks all for the help. I'll give it all a go.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors