Hi All,
I've created a VLAN for 2 IoT devices.
I have not received any network requirements for them.
I want to create a policy which locks them down to only the essential required outbound ports and destinations.
How can I achieve this? Is it using debug flow? I find it hard to get the information I need from it?
Any help will be appreciated.
Many thanks,
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can start a packet capture on the FGT (Network > Diagnostics > choose interface and set filter).
And filter the source IP addresses (addresses of IoT devices).
After a while you should be able to see (use Wireshark!) what these devices are trying to connect to?!
But in best case you find a manual for these IoT devices...
Piggy backing off what @Immu mentioned, if you are not familiar with Wireshark, you can also do this another way by going to Log & Report\ Forward Traffic and then specifying one of your IoT devices as the source and see what IPs and ports are being shown for traffic to the IoT, then you can specify the IoT as the destination to get the reverse data. I'd let this run for a while, get that data. Then perform those tasks a time or two more later on to confirm. After you implement, you can spot check this later on to confirm there are no denies for IPs or ports you might have missed. This should get you pretty close if not spot on, but again as @Immu mentioned, best case is to find the manual for the IoT devices as what if you allowed a port that should not have been allowed only because you saw the inquiry to it...surely the info for those requirements can be gleaned off of the IoT's manufacturer website.
Hi,
Two way here, but its all depend on your requirement at last. Idea is just to route/allow the traffic through required port.
- You may find article here to configure port forwarding using VIP for any custom ports.
- You may also create a firewall policy and specify the "service" column in the policy. Either using default service port or newly created.
You can start a packet capture on the FGT (Network > Diagnostics > choose interface and set filter).
And filter the source IP addresses (addresses of IoT devices).
After a while you should be able to see (use Wireshark!) what these devices are trying to connect to?!
But in best case you find a manual for these IoT devices...
Piggy backing off what @Immu mentioned, if you are not familiar with Wireshark, you can also do this another way by going to Log & Report\ Forward Traffic and then specifying one of your IoT devices as the source and see what IPs and ports are being shown for traffic to the IoT, then you can specify the IoT as the destination to get the reverse data. I'd let this run for a while, get that data. Then perform those tasks a time or two more later on to confirm. After you implement, you can spot check this later on to confirm there are no denies for IPs or ports you might have missed. This should get you pretty close if not spot on, but again as @Immu mentioned, best case is to find the manual for the IoT devices as what if you allowed a port that should not have been allowed only because you saw the inquiry to it...surely the info for those requirements can be gleaned off of the IoT's manufacturer website.
Hi,
Two way here, but its all depend on your requirement at last. Idea is just to route/allow the traffic through required port.
- You may find article here to configure port forwarding using VIP for any custom ports.
- You may also create a firewall policy and specify the "service" column in the policy. Either using default service port or newly created.
Thanks all for the help. I'll give it all a go.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.