Support Forum
philbud
New Contributor

Fortigate rule to permit only connectwise on computer in network

I would like to permit only ScreenConnect (cloud hosted) on a computer that is in the network.

This computer does not need internet, but we would like to be able to connect to it remotely via ScreenConnect in case of troubleshooting. We already do this at another site, but with LogMeIn (a similar product), and it works perfectly; in that case I can select all the LogMeIn destinations (Internet Service), but there is no ScreenConnect or ConnectWise entry in the Internet Service section on the FortiGate. Is there any way that I could do this?

1 Solution
adhawan
Staff

G'day,
Thank you for using the Community Forum.


To permit only ConnectWise (ScreenConnect) on a computer in your network using FortiGate, you can follow these steps:

1. **Identify ConnectWise IP Addresses:**
   - Obtain the list of IP addresses or domain names used by ConnectWise for their cloud-hosted services. This information is typically available from ConnectWise support or documentation.

2. **Create an Address Object:**
   - Access the FortiGate CLI.
   - Create an address object for each IP address or domain name associated with ConnectWise.

```shell
config firewall address
    edit "ConnectWise_IP"
        set subnet <IP_Address> 255.255.255.255
    next
end
```

3. **Create a Firewall Policy:**
   - Create a policy to allow traffic from the specific computer to the ConnectWise IP addresses.

```shell
config firewall policy
    edit <policy_id>
        set srcintf "<source_interface>"
        set dstintf "<destination_interface>"
        set srcaddr "<source_computer_address>"
        set dstaddr "ConnectWise_IP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

4. **Deny All Other Traffic:**
   - Create a policy to deny all other traffic from the specific computer.

```shell
config firewall policy
    edit <policy_id>
        set srcintf "<source_interface>"
        set dstintf "<destination_interface>"
        set srcaddr "<source_computer_address>"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end
```

5. **Policy Order:**
   - Ensure that the allow policy for ConnectWise is placed above the deny all policy in the policy list.

6. **Test the Configuration:**
   - Verify that the computer can connect to ConnectWise but cannot access other internet services.

By following these steps, you can restrict the computer to only connect to ConnectWise while blocking all other internet access.

Ankit Dhawan
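The ordering point in step 5 (and the test in step 6) is easy to get wrong once a FortiGate already carries a broad LAN-to-WAN policy. The following is an added example, not part of the answer above and not Fortinet code: a small first-match policy evaluator that models the accept/deny pair from steps 3 and 4 and checks the intended outcome for the workstation. All addresses are constructed placeholders (TEST-NET ranges); the real ConnectWise addresses come from ConnectWise's documentation, and `Workstation_PC`, policy IDs 1, 10 and 11 and the probe IPs are assumptions for the demonstration. Interfaces, schedules and services are ignored to keep the model short.

```python
"""First-match model of the allow-ConnectWise / deny-everything policy pair.

Constructed example for checking policy order; not FortiGate code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address objects (placeholders from the TEST-NET ranges).
ADDRESS_OBJECTS = {
    "ConnectWise_IP": ["203.0.113.10/32", "203.0.113.11/32"],  # hypothetical
    "Workstation_PC": ["192.168.10.25/32"],                    # hypothetical
    "all": ["0.0.0.0/0"],
}


@dataclass
class Policy:
    """One firewall policy; only the fields the model needs."""
    policy_id: int
    srcaddr: str
    dstaddr: str
    action: str  # "accept" or "deny"


def _matches(obj_name: str, ip: str) -> bool:
    """True if ip falls inside any network of the named address object."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in ADDRESS_OBJECTS[obj_name])


def evaluate(policies, src_ip: str, dst_ip: str):
    """Return (action, policy_id) of the first policy that matches, top to
    bottom. Traffic matching no policy hits the implicit deny (id 0)."""
    for pol in policies:
        if _matches(pol.srcaddr, src_ip) and _matches(pol.dstaddr, dst_ip):
            return pol.action, pol.policy_id
    return "deny", 0


def verify_restriction(policies, host_ip: str, allowed_obj: str, probe_ips):
    """Check the thread's intent: the host reaches every address in
    allowed_obj and nothing in probe_ips. Returns a list of problems,
    empty when the policy set behaves as intended."""
    problems = []
    for net in ADDRESS_OBJECTS[allowed_obj]:
        ip = str(ip_network(net).network_address)
        action, pid = evaluate(policies, host_ip, ip)
        if action != "accept":
            problems.append(f"{ip} blocked by policy {pid}: check policy order")
    for ip in probe_ips:
        action, pid = evaluate(policies, host_ip, ip)
        if action != "deny":
            problems.append(f"{ip} allowed by policy {pid}: a broader accept sits above the deny")
    return problems


# Steps 3 and 4 in the order step 5 asks for: allow above deny.
CORRECT_ORDER = [
    Policy(10, "Workstation_PC", "ConnectWise_IP", "accept"),
    Policy(11, "Workstation_PC", "all", "deny"),
]
# Same two policies with the deny placed first.
WRONG_ORDER = list(reversed(CORRECT_ORDER))
# A pre-existing "everything out" policy left above the pair (hypothetical id 1).
BROAD_FIRST = [Policy(1, "all", "all", "accept")] + CORRECT_ORDER

# Constructed non-ConnectWise destinations for the step-6 test.
PROBE_IPS = ["198.51.100.5", "192.0.2.7"]

if __name__ == "__main__":
    for name, pols in [("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER), ("broad", BROAD_FIRST)]:
        issues = verify_restriction(pols, "192.168.10.25", "ConnectWise_IP", PROBE_IPS)
        print(name, "->", issues or "OK")
```

Running it shows the correct set passing, the reversed pair blocking ConnectWise on policy 11, and the broad accept letting the probe addresses through on policy 1, which is the case the CLI snippets alone do not reveal: the new pair must also sit above any existing general outbound policy that matches the workstation.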
