Is there a way to allow connections (TCP, SSH, etc) to be established only one way ?
I would like the machines in my administration network to be allowed to ssh towards anywhere else, but the machines in all other networks should not be able to ssh towards the admin network.
That would be 'RELATED,ESTABLISHED' in iptables, but I am not sure how to do that with a Fortigate and would really appreciate some help.
Regards,
Hi Damien,
That is just how a stateful firewall works by default. :)
Just create a policy in one direction (i.e. admin interface to another interface) and don't create a policy in the reverse direction. Boom, done.
More details...
If for example the admin network is on lan1 and all other networks are on lan2, you would just create a policy with a source interface of lan1 and destination interface of lan2 that allows SSH.
If you have other networks on lan2, lan3, lan.. you will need to have multiple policies, all with a source interface of lan1 and each with the appropriate destination interface. You can also create zones to simplify things, but only if that also makes sense with your design.
- Daniel
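As an added illustration of the one-way policy described above (this is not from the original answer; the interface names lan1/lan2/lan3, the 10.10.0.0/24 admin subnet, the address object name and the policy name are all assumed), here is what it looks like in the FortiOS CLI. It also shows the zone variant mentioned at the end of the answer, which collapses the per-interface policies into one:

```fortios
# Address object for the admin network (assumed subnet 10.10.0.0/24)
config firewall address
    edit "admin-net"
        set subnet 10.10.0.0 255.255.255.0
    next
end

# One policy per destination interface: admin (lan1) -> lan2, SSH only.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "admin-to-lan2-ssh"
        set srcintf "lan1"
        set dstintf "lan2"
        set srcaddr "admin-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

# No lan2 -> lan1 policy is created. Return packets of sessions opened from
# lan1 match the session table (the iptables RELATED,ESTABLISHED equivalent);
# a new SSH connection from lan2 to lan1 hits the implicit deny (policy 0).

# Alternative when there are several "other" networks: put them in a zone
# and write a single policy against the zone. Note that once an interface is
# a zone member it can no longer be referenced directly in a policy.
config system zone
    edit "user-nets"
        set interface "lan2" "lan3"
    next
end

config firewall policy
    edit 0
        set name "admin-to-user-nets-ssh"
        set srcintf "lan1"
        set dstintf "user-nets"
        set srcaddr "admin-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

# Optional: log what the implicit deny drops, so blocked SSH attempts
# from the user networks towards the admin network show up in the logs.
config log setting
    set fwpolicy-implicit-log enable
end
```

To verify, open an SSH session from a lan1 host to a lan2 host (it should succeed and appear in the traffic log under the named policy), then attempt SSH from a lan2 host towards a lan1 host; with no reverse policy the SYN is dropped and, with implicit-deny logging enabled, logged as policy ID 0.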
Agreed, stateful is what a FortiGate does. Just ensure you do not allow the traffic but one way.
Ken Felix, PCNSE, NSE, StrongSwan