Internet Service as source
I'm trying to configure an IPv4 policy on the WAN interface where the source address is an Internet Service but the services are only available as destination address. I can't trick the firewall by reversing the rule so I'm running out of ideas. In CLI I can apply the service but it only applies as destination address. Is it even possible to use Internet Services as source?
The firewall is FortiGate 201E running v5.6.5.
Thanks.
Hi Stefan.
Can you clarify or provide more details on what you are trying to do? Sounds like what you want is a port forward from outside (Internet side) directed to a port (and IP) on the inside behind your fgt.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
My customer is running their incoming email through Office 365 before sending it to locally hosted servers. The local servers have virtual IPs configured and I have a policy configured with source 'all' and the protocols needed. However, the customer wants me to restrict the source to be Microsoft servers instead of anyone, since all mail will source from Office 365 and there shouldn't be anyone else communicating on these protocols.
According to the subreddit post from a year ago, it doesn't look like you can set the source to "internet service". Though there are suggested workarounds and/or going the extra mile to craft IP group/FQDN lists.
https://www.reddit.com/r/...u0g/o365_to_fortigate/
And of course there will be hardcoded limits in the number of firewall objects.
http://help.fortinet.com/fgt/56/max-values/5-6-5/max-values.html
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I guess adding the addresses and/or FQDNs by scripting as suggested by the reddit post would be possible, but keeping them up to date would be a tedious job. Unnecessary as well, since the addresses are kept up to date dynamically in FortiGate, only I can't use them as I would like.
Maybe I'll raise the question to TAC just for the record.
Thanks Dave.
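The scripted workaround discussed in this post, as an added example (not code from the thread or from Fortinet): it turns a list of source ranges into FortiOS `config firewall address` and `config firewall addrgrp` CLI text for use as the policy source. The CIDRs are constructed documentation ranges, and the object prefix, group name and `max_members` value are assumptions; take the real limit from the max-values table for your model.

```python
import ipaddress

# Constructed sample input (documentation ranges, not real Office 365 addresses).
SAMPLE_CIDRS = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the previous range, merges into one /24
    "192.0.2.0/24",        # duplicate
    "203.0.113.16/28",
    "2001:db8::/32",       # IPv6, skipped because the policy is IPv4
]

def fortios_address_config(cidrs, group="O365-SMTP-SRC", prefix="O365-",
                           max_members=None):
    """Return FortiOS CLI defining one address object per IPv4 range plus a group.

    group, prefix and max_members are hypothetical names/limits for illustration.
    """
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        if net.version == 4:
            nets.append(net)
    # Deduplicate and merge adjacent ranges to stay under object-count limits.
    nets = list(ipaddress.collapse_addresses(nets))
    if not nets:
        raise ValueError("no IPv4 ranges to write")
    if max_members is not None and len(nets) > max_members:
        raise ValueError(f"{len(nets)} ranges exceed group limit {max_members}")

    # '/' is avoided in object names, so 192.0.2.0/24 becomes O365-192.0.2.0_24.
    names = [f"{prefix}{n.network_address}_{n.prefixlen}" for n in nets]
    lines = ["config firewall address"]
    for name, net in zip(names, nets):
        lines += [f'    edit "{name}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines += ["end",
              "config firewall addrgrp",
              f'    edit "{group}"',
              "        set member " + " ".join(f'"{n}"' for n in names),
              "    next",
              "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(fortios_address_config(SAMPLE_CIDRS, max_members=300))
```

Review the generated text before pasting it into the CLI, and regenerate it whenever the published ranges change, since a stale group silently drops mail from new sender addresses.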
You can now use internet services as the source with 6.0. Unfortunately not all internet services can be used, as only a few of them have the direction as both (most can only be used for destination).
Office365 is not one of them you can use for source.
