Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Lamster
New Contributor

Created on ‎11-07-2018 08:06 AM

Internet Service as source

I'm trying to configure an IPv4 policy on the WAN interface where the source address is an Internet Service  but the services are only available as destination address. I can't trick the firewall by reversing the rule so I'm running out of ideas. In CLI I can apply the service but it only applies as destination address. Is it even possible to use Internet Services as source? 

 

The firewall is FortiGate 201E running v5.6.5.

 

Thanks.

7662
0 Kudos
5 REPLIES 5
Dave_Hall
Honored Contributor

Created on ‎11-07-2018 09:41 AM

Hi Stefan.

 

Can you clarify or provide more details on what you are trying to do.  Sounds like what you want is a port forward from outside (Internet side) directed to port (and IP) on the inside behind your fgt.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
3487
0 Kudos
Lamster
New Contributor
In response to Dave_Hall

Created on ‎11-07-2018 10:22 AM

My customer is running their incoming email through Office 365 before sending it to locally hosted servers. The local servers have virtual IPs configured and I have a policy configured with source 'all' and the protocols needed. However the customer wants me to restrict the source to be Microsoft servers instead of anyone since all mail will source from Office 365 and there shouldn't be anyone else communicating on these protocols. 

3489
0 Kudos
Dave_Hall
Honored Contributor
In response to Lamster

Created on ‎11-07-2018 02:21 PM

According to the sub reddit post from a year ago, it doesn't look like you can set the source to "internet service".  Though there is suggestive workarounds and/or going the extra mile to craft IP group/FQDN lists.  

 

https://www.reddit.com/r/...u0g/o365_to_fortigate/

 

And of course there will be hardcoded limits in the number of firewall objects.

http://help.fortinet.com/fgt/56/max-values/5-6-5/max-values.html

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
3489
0 Kudos
Lamster
New Contributor
In response to Dave_Hall

Created on ‎11-08-2018 11:55 PM

I guess adding the addresses and/or fqdns by scripting as suggested by the reddit post would be possible but keeping them up to date would be a tedious job. Unnecessary as well since the addresses are kept up to date dynamically in Fortigate, only I can't use them as I would like.

 

Maybe I'll raise the question to TAC just for the record.

 

Thanks Dave.

3488
0 Kudos
neonbit
Valued Contributor
In response to Lamster

Created on ‎11-09-2018 02:07 AM

You can now use internet services as the source with 6.0. Unfortunately not all internet services can be used, as only a few of them have the direction as both (most can only be used for destination).

 

Office365 is not one of them you can use for source.

3488
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.