I'm trying to configure an IPv4 policy on the WAN interface where the source address is an Internet Service but the services are only available as destination address. I can't trick the firewall by reversing the rule so I'm running out of ideas. In CLI I can apply the service but it only applies as destination address. Is it even possible to use Internet Services as source?
The firewall is FortiGate 201E running v5.6.5.
Thanks.
Hi Stefan.
Can you clarify or provide more details on what you are trying to do? Sounds like what you want is a port forward from outside (Internet side) directed to a port (and IP) on the inside behind your fgt.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
My customer is running their incoming email through Office 365 before sending it to locally hosted servers. The local servers have virtual IPs configured and I have a policy configured with source 'all' and the protocols needed. However the customer wants me to restrict the source to be Microsoft servers instead of anyone since all mail will source from Office 365 and there shouldn't be anyone else communicating on these protocols.
According to the subreddit post from a year ago, it doesn't look like you can set the source to "internet service". Though there are suggested workarounds and/or going the extra mile to craft IP group/FQDN lists.
https://www.reddit.com/r/...u0g/o365_to_fortigate/
And of course there will be hardcoded limits in the number of firewall objects.
http://help.fortinet.com/fgt/56/max-values/5-6-5/max-values.html
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I guess adding the addresses and/or fqdns by scripting as suggested by the reddit post would be possible but keeping them up to date would be a tedious job. Unnecessary as well since the addresses are kept up to date dynamically in Fortigate, only I can't use them as I would like.
Maybe I'll raise the question to TAC just for the record.
Thanks Dave.
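As an added example (not code from either poster or from Fortinet), here is what the scripted approach from the Reddit suggestion looks like when kept maintainable: parse the Microsoft 365 endpoint feed, keep only the Exchange prefixes that carry SMTP, render FortiOS address objects plus an address group that the VIP policy can use as its source, and diff two runs so a scheduled job can report what changed. The JSON below is a constructed sample in the shape of the public endpoint web service, not real data; the FortiOS CLI form (`config firewall address` / `config firewall addrgrp`) is from my own knowledge and should be checked against the CLI reference for your firmware, and `max_objects` is a caller-supplied guard, not the firewall's real limit, which lives in the max-values table for your model.

```python
"""Build a FortiGate address group for Office 365 SMTP sources (added example)."""
import ipaddress
import json

# Constructed sample shaped like the Microsoft 365 endpoint web service
# (https://endpoints.office.com/endpoints/worldwide). Illustrative entries only.
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 8, "serviceArea": "Exchange", "urls": ["*.mail.protection.outlook.com"],
     "ips": ["40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "2a01:111:f400::/48"],
     "tcpPorts": "25", "category": "Allow", "required": True},
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
     "ips": ["13.107.6.152/31", "2603:1006::/40"],
     "tcpPorts": "80,443", "category": "Optimize", "required": True},
    {"id": 31, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22"], "tcpPorts": "80,443", "category": "Optimize", "required": True},
])


def select_prefixes(endpoints_json, service_area="Exchange", tcp_port=25):
    """Return sorted IPv4 prefixes for entries in service_area that list tcp_port."""
    prefixes = set()
    for entry in json.loads(endpoints_json):
        if entry.get("serviceArea") != service_area:
            continue
        ports = {int(p) for p in entry.get("tcpPorts", "").split(",") if p.strip()}
        if tcp_port not in ports:
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:  # this is an IPv4 policy, so IPv6 prefixes are skipped
                prefixes.add(net)
    return sorted(prefixes)


def render_fortigate_cli(prefixes, group_name="o365-exchange-smtp", max_objects=500):
    """Emit FortiOS CLI: one address object per prefix plus one address group.

    max_objects is an assumed, caller-chosen guard so a grown feed does not push
    the box past its per-model object limit; check the real limit for your model.
    """
    if len(prefixes) > max_objects:
        raise ValueError(f"{len(prefixes)} prefixes exceed the configured limit of {max_objects}")
    names = [f"{group_name}-{i:03d}" for i in range(1, len(prefixes) + 1)]
    lines = ["config firewall address"]
    for name, net in zip(names, prefixes):
        lines += [f'    edit "{name}"', f"        set subnet {net.with_prefixlen}", "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group_name}"',
              "        set member " + " ".join(f'"{n}"' for n in names), "    next", "end"]
    return "\n".join(lines)


def changed_prefixes(old, new):
    """Diff two prefix lists so a scheduled run can report additions and removals."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


if __name__ == "__main__":
    current = select_prefixes(SAMPLE_ENDPOINTS_JSON)
    print(render_fortigate_cli(current))
```

The resulting group is then referenced as the source address of the VIP policy in place of `all`; re-running the script on a schedule and acting on `changed_prefixes` is the part that keeps the list current, which is the maintenance burden Stefan describes.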
You can now use internet services as the source with 6.0. Unfortunately not all internet services can be used, as only a few of them have the direction as both (most can only be used for destination).
Office365 is not one of them you can use for source.