So here's the scenario I find myself in that I want to find a solution to.
RDS Gateway inside the network, with a NAT'd IP on the external interface, via central NAT.
I'd like to drop all traffic that attempts to connect to the RDS gateway external IP, except for a specific list of IP addresses.
Is this possible, and if so, how do I craft a policy (or policies) that would allow this?
My first thought is to create an address group of allowed IPs, add in address objects as the IPs for the allowed sources, then create one policy that blocks all traffic, and then create a higher policy that allows traffic from the address group.
I'm just not sure how I would configure the incoming/outgoing interfaces in the policy, since I'm trying to limit traffic to the external interface NAT address.
Hi @BeerAdmin ,
I think you need a basic allow policy from WAN to the LAN port where the 'RDS Gateway' connects.
In this policy you will add that "specific list of IP addresses" which will be allowed to access the server. These can be address objects you will create.
Copyright 2025 Fortinet, Inc. All Rights Reserved.