Viggen73
New Contributor

Newbie on FortiOS 6.4.5

Hi, I'm new to FortiOS 6.4.5 and I've been asked to block internet access from a group of PCs on our network.

Attached is the policy, the address group and the address.

What am I missing here?

2 Solutions
Toshi_Esumi
SuperUser

Did you place the deny policy at the top above the others with the same interface pair (src to dst)?

lobstercreed

I would also say you need to change the service from "Web Access" to "ALL"

5 REPLIES
Viggen73

Thanks to both. Had to change to all and move it to the top. It's working perfectly. 

Viggen73

Hi again. Now I've got a new nuance... Been asked to block web access but allow POP and SMTP. If I use all, will it also block e-mail functions?

ppalace86

Hi,

The 'ALL' service will block access to all ports.

Add a new policy copying the one attached, allowing the 'Email Access' service (which will contain all relevant email ports), or, if you wanted to explicitly allow POP3/POP3S and SMTP/SMTPS, you can select these services individually. Remember you will also need DNS if you are selecting individual services.

Remove the 'ALL' service and change Action to 'Allow' instead of 'Deny'.

Ensure the new policy is above your blocking Internet access policy.
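
The resulting policy pair as a FortiOS CLI sketch. This is an added example, not taken from the posts or the attached screenshots. The interface names (`internal`, `wan1`), the address group name (`Blocked-PCs`), the policy names, the policy IDs (10, 11) and the NAT setting are assumptions; the service names are FortiOS predefined services.

```fortios
# Constructed example: policy IDs, names, interfaces and the address
# group are placeholders. Substitute the values from your own unit.
config firewall policy
    # Allow rule: only the mail protocols plus DNS for name resolution.
    edit 11
        set name "Blocked-PCs-Email"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Blocked-PCs"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "POP3" "POP3S" "SMTP" "SMTPS"
        # Assumption: outbound traffic is source-NATed on this unit.
        set nat enable
    next
    # Deny rule: service ALL, so no other port is left open
    # (a deny on "Web Access" alone only covers the web ports).
    edit 10
        set name "Blocked-PCs-Deny"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Blocked-PCs"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        # Log denied sessions so blocked attempts are visible.
        set logtraffic all
    next
    # Policies are evaluated top-down, first match wins:
    # the allow rule must sit above the deny rule.
    move 11 before 10
end
```

Both rules must also sit above any broader allow policy for the same interface pair, otherwise that policy matches first and the deny is never reached.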
