Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Please Help - Policies

I have set up my Fortigate 60F (FW 6.4.3) on our small office network.  I created a Full Access policy that basically allows everything (but still filters for AV, WEB, APP, IPS, SSL) and have created several explicit policies for HTTP/HTTPS, NTP, DNS, SNMP/PING out (but not in), a pinhole for a specific ODBC message we need, and a policy I call Explicitly Allowed Apps for Microsoft, Google, Apple, and other FortiGuard apps in their database.


Full Access is checked LAST, right before IMPLICIT DENY.


My intention is to identify and allow all good traffic explicitly, and then disable Full Access once that's done.  That's where my question comes in.  


There are a few things that are legitimate, still allowed only through the Full Access policy:

- UDP/443 access to some client sites

- SSL_TLSv1.2 access to legitimate sites

- ISAKMP application is being used as well






What is the best way to explicitly allow this traffic safely?  I don't want to limit the access to just one site - those apps/protocols may legitimately be used in the same way for other legitimate web sites.  Is it OK to just allow all ISAKMP, TLSv1.2, etc. traffic for any of the listed applications?  We do NOT want to get draconian in our policies, limiting our users to a very limited number of allowable sites.  We just want to protect our network.


TIA for your help.





Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors