I have set up my Fortigate 60F (FW 6.4.3) on our small office network. I created a Full Access policy that basically allows everything (but still filters for AV, WEB, APP, IPS, SSL) and have created several explicit policies for HTTP/HTTPS, NTP, DNS, SNMP/PING out (but not in), a pinhole for a specific ODBC message we need, and a policy I call Explicitly Allowed Apps for Microsoft, Google, Apple, and other FortiGuard apps in their database.
Full Access is checked LAST, right before IMPLICIT DENY.
My intention is to identify and allow all good traffic explicitly, and then disable Full Access once that's done. That's where my question comes in.
There are a few things that are legitimate, still allowed only through the Full Access policy:
- UDP/443 access to some client sites
- SSL_TLSv1.2 access to legitimate sites
- ISAKMP application is being used as well
- DTLS
- QUIC
- RTCP
- STUN
What is the best way to explicitly allow this traffic safely? I don't want to limit the access to just one site - those apps/protocols may legitimately be used in the same way for other legitimate web sites. Is it OK to just allow all ISAKMP, TLSv1.2, etc. traffic for any of the listed applications? We do NOT want to get draconian in our policies, limiting our users to a very limited number of allowable sites. We just want to protect our network.
TIA for your help.
Kelly
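A way to support the plan described above (identify what still only the catch-all admits, then write explicit policies for it) is to inventory the FortiGate traffic logs by application, service and protocol for sessions that matched the "Full Access" policy. The script below is an added example, not code from the original post or from Fortinet; the log lines are constructed for illustration and use the key=value field names FortiOS traffic logs carry (`policyname`, `app`, `service`, `proto`, `dstip`, `action`), which assumes application control with session logging is enabled on the policy as the post describes. The report shows, per app, how many sessions were seen and how many distinct destinations, which is the information needed to decide whether an app can be allowed to any destination or should be pinned to a few hosts.

```python
"""Inventory of sessions that only the catch-all firewall policy admitted.

Parses FortiGate traffic logs in key=value format and groups accepted
sessions that matched a given policy (e.g. the "Full Access" catch-all) by
application, service and IP protocol, so the missing explicit policies can
be written before the catch-all is disabled.
"""
import re
from collections import defaultdict

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines (not real traffic); field names follow the
# FortiOS traffic-log format, values are made up.
SAMPLE_LOGS = [
    'date=2024-05-01 time=09:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 srcport=51234 '
    'dstip=142.250.72.14 dstport=443 proto=17 action="accept" policyid=10 policyname="Full Access" '
    'service="udp/443" app="QUIC" appcat="Network.Service"',
    'date=2024-05-01 time=09:00:04 type="traffic" subtype="forward" srcip=10.0.0.7 srcport=51240 '
    'dstip=172.217.1.46 dstport=443 proto=17 action="accept" policyid=10 policyname="Full Access" '
    'service="udp/443" app="QUIC" appcat="Network.Service"',
    'date=2024-05-01 time=09:00:09 type="traffic" subtype="forward" srcip=10.0.0.9 srcport=50001 '
    'dstip=52.112.10.5 dstport=3478 proto=17 action="accept" policyid=10 policyname="Full Access" '
    'service="udp/3478" app="STUN" appcat="Network.Service"',
    'date=2024-05-01 time=09:00:12 type="traffic" subtype="forward" srcip=10.0.0.5 srcport=500 '
    'dstip=203.0.113.10 dstport=500 proto=17 action="accept" policyid=10 policyname="Full Access" '
    'service="IKE" app="ISAKMP" appcat="Network.Service"',
    'date=2024-05-01 time=09:00:15 type="traffic" subtype="forward" srcip=10.0.0.11 srcport=40022 '
    'dstip=198.51.100.7 dstport=443 proto=17 action="accept" policyid=10 policyname="Full Access" '
    'service="udp/443" app="DTLS" appcat="Network.Service"',
    # Matched an explicit policy already: must not appear in the inventory.
    'date=2024-05-01 time=09:00:20 type="traffic" subtype="forward" srcip=10.0.0.5 srcport=51300 '
    'dstip=93.184.216.34 dstport=443 proto=6 action="accept" policyid=3 policyname="HTTPS out" '
    'service="HTTPS" app="HTTPS.BROWSER" appcat="Web.Client"',
    # Denied by the implicit deny: not an "accept", so ignored as well.
    'date=2024-05-01 time=09:00:25 type="traffic" subtype="forward" srcip=198.51.100.99 srcport=4000 '
    'dstip=10.0.0.1 dstport=161 proto=17 action="deny" policyid=0 policyname="Implicit Deny" '
    'service="SNMP"',
    'date=2024-05-01 time=09:00:30 type="traffic" subtype="forward" srcip=10.0.0.5 srcport=51310 '
    'dstip=142.250.72.14 dstport=443 proto=17 action="accept" policyid=10 policyname="Full Access" '
    'service="udp/443" app="QUIC" appcat="Network.Service"',
]


def parse_log_line(line):
    """Return a dict of the key=value fields in one FortiGate log line."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def catch_all_inventory(lines, policy_name="Full Access"):
    """Group accepted traffic sessions that matched `policy_name`.

    Returns {(app, service, proto): {"sessions": count, "dst": {dstip, ...}}}.
    Sessions with no identified app are grouped under "unknown".
    """
    inventory = defaultdict(lambda: {"sessions": 0, "dst": set()})
    for line in lines:
        f = parse_log_line(line)
        if f.get("type") != "traffic" or f.get("action") != "accept":
            continue
        if f.get("policyname") != policy_name:
            continue
        key = (f.get("app", "unknown"), f.get("service", "?"), f.get("proto", "?"))
        entry = inventory[key]
        entry["sessions"] += 1
        entry["dst"].add(f.get("dstip", "?"))
    return dict(inventory)


def report(inventory):
    """Render the inventory as text lines, busiest app first."""
    rows = sorted(inventory.items(), key=lambda kv: -kv[1]["sessions"])
    return [
        f"{app:<10} {service:<10} proto={proto:<3} sessions={e['sessions']:<4} distinct_dst={len(e['dst'])}"
        for (app, service, proto), e in rows
    ]


if __name__ == "__main__":
    for row in report(catch_all_inventory(SAMPLE_LOGS)):
        print(row)
```

With real logs, feed the lines from a log export (or a syslog collector) to `catch_all_inventory`; an app that turns up with many distinct destinations (QUIC and DTLS typically do) is a candidate for an application-control entry that is allowed to any destination, while one that always goes to the same one or two hosts (an ISAKMP peer, a STUN server) can be pinned to an address object in its own policy. Once the inventory is empty for a period you consider representative, the catch-all can be disabled.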