Support Forum
mumbles202
New Contributor II

Quick Question Regarding Policies

Trying to correctly understand a firewall policy and ensure it is in fact correct. Currently have an Exchange server that needs to have port 25 limited to a few external IPs, and then port 80/443 should be open to all. Is the correct way to create a rule (WAN to LAN) from the IPs that should have access to the virtual IP of the server w/ port 25 specified as both the external and internal port specified there and w/ the service of any in the policy. And then another policy w/ the same for 80/443. Or should the service still be reflective of the ports that should be open? I currently see a policy that has a destination of just the VIP address w/ the service set to any. Just want to make sure this is in fact correct. And I would create the reciprocal policy on the outbound (LAN to WAN) to allow SMTP from the Exchange server back to those IPs correct if all mail should go through them?
rwdorman
New Contributor III

I'm assuming that the external servers are a SPAM service of some sort where you also relay all external mail? To keep things easy, I would create the VIP with all ports mapped and then in the security policy something like this... this is the style I would use and there are several ways to accomplish this:

WAN -> LAN: source all/any, destination <exchange server-VIP>, service HTTP, HTTPS
WAN -> LAN: source <allowed external smtp server>, destination <exchange server-VIP>, service SMTP
LAN -> WAN: source <exchange-server-VIP>, destination <allowed_external_smtp>, service SMTP

You could define each external SMTP server in the single rule or create an object group. The policy that you have right now, with all services open, is very dangerous, esp to a windows box.

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
mumbles202
New Contributor II

Thanks for the reply Ryan. So to specify how the rules are currently set up:

ExchangeVIP25: External IP AA.BB.CC.DD, Mapped IP 10.10.10.15, Port Forwarding checked, TCP, External Service Port 25, Map to Port 25
ExchangeVIP80: External IP AA.BB.CC.DD, Mapped IP 10.10.10.15, Port Forwarding checked, TCP, External Service Port 80, Map to Port 80

Then a WAN --> LAN policy as follows:
Source <allowed external>, destination <ExchangeVIP25>, service any
Source all/any, destination ExchangeVIP80, service any

Then LAN --> WAN:
Source <ExchangeVIP25>, destination any, service smtp

That didn't look correct to me but wanted to make sure.
rwdorman
New Contributor III

When I'm doing these I like to keep as few places to check as possible. As long as it is a one to one mapping of VIP to host you can leave Port Forwarding unchecked and then handle the allow/deny in the security policy. Just a style thing, it also allows you to only have to define one VIP that you then allow in multiple rules. The only time you really need the port forwarding check box is if you would have a single external VIP where depending upon the destination port number you wanted it to go to a different inside host. Like you'd have internet.company.com where if you browsed on 80 it would go to your webserver but if you ssh'd it would go to another server (not the web server).

If you went this way, you'd then change your WAN -> LAN to:
Source -> SingleExchange VIP -> service SMTP
All -> SingleExchange VIP -> Service HTTP/HTTPS

LAN -> WAN (I screwed this up in my previous reply):
Exchange Internal IP -> Any -> Service SMTP

The mere presence of the VIP will translate the outbound traffic.

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
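The single-VIP layout described in the reply above, written out as FortiOS CLI. This is an added example, not rwdorman's or Fortinet's own configuration: the interface names wan1 and internal, the object names, the external address 203.0.113.10 and the relay addresses in 198.51.100.0/24 are all made-up placeholders (the mapped IP 10.10.10.15 is the one from the thread). The security-relevant point is that with a VIP that maps all ports, the service field on the policy is the only thing limiting exposure, so "service ALL" on such a VIP exposes every listening port on the Windows host; each policy below names exactly the services it should pass, and the SMTP policy only admits the relay group. The outbound policy keeps the relay group as destination, which is what the question asks for (the reply allows "Any" there, which is also valid); NAT is enabled on it so the VIP's external address is used as the source for the Exchange host's outbound mail.

```text
# Address objects for the permitted external SMTP relays (constructed placeholder IPs)
config firewall address
    edit "smtp_relay_1"
        set subnet 198.51.100.5 255.255.255.255
    next
    edit "smtp_relay_2"
        set subnet 198.51.100.6 255.255.255.255
    next
    edit "exchange_internal"
        set subnet 10.10.10.15 255.255.255.255
    next
end

# Group them so one object is referenced from both policies
config firewall addrgrp
    edit "allowed_smtp_relays"
        set member "smtp_relay_1" "smtp_relay_2"
    next
end

# One VIP, no port forwarding: all ports are mapped, so the policies decide what is reachable
config firewall vip
    edit "ExchangeVIP"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.10.10.15"
    next
end

config firewall policy
    # Inbound SMTP only from the relay group
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "allowed_smtp_relays"
        set dstaddr "ExchangeVIP"
        set action accept
        set schedule "always"
        set service "SMTP"
        set logtraffic all
    next
    # Inbound web (OWA/ActiveSync) from anywhere, nothing else
    edit 11
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "ExchangeVIP"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    # Outbound mail from the Exchange host's internal address to the relays only;
    # NAT enabled so the VIP's external IP is used as the source
    edit 12
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "exchange_internal"
        set dstaddr "allowed_smtp_relays"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set logtraffic all
    next
end
```

Policies are matched top-down, so the two VIP policies need to sit above any broader WAN-to-LAN rule. A quick check after applying this is to confirm from an address outside the relay group that 25/tcp to the external IP is refused while 443/tcp still answers, and to verify in the traffic log that only policies 10 through 12 are carrying the server's sessions.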
MikePruett
Valued Contributor

I would suggest throwing the mail server on the DMZ side as well but the other guys did an excellent job covering the policy portion.
Mike Pruett Fortinet GURU | Fortinet Training Videos