Our current firewall only accepts email from our cloud spam service, which is a specific IP range over port 25. To accomplish this on the 300D, do I need to create a VIP with the interface being (external), the external static IP address of the firewall, mapped to the internal IP of the Exchange server, with port forwarding on port 25? Then add a source address filter and put the cloud service IP range there to complete the VIP.
After the VIP is complete, then an IPv4 policy.
A VIP is a virtual IP. It can be any IP, and it doesn't need to exist on any interface.
With that said, in your case, create a VIP with the external IP you want to use, enable port forwarding for TCP port 25, and set the internal IP to the mailserver address.
Create an address object that contains the IP-range that you want to allow.
Create a firewall policy with source interface wan-interface/zone, and the source address set to your address object containing the IP-range. Set the destination interface to the interface/zone pointing to your internal mailserver, and the destination address to your VIP.
There is no need to use the source filter in the VIP. In my opinion, it is better if you keep all the filtering in the policies instead. At least, it gets clearer if you can see everything you filter on.
Do as you wish. If you filter source IP in the VIP, the firewall policy should have the source address set to "all".
Richie
NSE7
Richie covered it perfectly.
Also, be certain to only do it for the ports necessary and not the whole IP. That can hurt you if you are trying to access the device remotely, etc.
Mike Pruett
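The three steps Richie describes, with the port-only forwarding Mike recommends, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread; the object names, the interface names (wan1, internal) and all addresses are constructed placeholders from documentation ranges, to be replaced with your own values.

```fortios
# 1. VIP: forward only TCP/25 on the external IP to the mail server.
#    No source filter on the VIP; filtering is done in the policy.
config firewall vip
    edit "vip-smtp-in"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedip "192.168.1.20"
        set mappedport 25
    next
end

# 2. Address object holding the cloud spam service's IP range.
config firewall address
    edit "cloud-spam-range"
        set type iprange
        set start-ip 198.51.100.1
        set end-ip 198.51.100.30
    next
end

# 3. Policy: only the spam service range may reach the VIP, SMTP only.
config firewall policy
    edit 0
        set name "smtp-from-cloud-spam"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "cloud-spam-range"
        set dstaddr "vip-smtp-in"
        set action accept
        set schedule "always"
        set service "SMTP"
        set logtraffic all
    next
end
```

With `logtraffic all` on the policy, accepted SMTP sessions are logged against this policy, which makes it easy to confirm that only the spam service range is reaching the mail server.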