Support Forum
reneaksess
New Contributor

SQL traffic inside an IPSEC tunnel

Hi all,

I'm using a FortiGate 92D with the latest image, 5.4.

I connect my clients with FortiClient using IPsec.

This all works; I narrowed down in my rules who can connect and to what.

But I want to allow only SMB (found that) and SQL traffic to a named instance on a SQL 2012 R2 server.

As long as I use the ALL services rule it works, but I would like to limit it to SMB and SQL.

Which services and ports are we talking about?

Rene

1 Solution
ede_pfau
Esteemed Contributor III

hi,

You find the ports used for the various SQL Server services in this article, "Configure the Windows Firewall to Allow SQL Server Access", here: https://msdn.microsoft.com/de-de/library/cc646023%28v=sql.110%29.aspx (sorry, the "insert link" button is greyed out).

Define each port/protocol combo as a custom service and group them in a custom service group, to use in the policy. SMB or "Windows AD" is always needed additionally.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
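A worked FortiOS 5.4 CLI configuration following the steps in Ede's answer (one custom service per port/protocol pair, a service group, and a policy that uses the group instead of ALL). This is an added example, not configuration from the thread or from Fortinet; the object names, the server address 10.10.20.25, the client pool object, the tunnel interface name "FCT-IPSEC" and the named-instance port 49200 are constructed placeholders. The 1433/tcp (default instance) and 1434/udp (SQL Server Browser) ports are the ones listed in the Microsoft article Ede cites; a named instance listens on whatever static port you configure for it in SQL Server Configuration Manager.

```fortios
# Added example (not from the thread): FortiOS 5.4-style CLI for the
# service objects, service group and policy described in the answer.
# Names, addresses and the named-instance port are constructed placeholders.

# 1. One custom service per port/protocol pair.
config firewall service custom
    edit "MSSQL-Default-1433-TCP"
        set comment "Default instance or any instance pinned to 1433"
        set tcp-portrange 1433
    next
    edit "MSSQL-Browser-1434-UDP"
        set comment "SQL Server Browser: tells clients which port a named instance uses"
        set udp-portrange 1434
    next
    edit "MSSQL-NamedInstance-49200-TCP"
        set comment "Assumed static port set on the named instance (dynamic ports disabled)"
        set tcp-portrange 49200
    next
end

# 2. Group them together with the built-in SMB service for use in the policy.
config firewall service group
    edit "SQL-Server-Access"
        set member "MSSQL-Default-1433-TCP" "MSSQL-Browser-1434-UDP" "MSSQL-NamedInstance-49200-TCP" "SMB"
    next
end

# 3. Address object for the SQL host (constructed address).
config firewall address
    edit "SQL-SERVER-2012"
        set subnet 10.10.20.25 255.255.255.255
    next
end

# 4. Policy from the dialup IPsec tunnel interface to the server.
#    "FCT-IPSEC" is the assumed phase1 name of the FortiClient tunnel and
#    "VPN-Client-Pool" the assumed address object for the client IP range.
#    Only the service group is allowed; logging shows what gets matched.
config firewall policy
    edit 0
        set name "VPN-to-SQL"
        set srcintf "FCT-IPSEC"
        set dstintf "internal"
        set srcaddr "VPN-Client-Pool"
        set dstaddr "SQL-SERVER-2012"
        set action accept
        set schedule "always"
        set service "SQL-Server-Access"
        set logtraffic all
    next
end
```

Policies are evaluated top-down, so this policy must sit above (or replace) the existing ALL-services policy for the same source and destination, otherwise the broad policy keeps matching first and the restriction has no effect. If the named instance still uses dynamic ports, the 49200 entry will not match after the next service restart; set a fixed TCP port on the instance first, then mirror that port in the custom service.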

emnoc
Esteemed Contributor III

And the CLI cmd diag debug flow is your friend if anything fails, and it would also help to show you which service is being matched or allowed or denied.

PCNSE 

NSE 

StrongSwan  

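A worked debug flow session for the situation emnoc describes (checking which policy a client's SQL connection hits and why it is allowed or denied). This is an added example, not commands from the thread; the server address 10.10.20.25 is a constructed placeholder, and the command syntax is the FortiOS 5.4 form.

```fortios
# Added example (not from the thread): trace a VPN client's connection to
# the SQL server through the policy engine. 10.10.20.25 is a constructed
# placeholder for the SQL host.

# Start from a clean state.
diagnose debug reset
diagnose debug flow filter clear

# Only trace TCP packets to the SQL host on 1433 (proto 6 = TCP).
# Use "dport 49200" (or the static port you chose) for a named instance.
diagnose debug flow filter daddr 10.10.20.25
diagnose debug flow filter dport 1433
diagnose debug flow filter proto 6

# Print the trace to the console; trace the next 20 matching packets.
# (5.4 syntax; newer FortiOS uses "show function-name enable" instead.)
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable

# Now have the user reconnect with FortiClient and open the SQL connection.
# Lines to look for in the output:
#   "Allowed by Policy-<id>:"           the policy with that ID matched;
#                                       check it is the SQL policy, not ALL
#   "Denied by forward policy check"    no policy allowed it: wrong service,
#                                       port, or source/destination object
#   "iprope_in_check() check failed"    dropped at ingress before any policy

# Stop tracing and clear the filter when done.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

The policy ID printed in "Allowed by Policy-<id>" is the one shown in the policy list; if it is the ALL-services policy rather than the restricted one, the restricted policy is either below it or does not match the client's source address or interface.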
sysadm
New Contributor

reneaksess

 

Be aware that certain MS SQL configurations do not use fixed ports, so you need to dig into the MSSQL documentation on how to configure a fixed port for the service.

my .02

regards

emnoc
Esteemed Contributor III

I never heard of that, but 1433/tcp is the de facto MS-SQL port unless you change it. The netstat -an on the target host will also indicate the listener for that service.

Ken

 

PCNSE 

NSE 

StrongSwan  

ede_pfau
Esteemed Contributor III

@last_3_posts:

that's all in the cited paper: 1433/tcp, 1434/tcp, 1433/udp, dynamic ports included, with instructions on how to make them static.


Ede

"Kernel panic: Aiee, killing interrupt handler!"