I need some clarification on the best way to do this. Our company has a policy that servers do not get Internet access, except to a list of permitted websites. This works well when the Destination object is an FQDN with a couple of IP addresses behind it, but it falls down when the destination is hosted in a cloud like AWS. I believe the FortiGate fails to get the full list of IPs that could be behind a given FQDN and traffic is randomly dropped at times.
We opened a ticket with support in the past and the recommend solution was to use a Web Filters instead, but this opens an entirely new set of issues. If I have a web filter with everything set to deny, except for a list of allowed URLS, processing of firewall policies stop at the policy with the web filter defined, and the server gets the Blocked by Fortigate Screen. What I would like is for the firewall to treat that policy as a no match and continue down the list of policies.
I'd prefer not to have one massive web filter for every external website. I'd like it to be granular and have one policy with a web filter to allow access to AV Updates, another policy with web filter for access to the SIEM, etc.
What is the best way to achieve this?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @jokes54321
not completely sure what update servers are on your list, if some well known like Apple's / Microsoft's update services or some very custom ones.
But you might give it a shot and read a bit about Internet Services database and how to use such objects in policies.
More on that subject on : https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/849970/internet-services
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi Tom,
I appreciate the response. I tested policies using the Internet Services as a destination and the success with them has been hit or miss. A good example would be Rapid7. We're in process of deploying it now and I was happy to see an Internet Service for them, however the agents failed to install with this policy in place. It took setting up a packet capture and analyzing the DNS queries, then subsequent requests, to find the resource that couldn't be reached.
I'll research them in more depth as I do see them as a great benefit. Does anyone know if Fortinet has a portal that requests can be submitted to for ISDB updates? In the Rapid7 example above, I believe they need to add amazontrust.com so the agent install succeeds.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1546 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.