Whitelist Pentester IP Addresses
Hi,
My company is currently carrying out external pen testing on our servers, and it was found that the nmap scan was blocked by FortiGate UTM. Is it possible to whitelist the IP addresses used by the pen testers? If so, where should I whitelist those IP addresses?
Thank you.
Labels: FortiGate
Accepted solution:
I suggest creating a firewall policy above the others that allows traffic where the source is the pentesters' IP or network and the destination is all the (tested) port forwards, either one by one or as members of a single group of port forwards (virtual IPs); the latter can be used for other purposes too and can be updated more conveniently in the future if a new port forward is added. Another way is to use the "Exempt IP" feature inside the IPS profile, but that will only work for the IPS then and not for other security profiles possibly used in the port forwards' firewall rules.
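The policy the accepted solution describes, written out as FortiOS CLI. This is an added example, not part of the original post and not Fortinet's own documentation. Everything named in it is an assumption: the tester range 203.0.113.0/28, the interfaces wan1 and dmz, the VIP names vip-web-443 and vip-mail-25 (assumed to exist already), the policy ID 100, the schedule dates, and the "default" IPS sensor. Lines starting with # are explanatory comments, not commands to type.

```fortios
# Source object for the pentesters' public range (assumed value; use the range they give you)
config firewall address
    edit "pentester-src"
        set subnet 203.0.113.0 255.255.255.240
    next
end

# Time-box the exemption to the engagement window (assumed dates), so it stops matching by itself
config firewall schedule onetime
    edit "pentest-window"
        set start 08:00 2022/05/23
        set end 18:00 2022/05/27
    next
end

# Group the tested port forwards; the two VIPs are assumed to exist already.
# Adding a new port forward to the scope later means adding one member here, nothing else.
config firewall vipgrp
    edit "pentest-scope-vips"
        set interface "wan1"
        set member "vip-web-443" "vip-mail-25"
    next
end

# Allow policy with no security profiles attached, so nothing inspects the scan from this
# one source. ID 100 is assumed unused. Logging is on so the engagement leaves an audit trail.
config firewall policy
    edit 100
        set name "pentest-allow"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "pentester-src"
        set dstaddr "pentest-scope-vips"
        set action accept
        set schedule "pentest-window"
        set service "ALL"
        set logtraffic all
        set comments "Temporary pentest exemption"
    next
    # Policies are matched top-down; put it above the first existing policy (ID 1 assumed)
    move 100 before 1
end

# Alternative from the post: exempt the source only inside the IPS sensor that the existing
# port-forward policies use ("default" and its entry 1 assumed). AV, web filter or other
# profiles on those policies still inspect this source.
config ips sensor
    edit "default"
        config entries
            edit 1
                config exempt-ip
                    edit 1
                        set src-ip 203.0.113.0 255.255.255.240
                        set dst-ip 0.0.0.0 0.0.0.0
                    next
                end
            next
        end
    next
end
```

Two caveats worth keeping in mind: the first match wins, so the exemption policy only works while it sits above the UTM-inspected port-forward policies, and it should be disabled or deleted once the engagement ends even with the one-time schedule in place. Also record in the test report that the scan ran with UTM bypassed for the tester source, since the findings then describe the servers rather than the FortiGate in front of them.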

Created on 05-19-2022 08:46 AM
Hello @mhrth ,
Thank you for posting to the Fortinet Community Forum.
Can you confirm if you have a policy in place that is blocking this traffic?
Can you try to run a sniffer and see if the traffic is reaching the FortiGate?
Go to the CLI and enter the following command to run the sniffer:
> diagnose sniffer packet any 'host <Public_IP_address_of_tester>' 4 0 l
If you run the test and see output from the sniffer above, that means the traffic is reaching the FortiGate.
Thereafter, run a packet capture to confirm where the traffic is getting blocked:
> diagnose debug flow filter addr <Public_IP_address_of_tester>
> diagnose debug flow trace start 9999
> diagnose debug enable
Run the test again and gather the output.
Please share the output for the above and I can guide you to the next step.
If you have found the solution, then please share it with the Fortinet Community users.
You can also use this link for reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Let us know if this helps.
Thanks
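The two-step check from the reply above as one complete sequence, including the cleanup the reply leaves out. This is an added example, not the original poster's commands; the tester address 203.0.113.5 is an assumed value standing in for the placeholder. Lines starting with # are comments, not commands.

```fortios
# Step 1: confirm the packets arrive at all.
# "any" = all interfaces, 4 = headers plus interface name, 0 = no packet limit, l = local timestamps
diagnose sniffer packet any 'host 203.0.113.5' 4 0 l

# Step 2: trace the forwarding decision for that source only. Clearing old filters first
# matters; a stale filter from an earlier session silently hides the traffic you want.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 203.0.113.5
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 9999
diagnose debug enable

# ... have the tester repeat the scan now ...

# Step 3: stop and clean up. Debug flow keeps consuming CPU until it is stopped.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

In the trace, a line ending in "Denied by forward policy check (policy 0)" means no firewall policy matched and the implicit deny dropped the scan, while a line naming a policy ID tells you which policy (and therefore which security profiles) the traffic actually hit. If the packet is dropped before any policy lookup appears, look at the DoS policy, as the last reply in this thread suggests.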
Check your FortiGate's IPv4 DoS Policy
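Why the DoS policy matters here: a port scan is exactly what the tcp_port_scan and udp_scan anomalies detect, and DoS policies are applied before the firewall policies, so an allow policy for the tester source does nothing if a DoS policy has already dropped the packets. Below is an added example (not from the reply above or from Fortinet) of a DoS policy that matches only the tester source and disables the scan-related anomalies. The range 203.0.113.0/28, interface wan1, policy ID 10 and the existing general DoS policy ID 1 are assumptions. Lines starting with # are comments.

```fortios
# Source object for the tester range (assumed value)
config firewall address
    edit "pentester-src"
        set subnet 203.0.113.0 255.255.255.240
    next
end

# DoS policy scoped to the tester source, with the anomalies a scan trips turned off.
# ID 10 is assumed unused. Anomalies not listed keep their defaults; check that their
# action is "pass" in this policy so it behaves as a plain exemption.
config firewall DoS-policy
    edit 10
        set comments "Pentest exemption, remove after engagement"
        set interface "wan1"
        set srcaddr "pentester-src"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_port_scan"
                set status disable
            next
            edit "udp_scan"
                set status disable
            next
            edit "tcp_src_session"
                set status disable
            next
            edit "ip_src_session"
                set status disable
            next
        end
    next
    # DoS policies are also matched top-down; it must precede the general wan1 policy (ID 1 assumed)
    move 10 before 1
end
```

Keep the general DoS policy for wan1 unchanged underneath it; the point is to exempt one known source, not to loosen scan detection for everyone during the engagement.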
