slarabee
New Contributor

Firewall Policies Not Applying Properly to VIP (Fortigate 100A)

Hello All,

I have a Fortigate 100A (yeah, I know it's old, but it is in great shape with low hours on it). Firmware Version: Fortigate-100A 3.00,build0247,060417

 

I have a virtual IP set up to allow access to our mail server on the inside and created Firewall policies to allow SMTP traffic to pass through to the email server inside IP.

 

The only problem is that no matter what I do it will not work unless I add TCP to the list of services in the policy and that opens up all the ports. I have tried everything I can to set deny rules etc... but nothing works.

 

Really need some guidance on this one as I come from Cisco and I am trying to get a handle on what is happening with the firewall policies and why I cannot seem to open ports selectively.

 

I tried to reorder them, putting the restrictive policies at the top or the bottom of the list, but nothing seems to work.

 

Thanks in advance.

 

Sean

slarabee
New Contributor

I ended up finding the solution.

 

When setting up Custom Service ports under Services in the Firewall tab, you need to make sure that you set the source port to High 1 Low 65535 and then set the destination port to whatever you desire to allow through the firewall (in my case ports 26 and 587).

 

I hope this helps anyone else running into the same issue.

 

Sean

ede_pfau
SuperUser

hi,

and welcome to the forums.

 

Usually, for a specific forwarding like this, you would use a port forwarding VIP. This opens one port only, not the 'service' choice in the policy.

A VIP is twofold: 1) a destination NAT and 2) an ARP proxy. The FGT will react to connection attempts on those forwarded ports only. If you need multiple ports, create one VIP for each and put them into a VIP group, which you then use in a policy 'wan' -> 'internal'. Best practice: if you can, use port forwarding VIPs to minimize the attack surface. Note that you cannot test a pfVIP (new word!) with 'ping' (obviously).

 

Getting a DENY policy to work in presence of a VIP policy is not straightforward. You can find an interesting thread here in the forum. But I don't think that this is the source of your problem.

 

Which then leads to my question: could you please post the VIP definition and the corresponding policy (text, from the CLI, if possible)? I don't quite understand what you mean with 'adding TCP' as SMTP already is a TCP protocol. We'll see.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
slarabee

Ede,

 

Thank you for your reply and the info.

 

I just meant that when I created the firewall policy, my custom services would not work unless I added TCP to the services in the policy, and that TCP service opens all of the TCP ports up wide. That would be helpful if the Fortigate was already behind a firewall and you wanted to open everything up between your LANs, but not so good if you are WAN facing like in my situation. The failure was happening because I was creating the custom services wrong.

 

I am in the middle of about 3 deployments right now and so slammed, but when I get time I will post a little more detail about how I configure it all.

 

Thanks again,

 

Sean

slarabee

Ede,

My config is pretty straight forward:

 

I have DUAL WAN connections both serving the office for redundancy.

I have an internal Exchange Server. It serves POP3, IMAP, SMTP, OWA and also VPN Exchange connections.

 

I created VIPs for both external IP addresses of the email server mapping to the same internal IP Address.

 

I then created Custom Services for the alt smtp ports 26 and 587. Port 25 is used by only our spam filtering service as all inbound mail goes through their server first. So my Exchange Connection Control is limited to port 25 connections only from their servers.

 

I then created Service Groups (under Firewall > Services):

1. SpamFilter - SMTP
2. POP3Users - SMTP-26, SMTP-587, IMAP, POP3, HTTPS

 

I then created Firewall Policies:

 

wan -> internal

ID   SRC          Dest                Sched    Service            Action
7    all          Enterprise Wan 2    always   POP3_Users         ACCEPT
3    SpamFilter   Enterprise Wan 2    always   SpamFilter_Ports   ACCEPT

 

Also, to further lock down SMTP 25 to my spam filter service's server, I created an Address Group with only the Spam Filter server's IP Addresses in it, and set that in the Source of that policy.

 

I ran port scans and test connects on everything and it is locked down so I think I am good.

 

The only issue I was having was that I had set the Custom Service ports up incorrectly, once I fixed that everything worked as it should.

 

Thanks again for your insights.

 

Sean
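The setup Sean describes above, combined with the port-forwarding VIP approach Ede recommends in his first reply, written out as FortiOS CLI. This is an added example, not configuration posted by either of them: every address, interface and object name is a placeholder (192.0.2.5 on wan1 for one public address of the mail server, 10.0.0.25 for the Exchange host, 203.0.113.10 for the spam-filtering relay), the second WAN address and the IMAP/POP3/HTTPS VIPs are omitted and follow the same pattern, and the syntax is the FortiOS 3.0/4.0-era CLI (`tcp-portrange <dst>:<src>`, `firewall vipgrp`), which should be checked against `show` output on the exact build before use. The comment about a narrowed source range is an assumption about the mistake behind the thread; the posts only say the custom service was "set up incorrectly".

```fortios
# Added example, not config from the posts. Assumed placeholders:
#   wan1 / 192.0.2.5       public address of the mail server
#   internal / 10.0.0.25   Exchange host
#   203.0.113.10           spam-filtering service's outbound relay
# Syntax follows the FortiOS 3.0/4.0-era CLI; verify with "show" on the box.

# 1. Only the spam filter may talk to port 25.
config firewall address
    edit "SpamFilter_1"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall addrgrp
    edit "SpamFilter"
        set member "SpamFilter_1"
    next
end

# 2. Custom services, written <destination range>:<source range>.
#    The destination is the port being opened; the SOURCE range must stay
#    1-65535 because clients connect from random ephemeral ports. A service
#    whose source range is narrowed to 26-26 matches practically nothing,
#    which would leave only the catch-all "TCP" service "working" (assumed).
config firewall service custom
    edit "SMTP-26"
        set protocol TCP
        set tcp-portrange 26-26:1-65535
    next
    edit "SMTP-587"
        set protocol TCP
        set tcp-portrange 587-587:1-65535
    next
end
config firewall service group
    edit "SpamFilter_Ports"
        set member "SMTP"
    next
    edit "POP3_Users"
        set member "SMTP-26" "SMTP-587" "IMAP" "POP3" "HTTPS"
    next
end

# 3. Port-forwarding VIPs, one per port, instead of a 1:1 VIP, so the
#    FortiGate answers on these ports only (Ede's "pfVIP"). Repeat for
#    110, 143, 443 and for the second WAN address in the same way.
config firewall vip
    edit "Mail_wan1_25"
        set extintf "wan1"
        set extip 192.0.2.5
        set mappedip 10.0.0.25
        set portforward enable
        set extport 25
        set mappedport 25
    next
    edit "Mail_wan1_26"
        set extintf "wan1"
        set extip 192.0.2.5
        set mappedip 10.0.0.25
        set portforward enable
        set extport 26
        set mappedport 26
    next
    edit "Mail_wan1_587"
        set extintf "wan1"
        set extip 192.0.2.5
        set mappedip 10.0.0.25
        set portforward enable
        set extport 587
        set mappedport 587
    next
end
config firewall vipgrp
    edit "Mail_wan1_Users"
        set interface "wan1"
        set member "Mail_wan1_26" "Mail_wan1_587"
    next
end

# 4. Policies. The service column still limits ports even though the VIPs
#    already restrict what the FortiGate accepts; everything else is
#    dropped by the implicit deny, so no explicit DENY policy is needed.
config firewall policy
    edit 3
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "SpamFilter"
        set dstaddr "Mail_wan1_25"
        set action accept
        set schedule "always"
        set service "SpamFilter_Ports"
    next
    edit 7
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Mail_wan1_Users"
        set action accept
        set schedule "always"
        set service "POP3_Users"
    next
end
```

The two layers are deliberate: the port-forwarding VIP decides which ports the FortiGate will even proxy-ARP for and translate, and the policy's service restricts what is then allowed through, so a later mistake in one layer (for example a VIP accidentally switched back to 1:1) is still caught by the other. After applying it, a scan of the public address from outside should show only 25 (from the spam filter's address), 26 and 587 open on that WAN interface.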

 

ede_pfau

Thanks for the details, you're welcome anytime.


Ede

"Kernel panic: Aiee, killing interrupt handler!"