bakershack
Please Help - Policies

I have set up my FortiGate 60F (FW 6.4.3) on our small office network. I created a Full Access policy that basically allows everything (but still filters for AV, WEB, APP, IPS, SSL) and have created several explicit policies for HTTP/HTTPS, NTP, DNS, SNMP/PING out (but not in), a pinhole for a specific ODBC message we need, and a policy I call Explicitly Allowed Apps for Microsoft, Google, Apple, and other FortiGuard apps in their database.
Full Access is checked LAST, right before IMPLICIT DENY.
My intention is to identify and allow all good traffic explicitly, and then disable Full Access once that's done. That's where my question comes in.
There are a few things that are legitimate, still allowed only through the Full Access policy:

- UDP/443 access to some client sites

- SSL_TLSv1.2 access to legitimate sites

- ISAKMP application is being used as well

- DTLS

- QUIC

- RTCP

- STUN
What is the best way to explicitly allow this traffic safely? I don't want to limit the access to just one site - those apps/protocols may legitimately be used in the same way for other legitimate web sites. Is it OK to just allow all ISAKMP, TLSv1.2, etc. traffic for any of the listed applications? We do NOT want to get draconian in our policies, limiting our users to a very limited number of allowable sites. We just want to protect our network.
TIA for your help.

Kelly
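The procedure the post describes (enumerate what still matches the catch-all policy, then write explicit policies for it before disabling the catch-all) is usually driven from the FortiGate forward-traffic logs. The script below is an added example, not code from the post or from Fortinet: it parses FortiOS traffic-log lines in their key=value syslog format, keeps only sessions accepted by the catch-all policy, and groups them per detected application with the services and destinations seen. The sample log lines are constructed for this example (the field names follow the FortiOS traffic log; the IPs, policy IDs and the policy names "Full Access" and "HTTP-HTTPS out" are assumptions), and the per-application notes are the example author's own, not FortiGuard data.

```python
"""Inventory the traffic a FortiGate catch-all policy is still accepting.

Added example, not from the original forum post. Reads FortiOS forward-traffic
log lines (key=value syslog format), keeps sessions that the catch-all policy
accepted, and groups them per application so explicit policies can be written
to replace the catch-all before it is disabled.
"""
import re
from collections import defaultdict

# Policy name assumed from the post; adjust to the real catch-all name.
CATCHALL_POLICY = "Full Access"

# Constructed sample lines in FortiOS traffic-log format. Field names follow
# FortiOS; IPs, ports, policy IDs and the second policy name are made up.
SAMPLE_LOGS = """\
date=2021-01-05 time=09:12:01 type="traffic" subtype="forward" srcip=192.168.1.21 srcport=50122 srcintf="internal" dstip=142.250.72.4 dstport=443 dstintf="wan1" proto=17 action="accept" policyid=9 policyname="Full Access" service="UDP/443" app="QUIC" appcat="Network.Service"
date=2021-01-05 time=09:12:05 type="traffic" subtype="forward" srcip=192.168.1.21 srcport=50123 srcintf="internal" dstip=142.250.72.4 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=2 policyname="HTTP-HTTPS out" service="HTTPS" app="Google.Services" appcat="General.Interest"
date=2021-01-05 time=09:13:40 type="traffic" subtype="forward" srcip=192.168.1.35 srcport=500 srcintf="internal" dstip=203.0.113.10 dstport=500 dstintf="wan1" proto=17 action="accept" policyid=9 policyname="Full Access" service="IKE" app="ISAKMP" appcat="Network.Service"
date=2021-01-05 time=09:14:02 type="traffic" subtype="forward" srcip=192.168.1.35 srcport=61000 srcintf="internal" dstip=198.51.100.7 dstport=3478 dstintf="wan1" proto=17 action="accept" policyid=9 policyname="Full Access" service="UDP/3478" app="STUN" appcat="Network.Service"
date=2021-01-05 time=09:14:03 type="traffic" subtype="forward" srcip=192.168.1.35 srcport=61001 srcintf="internal" dstip=198.51.100.7 dstport=3479 dstintf="wan1" proto=17 action="accept" policyid=9 policyname="Full Access" service="UDP/3479" app="STUN" appcat="Network.Service"
date=2021-01-05 time=09:15:11 type="traffic" subtype="forward" srcip=192.168.1.40 srcport=44444 srcintf="internal" dstip=192.0.2.55 dstport=4433 dstintf="wan1" proto=17 action="accept" policyid=9 policyname="Full Access" service="UDP/4433" app="DTLS" appcat="Network.Service"
date=2021-01-05 time=09:16:00 type="traffic" subtype="forward" srcip=192.168.1.40 srcport=44445 srcintf="internal" dstip=192.0.2.99 dstport=443 dstintf="wan1" proto=17 action="deny" policyid=0 policyname="" service="UDP/443" app="" appcat=""
"""

# Example author's own notes on why these applications need more than a
# plain "allow" (assumptions about typical deployments, not FortiGuard data).
INSPECTION_NOTES = {
    "QUIC": "HTTP/3 over UDP; TCP-style SSL inspection does not see inside it, "
            "and blocking it makes browsers fall back to TCP/443 TLS",
    "DTLS": "encrypted UDP; app control can identify but not inspect it",
    "ISAKMP": "IKE key exchange for IPsec; normally pinned to the hosts that run a VPN client",
    "STUN": "NAT traversal for VoIP/WebRTC; usually needs a destination port range, not a single port",
}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one FortiOS key=value log line into a dict with quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def catchall_inventory(log_text, catchall=CATCHALL_POLICY):
    """Group sessions accepted by the catch-all policy by detected application.

    Returns {app: {"sessions": n, "proto": [...], "services": [...], "dst": [...]}}
    with the lists sorted so the output is stable. Denied sessions and sessions
    that an explicit policy already matched are ignored.
    """
    inv = defaultdict(lambda: {"sessions": 0, "proto": set(), "services": set(), "dst": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("type") != "traffic" or rec.get("action") != "accept":
            continue
        if rec.get("policyname") != catchall:
            continue
        app = rec.get("app") or "(unidentified)"
        entry = inv[app]
        entry["sessions"] += 1
        entry["proto"].add(rec.get("proto", "?"))
        entry["services"].add(rec.get("service", "?"))
        entry["dst"].add(f'{rec.get("dstip", "?")}:{rec.get("dstport", "?")}')
    return {
        app: {"sessions": e["sessions"], "proto": sorted(e["proto"]),
              "services": sorted(e["services"]), "dst": sorted(e["dst"])}
        for app, e in inv.items()
    }


def report(inv):
    """Render the inventory as text, one application per line plus its note."""
    lines = []
    for app, e in sorted(inv.items()):
        lines.append(
            f"{app:14} sessions={e['sessions']:3} proto={','.join(e['proto'])} "
            f"services={','.join(e['services'])} dst={','.join(e['dst'])}"
        )
        note = INSPECTION_NOTES.get(app)
        if note:
            lines.append(f"{'':14} note: {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(catchall_inventory(SAMPLE_LOGS)))
```

Run it against a day of exported traffic logs (filtered to the catch-all policy ID) rather than the constructed sample; anything that appears in the inventory is what the explicit policies must cover, and anything that appears only under "(unidentified)" is where application control could not name the traffic and a service/port-based rule is the only option.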