- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Which is more secure—Services and/or Address—for w...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which is more secure—Services and/or Address—for whitelist Policy?
I am trying to poke a hole to allow Spotify. I managed to set two services in a new policy, which was successful:
TCP/UDP/SCTP
78.31.8.0-78.31.15.255
TCP 4070
TCP/UDP/SCTP
193.182.8.0-193.182.15.255
TCP 4070
In the policy's Destination field, do I need to limit the Destination to the same address ranges to be safe? I'm confused as to whether specifying an IP range in the Service makes specifying a destination unnecessary. Thanks.
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Dan,
Sorry for the confusion. I was simply suggesting that IF you intended to create a separate policy for Spotify traffic, you can do two things.
[ol]The reason I believe #2 to be superior is because it's easier to understand when you're looking at the policy listings and will probably help avoid confusion for you or others down the road. The IP restriction doesn't show up in the tooltip for a service, so you might want to make sure to include it in the comments for that service.
You certainly can do #1 and it will work great, or you could do #3: use IP restrictions in BOTH the service and destination addresses, but that's just redundant and maybe more likely to cause confusion.
Finally, I'll say that if you weren't wanting to create a separate policy but maybe to just add the Spotify service to an existing general outbound policy, then you should do what you were planning in #1.
Thanks - Daniel
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Dan,
Nice username, ha! Welcome to the forums. Specifying the IP/FQDN in the service does make specifying the destination in a policy unnecessary.
If you're creating a policy specifically for Spotify, I would remove the destination in the service definition and add it as destination addresses. Where it comes in handy to add it in the service is if you have a policy to allow general outbound traffic (destination "all") and you want to bundle something like this with it.
For example we do not allow outbound DNS traffic from user workstations (they must use our local DNS) with the exception of 8.8.8.8 for the occasional test nslookup. So I created a special Google-DNS service with UDP 53 and destination 8.8.8.8 and bundled it with my StandardOutboundPorts service group to attach to most of our policies.
Hope this helps. - Daniel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lobstercreed wrote:Many thanks for your reply. I'm new at this, and not a network engineer.Hey Dan,
Nice username, ha! Welcome to the forums. Specifying the IP/FQDN in the service does make specifying the destination in a policy unnecessary.
If you're creating a policy specifically for Spotify, I would remove the destination in the service definition and add it as destination addresses. Where it comes in handy to add it in the service is if you have a policy to allow general outbound traffic (destination "all") and you want to bundle something like this with it.
For example we do not allow outbound DNS traffic from user workstations (they must use our local DNS) with the exception of 8.8.8.8 for the occasional test nslookup. So I created a special Google-DNS service with UDP 53 and destination 8.8.8.8 and bundled it with my StandardOutboundPorts service group to attach to most of our policies.
Hope this helps. - Daniel
Let me see if I understand: If I want a specific Spotify policy, I should make Addresses instead (to be instantiated in the DESTINATION field, and remove the Services), right?
Unless I'm wrong (I'm no longer in front of it, so I can't check) I don't recall being able to specify TCP ports in Addresses, which could spell trouble. I'll give it a shot first thing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Dan,
Sorry for the confusion. I was simply suggesting that IF you intended to create a separate policy for Spotify traffic, you can do two things.
[ol]The reason I believe #2 to be superior is because it's easier to understand when you're looking at the policy listings and will probably help avoid confusion for you or others down the road. The IP restriction doesn't show up in the tooltip for a service, so you might want to make sure to include it in the comments for that service.
You certainly can do #1 and it will work great, or you could do #3: use IP restrictions in BOTH the service and destination addresses, but that's just redundant and maybe more likely to cause confusion.
Finally, I'll say that if you weren't wanting to create a separate policy but maybe to just add the Spotify service to an existing general outbound policy, then you should do what you were planning in #1.
Thanks - Daniel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Daniel,
Thanks again, I get it now. That all makes sense. Tomorrow I'll weigh whether I want to roll it into a general whitelist policy or keep it separate for flexibility. I think you're right about #2, though. A bit visually cleaner. Much appreciated.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Suggestion, why not use application control? Spotify falls into video/music and should be easily id . This would be the most secure way to control the application.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good morning.
I wondered about Application Control and I'd be glad of any wisdom about configuring it. Please tell me if I'm doing this right: I duplicated the Default profile, found Spotify, added it to the Application and Filter Overrides and set it to ALLOW. Now I have to turn on this profile in my whitelist policy.
I'm a one-man corporation, so I don't need apps to be blocked per se... I trust myself implicitly, so if I'm imposing overly-Draconian measures, that wouldn't be necessary.
Is that all I should have to do? If I enable App Control, do I also need to hold onto the IP and Port-based rules or are they obviated? So far, I've learned a ton on this forum in one day. Many thanks.
Dan
Related Posts
- FortiClient VPN permission error on MacOS 456 Views
- Reputable websites FortiGate 137 Views
- ztna 246 Views
- Unrated IP blocked by webfilter 441 Views
- DMZ or IP Whitelisting 472 Views
Labels
-
FortiGate
6,610 -
FortiClient
1,318 -
5.2
801 -
5.4
639 -
FortiManager
572 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
339 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
248 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
103 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
74 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
26 -
SD-WAN
26 -
FortiConnect
24 -
High Availability
22 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiPortal
18 -
FortiAuthenticator
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.