Restrict Internet Access with Fortigate 60 Router

Posted on 2008-10-17
Medium Priority
Last Modified: 2012-08-13
Fortigate 60 Routers are used throughout our WAN.  We have approximately 15 computers on the LAN side of each Fortigate at 5 different locations.  Users have begun to abuse their freedom to access the internet and we need to limit their access.  We currently have a domain server that all users must reach in order to complete their work.  We use Terminal Services on the Server and Remote Desktop Connection to reach it from the clients.  This is the only internet traffic that we must allow.  Can we restrict all other traffic by utilizing controls offered by the Fortigate 60?
Question by:baleman2

Expert Comment

ID: 22751456
You can configure firewall policy depending on which ports/protocols need to be allowed.

Let's say you want to allow remote desktop on HTTP as well as through the RDP-client [default: TCP 3389]; further all other traffic anywhere on the internet including HTTPS/FTP etc traffic must be blocked; then we configure the policy as below:
Go to Firewall > Policy; click New; under Source Interface/Zone set it to "Internal"; in source address set it to "all"; under destination Interface/Zone set it to "External"; we would configure different destination address, service and action as listed below; schedule "Always"

Policy 1 -- this policy allows access to remote server on HTTP
Destination address: here you can specify the server IP address(es) one by one or you can first add a firewall address and then select them from the drop-down list; service would be HTTP; Action would be ACCEPT

Policy 2 -- this policy allows access to remote server on TCP 3389 port [default port for RDP]
Here again, destination address would be as above; service would be a custom service for TCP protocol on port 3389 which you should have added earlier; and Action would be ACCEPT.

Policy 3 -- this policy denies all other traffic
Here destination address would be "all"; service would be "ANY"; action would be DENY.

Please let know if you need more details.

Thank you.

Author Comment

ID: 22752253
Do these policies cover all "outgoing" traffic to the server and allow "incoming" traffic from the Server?  
As remote administrator I use Remote Desktop Connection to "take" control of client PCs on occasion in order to do support work.  I have policies set up in the Fortigate now to allow this.  However, each of the PCs on the LAN has been configured (via modification of the System Registry) to "listen" on a different port, i.e., 3390, 3391, 3392, etc.  That way, I have a different RDC connection xxx.xxx.xxx.xxx:3390, etc. for each client PC I need to reach.   Having already done this, haven't I already satisfied the requirements of Policy 2?

Accepted Solution

dpk_wal earned 2000 total points
ID: 22752513
These are only outgoing services; all corresponding traffic would be allowed in without need of any incoming service. An incoming service is only needed if there would be any traffic that is generated from the server side to the client side [which I doubt would happen; per your original comment, clients always initiate the connection to the server].

You are correct; policy 2's condition is already configured by you.

Now you need to have the third policy in place; please note that the policy ordering is very important, as the policies are applied from top to bottom; so we should have the policy order as:
policy 1
policy 2
policy 3

So, policy 1 and 2 would allow the HTTP and TCP traffic first; and then policy 3 would deny any further traffic.

Thank you.
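The three policies described in the first expert comment, in the order the accepted solution insists on, written out as an added CLI example rather than the GUI steps the thread actually used. This is not configuration from the thread or from Fortinet; the server address 203.0.113.10, the address-object name TS_Server, the service name RDP_3389 and the interface names "internal"/"external" are assumptions (check the real interface names with `show system interface`), and the syntax is the FortiOS 3.x/4.x-era CLI a 2008 FortiGate-60 would have run, so it should be checked against the unit's own version (later releases renamed the "ANY" service to "ALL" and the service protocol keyword to TCP/UDP/SCTP).

```fortios
# Added example, not from the original thread. Assumed values: server
# 203.0.113.10, LAN interface "internal", WAN interface "external".
# Lines beginning with # are comments for the reader.

# Firewall address object for the Terminal Services host
config firewall address
    edit "TS_Server"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Custom service for RDP on its default port (FortiOS 3.x/4.x syntax)
config firewall service custom
    edit "RDP_3389"
        set protocol TCP/UDP
        set tcp-portrange 3389
    next
end

config firewall policy
    # Policy 1: LAN -> server, HTTP only
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "TS_Server"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    # Policy 2: LAN -> server, TCP 3389 only
    edit 2
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "TS_Server"
        set action accept
        set schedule "always"
        set service "RDP_3389"
    next
    # Policy 3: everything else from the LAN to the Internet is dropped.
    # Logging the denies shows which applications users were still using.
    edit 3
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end
```

Policies are matched top to bottom on the first hit, so the deny must stay below the two accepts; if it ends up above them, `move 3 after 2` inside `config firewall policy` fixes the order without re-entering anything. The stateful session table lets the server's replies back in through policies 1 and 2, so no reverse (external -> internal) policy is needed for those, and the separate external -> internal policies the author already has for reaching client PCs on 3390, 3391, etc. are not touched by these three rules. One caveat a practitioner would check before closing the ticket: policy 3 also drops DNS, so if the clients reach the server by hostname through an Internet resolver, either resolve it locally or add an accept for UDP/TCP 53 to that resolver above the deny.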

Author Closing Comment

ID: 31507136
Thanks, dpk wal.  Your solution worked perfectly!!!!

Expert Comment

ID: 22754638
Happy I could be of assistance! :)
