Restrict Internet Access with Fortigate 60 Router

Posted on 2008-10-17
Last Modified: 2012-08-13
Fortigate 60 Routers are used throughout our WAN.  We have approximately 15 computers on the LAN side of each Fortigate at 5 different locations.  Users have begun to abuse their freedom to access the internet and we need to limit their access.  We currently have a domain server that all users must reach in order to complete their work.  We use Terminal Services on the Server and Remote Desktop Connection to reach it from the clients.  This is the only internet traffic that we must allow.  Can we restrict all other traffic by utilizing controls offered by the Fortigate 60?
Question by:baleman2
LVL 32

Expert Comment

ID: 22751456
You can configure firewall policy depending on which ports/protocols need to be allowed.

Let's say you want to allow remote desktop on HTTP as well as through the RDP-client [default: TCP 3389]; further all other traffic anywhere on the internet including HTTPS/FTP etc traffic must be blocked; then we configure the policy as below:
Go to Firewall > Policy; click New; under Source Interface/Zone set it to "Internal"; in source address set it to "all"; under destination Interface/Zone set it to "External"; we would configure different destination address, service and action as listed below; schedule "Always"

Policy 1 -- this policy allows access to remote server on HTTP
Destination address: here you can specify the server IP address(es) one by one or you can first add a firewall address and then select them from the drop-down list; service would be HTTP; Action would be ACCEPT

Policy 2 -- this policy allows access to remote server on TCP 3389 port [default port for RDP]
Here again, destination address would be as above; service would be a custom service for TCP protocol on port 3389 which you should have added earlier; and Action would be ACCEPT.

Policy 3 -- this policy denies all other traffic
Here destination address would be "all"; service would be "ANY"; action would be DENY.

Please let know if you need more details.

Thank you.

Author Comment

ID: 22752253
Do these policies cover all "outgoing" traffic to the server and allow "incoming" traffic from the Server?  
As remote administrator I use Remote Desktop Connection to "take" control of client PCs on occasion in order to do support work.  I have policies set up in the Fortigate now to allow this.  However, each of the PCs on the LAN has been configured (via modification of the System Registry) to "listen" on different ports, i.e., 3390, 3391, 3392, etc.  That way, I have a different RDC connection, etc. for each client PC I need to reach.   Having already done this, haven't I already satisfied the requirements of Policy 2?
LVL 32

Accepted Solution

dpk_wal earned 500 total points
ID: 22752513
These are only outgoing services; all corresponding traffic would be allowed in without need of any incoming service. An incoming service is only needed if there would be any traffic that originates from the server side to the client side [which I doubt would happen; per your original comment clients always initiate the connection to the server].

You are correct; policy 2's condition is already configured by you.

Now you need to have the third policy in place; please note the policy ordering is very important as the policies are applied from top to bottom; so we should have the policy order as:
policy 1
policy 2
policy 3

So, policy 1 and 2 would allow the HTTP and TCP traffic first; and then policy 3 would deny any further traffic.

Thank you.
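For reference, here is the FortiOS CLI equivalent of the three GUI policies described in the answers above (address object, custom RDP service, and the ordered accept/accept/deny policies). This is an added example, not part of dpk_wal's answer or a Fortinet document. It assumes the LAN interface is named "internal", the Internet interface is "wan1", and the Terminal Services host is 203.0.113.10 (a constructed documentation address); interface names and some keywords differ between FortiOS versions, so check `show system interface` on your own unit before applying.

```fortios
# Added example: CLI form of the three outbound policies from the thread.
# Assumed names: LAN interface "internal", Internet interface "wan1",
# server address 203.0.113.10 (constructed placeholder, replace with yours).

# Firewall address object for the server every client must reach
config firewall address
    edit "ts_server"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Custom service for RDP on its default port, TCP 3389
# (on older FortiOS "set protocol TCP" is required; newer builds infer it)
config firewall service custom
    edit "RDP-3389"
        set protocol TCP
        set tcp-portrange 3389
    next
end

# Policies are matched top to bottom and the first match wins,
# so both ACCEPT policies must sit above the catch-all DENY.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "ts_server"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "ts_server"
        set action accept
        set schedule "always"
        set service "RDP-3389"
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ANY"
    next
end
```

Two things to verify after entering this: `show firewall policy` lists policies in the order they are evaluated, which is not necessarily by ID, and `move 3 after 2` inside `config firewall policy` fixes the order if the deny landed above the accepts. A FortiGate also applies an implicit deny after the last policy for an interface pair, so policy 3 mainly makes the block explicit and gives you a policy to attach logging to when you want to see which users are still trying to reach other sites. The functional check from a LAN PC is simple: RDP to the server connects, and a browser to any other site does not.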

Author Closing Comment

ID: 31507136
Thanks, dpk_wal.  Your solution worked perfectly!!!!
LVL 32

Expert Comment

ID: 22754638
Happy I could be of assistance! :)
