Restrict Internet Access with Fortigate 60 Router

Posted on 2008-10-17
Last Modified: 2012-08-13
Fortigate 60 Routers are used throughout our WAN.  We have approximately 15 computers on the LAN side of each Fortigate at 5 different locations.  Users have begun to abuse their freedom to access the internet and we need to limit their access.  We currently have a domain server that all users must reach in order to complete their work.  We use Terminal Services on the Server and Remote Desktop Connection to reach it from the clients.  This is the only internet traffic that we must allow.  Can we restrict all other traffic by utilizing controls offered by the Fortigate 60?
Question by:baleman2

Expert Comment

ID: 22751456
You can configure firewall policy depending on which ports/protocols need to be allowed.

Let's say you want to allow remote desktop over HTTP as well as through the RDP client [default: TCP 3389]; further, all other traffic anywhere on the internet, including HTTPS/FTP etc., must be blocked. Then we configure the policies as below:
Go to Firewall > Policy and click New. Under Source Interface/Zone set "Internal"; under source address set "all"; under Destination Interface/Zone set "External"; schedule "Always". The destination address, service and action differ per policy, as listed below.

Policy 1 -- this policy allows access to remote server on HTTP
Destination address: here you can specify the server IP address(es) one by one or you can first add a firewall address and then select them from the drop-down list; service would be HTTP; Action would be ACCEPT

Policy 2 -- this policy allows access to remote server on TCP 3389 port [default port for RDP]
Here again, destination address would be as above; service would be a custom service for TCP protocol on port 3389 which you should have added earlier; and Action would be ACCEPT.

Policy 3 -- this policy denies all other traffic
Here destination address would be "all"; service would be "ANY"; action would be DENY.

Please let know if you need more details.

Thank you.

Author Comment

ID: 22752253
Do these policies cover all "outgoing" traffic to the server and allow "incoming" traffic from the Server?  
As remote administrator I use Remote Desktop Connection to "take" control of client PCs on occasion in order to do support work.  I have policies set up in the Fortigate now to allow this.  However, each of the PCs on the LAN has been configured (via modification of the System Registry) to "listen" on a different port, i.e., 3390, 3391, 3392, etc.  That way, I have a different RDC connection, etc. for each client PC I need to reach.   Having already done this, haven't I already satisfied the requirements of Policy 2?

Accepted Solution

dpk_wal earned 500 total points
ID: 22752513
These are only outgoing services; all corresponding return traffic would be allowed in without the need for any incoming service. An incoming service is only needed if there would be any traffic generated from the server side to the client side [which I doubt would happen; per your original comment clients always initiate the connection to the server].

You are correct; the condition of policy 2 is already configured by you.

Now you need to have the third policy in place; please note that policy ordering is very important, as the policies are applied from top to bottom, so we should have the policy order as:
policy 1
policy 2
policy 3

So, policy 1 and 2 would allow the HTTP and TCP traffic first; and then policy 3 would deny any further traffic.

Thank you.
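The three policies from the first expert comment, in the order the accepted solution insists on, as a FortiOS CLI script. This is an added example, not configuration posted by either participant. It assumes the Terminal Services server is 203.0.113.10 (a documentation address standing in for the real one), that the LAN and WAN interfaces carry the FortiGate 60 default names "internal" and "wan1" (the GUI calls these Internal/External), and FortiOS 4.x/5.x keyword syntax; the any-service object is named "ANY" on older builds and "ALL" on newer ones, so check `show firewall policy` on the unit's own firmware before pasting.

```fortios
# Added example, not from the thread. Assumptions: server 203.0.113.10,
# interfaces "internal" (LAN) and "wan1" (internet), FortiOS 4.x/5.x syntax.

config firewall address
    edit "TS-Server"
        set subnet 203.0.113.10 255.255.255.255
    next
end

config firewall service custom
    edit "RDP-3389"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 3389
    next
end

config firewall policy
    # Policy 1: clients -> server, HTTP only
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "TS-Server"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    # Policy 2: clients -> server, RDP on the default port only
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "TS-Server"
        set action accept
        set schedule "always"
        set service "RDP-3389"
    next
    # Policy 3: everything else from the LAN to the internet is dropped.
    # A FortiGate already has an implicit deny below the last policy; the
    # explicit one is here so blocked attempts appear in the traffic log.
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policies match top-down and the first match wins. A policy created
    # later lands below earlier ones, but if the deny was created first it
    # sits above the accepts and blocks the server too; move it to the bottom.
    move 3 after 2
end
```

Two checks before declaring it done. First, the FortiGate is stateful: the server's replies to connections opened under policies 1 and 2 ride the existing session (visible in `diagnose sys session list`), so no wan1-to-internal policy is needed for them, and the administrator's existing inbound policies for ports 3390, 3391, ... are untouched because policy 3 only covers internal-to-wan1. Second, policy 3 also blocks DNS: if clients reach the server by hostname rather than by IP, add an accept for the DNS service to the resolver they use above the deny, otherwise name resolution fails and the RDP connection never gets as far as policy 2.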

Author Closing Comment

ID: 31507136
Thanks, dpk_wal.  Your solution worked perfectly!!!!

Expert Comment

ID: 22754638
Happy I could be of assistance! :)
