
Restrict Internet Access with Fortigate 60 Router

Fortigate 60 Routers are used throughout our WAN.  We have approximately 15 computers on the LAN side of each Fortigate at 5 different locations.  Users have begun to abuse their freedom to access the internet and we need to limit their access.  We currently have a domain server that all users must reach in order to complete their work.  We use Terminal Services on the Server and Remote Desktop Connection to reach it from the clients.  This is the only internet traffic that we must allow.  Can we restrict all other traffic by utilizing controls offered by the Fortigate 60?
Asked by baleman2
1 Solution

dpk_wal commented:
You can configure firewall policy depending on which ports/protocols need to be allowed.

Let's say you want to allow remote desktop over HTTP as well as through the RDP client [default: TCP 3389], and further that all other traffic anywhere on the internet, including HTTPS/FTP etc., must be blocked; then we configure the policies as below:
Go to Firewall > Policy; click New; under Source Interface/Zone set it to "Internal"; in Source Address set it to "all"; under Destination Interface/Zone set it to "External"; schedule "Always". We would configure a different destination address, service and action for each policy as listed below.

Policy 1 -- this policy allows access to remote server on HTTP
Destination address: here you can specify the server IP address(es) one by one or you can first add a firewall address and then select them from the drop-down list; service would be HTTP; Action would be ACCEPT

Policy 2 -- this policy allows access to remote server on TCP 3389 port [default port for RDP]
Here again, destination address would be as above; service would be a custom service for TCP protocol on port 3389 which you should have added earlier; and Action would be ACCEPT.

Policy 3 -- this policy denies all other traffic
Here destination address would be "all"; service would be "ANY"; action would be DENY.

Please let know if you need more details.

Thank you.

baleman2 (author) commented:
Do these policies cover all "outgoing" traffic to the server and allow "incoming" traffic from the Server?  
Also,
As remote administrator I use Remote Desktop Connection to "take" control of client PCs on occasion in order to do support work.  I have policies set up in the Fortigate now to allow this.  However, each of the PCs on the LAN has been configured (via modification of the System Registry) to "listen" on a different port, i.e., 3390, 3391, 3392, etc.  That way, I have a different RDC connection xxx.xxx.xxx.xxx:3390, etc. for each client PC I need to reach.   Having already done this, haven't I already satisfied the requirements of Policy 2?

dpk_wal commented:
These are only outgoing services; all corresponding return traffic would be allowed in without need of any incoming service. An incoming service is only needed if there would be any traffic generated from the server side to the client side [which I doubt would happen; per your original comment clients always initiate the connection to the server].

You are correct; the condition of policy 2 is already configured by you.

Now you need to have the third policy in place; please note that policy ordering is very important, as the policies are applied from top to bottom; so we should have the policy order as:
policy 1
policy 2
policy 3

So, policy 1 and 2 would allow the HTTP and TCP traffic first; and then policy 3 would deny any further traffic.

Thank you.
 
baleman2Author Commented:
Thanks, dpk_wal.  Your solution worked perfectly!!!!

dpk_wal commented:
Happy I could be of assistance! :)