Restrict Internet Access with Fortigate 60 Router

Posted on 2008-10-17
Last Modified: 2012-08-13
Fortigate 60 Routers are used throughout our WAN.  We have approximately 15 computers on the LAN side of each Fortigate at 5 different locations.  Users have begun to abuse their freedom to access the internet and we need to limit their access.  We currently have a domain server that all users must reach in order to complete their work.  We use Terminal Services on the Server and Remote Desktop Connection to reach it from the clients.  This is the only internet traffic that we must allow.  Can we restrict all other traffic by utilizing controls offered by the Fortigate 60?
Question by:baleman2
 
LVL 32

Expert Comment

by:dpk_wal
You can configure firewall policy depending on which ports/protocols need to be allowed.

Let's say you want to allow remote desktop on HTTP as well as through the RDP client [default: TCP 3389]; further, all other traffic anywhere on the internet, including HTTPS/FTP etc., must be blocked. Then we configure the policies as below:
Go to Firewall > Policy; click New; under Source Interface/Zone set it to "Internal"; set the source address to "all"; under Destination Interface/Zone set it to "External"; set the schedule to "Always". We would configure a different destination address, service and action for each policy, as listed below.

Policy 1 -- this policy allows access to remote server on HTTP
Destination address: here you can specify the server IP address(es) one by one or you can first add a firewall address and then select them from the drop-down list; service would be HTTP; Action would be ACCEPT

Policy 2 -- this policy allows access to remote server on TCP 3389 port [default port for RDP]
Here again, destination address would be as above; service would be a custom service for TCP protocol on port 3389 which you should have added earlier; and Action would be ACCEPT.

Policy 3 -- this policy denies all other traffic
Here the destination address would be "all"; service would be "ANY"; action would be DENY.

Please let me know if you need more details.

Thank you.

Author Comment

by:baleman2
Do these policies cover all "outgoing" traffic to the server and allow "incoming" traffic from the Server?  
Also,
As remote administrator I use Remote Desktop Connection to "take" control of client PCs on occasion in order to do support work.  I have policies set up in the Fortigate now to allow this.  However, each of the PCs on the LAN has been configured (via modification of the System Registry) to "listen" on a different port, i.e., 3390, 3391, 3392, etc.  That way, I have a different RDC connection xxx.xxx.xxx.xxx:3390, etc. for each client PC I need to reach.  Having already done this, haven't I already satisfied the requirements of Policy 2?
 
LVL 32

Accepted Solution

by:dpk_wal (earned 500 total points)
These are only outgoing services; all corresponding traffic would be allowed in without need of any incoming service. An incoming service is only needed if there would be any traffic that is generated from the server side to the client side [which I doubt would happen; per your original comment, clients always initiate the connection to the server].

You are correct; policy 2's condition is already configured by you.

Now you need to have the third policy in place; please note the policy ordering is very important, as the policies are applied from top to bottom, so we should have the policy order as:
policy 1
policy 2
policy 3

So, policy 1 and 2 would allow the HTTP and TCP traffic first; and then policy 3 would deny any further traffic.

Thank you.
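The top-down, first-match behaviour and the "no incoming rule needed" point from the accepted answer, as an added simulation that is not part of the original thread and not FortiGate code. The server address, client addresses and ports are constructed placeholders.

```python
# Added example (not from the thread): first-match evaluation of the three
# policies dpk_wal describes, plus a minimal stateful session table to show
# why the server's replies come back without a separate incoming rule.
from dataclasses import dataclass

TS_SERVER = "203.0.113.10"   # constructed placeholder for the Terminal Server IP

@dataclass(frozen=True)
class Policy:
    name: str
    dst: str      # "all" or one destination IP address
    proto: str    # "tcp" or "any"
    port: int     # 0 means any destination port
    action: str   # "accept" or "deny"

def matches(p, dst_ip, proto, dport):
    return ((p.dst == "all" or p.dst == dst_ip)
            and (p.proto == "any" or p.proto == proto)
            and (p.port == 0 or p.port == dport))

def evaluate(policies, dst_ip, proto, dport):
    """Return (action, policy_name) for the FIRST matching policy, top to bottom."""
    for p in policies:
        if matches(p, dst_ip, proto, dport):
            return p.action, p.name
    return "deny", "implicit-deny"   # nothing matched: the firewall drops it

class StatefulFirewall:
    """An accepted outbound packet creates a session; reply packets are
    matched against that session instead of against the policy list."""
    def __init__(self, policies):
        self.policies = policies
        self.sessions = set()
    def outbound(self, src_ip, sport, dst_ip, proto, dport):
        action, name = evaluate(self.policies, dst_ip, proto, dport)
        if action == "accept":
            self.sessions.add((src_ip, sport, dst_ip, proto, dport))
        return action, name
    def inbound_reply(self, src_ip, sport, dst_ip, proto, dport):
        # A reply is the mirror image of the session that the client opened.
        return "accept" if (dst_ip, dport, src_ip, proto, sport) in self.sessions else "deny"

P1 = Policy("policy1-http", TS_SERVER, "tcp", 80, "accept")
P2 = Policy("policy2-rdp", TS_SERVER, "tcp", 3389, "accept")
P3 = Policy("policy3-deny", "all", "any", 0, "deny")
CORRECT_ORDER = [P1, P2, P3]
WRONG_ORDER = [P3, P1, P2]   # deny-all on top shadows both accept policies
```

With CORRECT_ORDER, RDP to the server is accepted by policy 2, its reply is accepted by the session table, and HTTPS to any other host falls through to policy 3; with WRONG_ORDER even the RDP session is denied.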
 

Author Closing Comment

by:baleman2
Thanks, dpk wal.  Your solution worked perfectly!!!!
 
LVL 32

Expert Comment

by:dpk_wal
Happy I could be of assistance! :)
