dxbdxb2009 asked on

Firewall Policy...

Hi EEs,    

We have to install a network firewall (FortiGate), for which I have to give a small checklist to my vendors before starting the implementation.

Herewith I am enclosing one small checklist for you experts to comment on and advise me about.

Kindly advise if these are okay, or if you experts can advise more...

Thanks in advance...
Hardware Firewalls, Network Architecture, Network Security


8/22/2022 - Mon

Anyone, please advise...

There is no such thing as a universal firewall rule. Rules are based on corporate policies, usually some security audit guidelines. Seeing the list, it looks like an amalgamation from different sources. The points can go up to well beyond 100.

However, you might need to check the list of blocked IPs and services, because they list many ports which we generally keep open. You blocked the private range entirely, multicast IPs, FTP, SSH, telnet etc. You should discuss your design and the required filtering of traffic with the vendor.

It looks too formal and probably unworkable to me. If you apply your list, it will block everything.

Generally the vendors should be able to give you a small checklist to start with, and gradually it should be built up as per the need.




@surbabu140977:

"a universal firewall rule..." Agreed, but can you share some link where I can see an example of such a rule which I can adopt for my case?

"You blocked the private range entirely, multicast IPs, FTP, SSH, telnet etc..." What all do I need to consider blocking? Please advise.


@Soulja: thanks for your reply...

You are correct, this is going to be at the edge of this network...
Kindly share any good links on the ports I must block for all incoming traffic... would really appreciate it...

I think we don't even need to allow HTTP/HTTPS, as we don't have any web server at all.
For VPN, yes, we must open incoming traffic as we will have some VPN users.
Good advice on SSH... will put one note for the vendor to consider SSH, thanks.

- Yes, you will want to block the private and non-routable ranges from coming inbound to the firewall = meaning none of the incoming packets with private IPs (including 10.x.x.x / 172.16.x.x / 192.168.x.x) will be allowed in from outside the network. Correct?

- Don't allow telnet, use SSH only = Noted, thanks.
- Don't allow FTP unless you are using SFTP = Noted this as well.

Can you advise if I can just host SFTP directly on my SAN (NetApp FAS 2240)? This way I will not have to keep an additional Windows FTP server.
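The edge policy the two posts above converge on (refuse inbound packets with private, loopback, link-local or multicast source addresses; refuse cleartext telnet and FTP; keep VPN open; restrict SSH) can be sanity-checked offline before handing a rule list to the vendor. The script below is an added example for this thread, not code from the original post or from Fortinet: it models that policy as a first-match rule set and evaluates a handful of constructed inbound flows against it. The VPN ports (IPsec IKE on UDP 500 and NAT-T on UDP 4500) and the SSH management source range (203.0.113.0/24, a documentation prefix used as a placeholder) are assumptions for the example, not values from the thread.

```python
"""Model of an edge ingress policy: classify inbound flows as allow/deny.

Added example for the thread above, not the poster's or vendor's configuration.
Assumptions (not from the thread): VPN is IPsec on UDP 500/4500, and SSH is
permitted only from a management range represented by the placeholder
203.0.113.0/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Source prefixes that must never arrive on the outside interface:
# RFC 1918 private space, loopback, link-local, multicast and "this" network.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
)]

# Cleartext services the thread says to refuse at the edge.
DENY_PORTS = {("tcp", 23): "telnet", ("tcp", 21): "ftp"}

# Assumed inbound VPN services: IPsec IKE and NAT-T (assumption, see lead-in).
VPN_ALLOW = {("udp", 500), ("udp", 4500)}

# Assumed management range from which SSH is acceptable (placeholder prefix).
SSH_MGMT_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    proto: str
    dst_port: int


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for one inbound flow; first matching rule wins."""
    src = ipaddress.ip_address(flow.src_ip)
    key = (flow.proto, flow.dst_port)
    # 1. Anti-spoofing: drop bogon sources before looking at the service.
    for net in BOGON_SOURCES:
        if src in net:
            return "deny", f"bogon source {net}"
    # 2. Cleartext services are refused regardless of source.
    if key in DENY_PORTS:
        return "deny", f"cleartext service {DENY_PORTS[key]}"
    # 3. SSH only from the management range.
    if key == ("tcp", 22):
        if any(src in net for net in SSH_MGMT_SOURCES):
            return "allow", "ssh from management range"
        return "deny", "ssh from non-management source"
    # 4. VPN endpoints stay reachable for remote users.
    if key in VPN_ALLOW:
        return "allow", "vpn service"
    # 5. Everything else (including HTTP/HTTPS, no web server here) is denied.
    return "deny", "default deny"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate a batch of flows and return (flow, verdict, reason) triples."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample flows for the demonstration (not captured traffic).
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "tcp", 443),  # private source on the outside: spoofed
    Flow("198.51.100.7", "tcp", 23),   # telnet from the Internet
    Flow("198.51.100.7", "udp", 4500), # IPsec NAT-T from a VPN client
    Flow("203.0.113.5", "tcp", 22),    # SSH from the management range
    Flow("198.51.100.7", "tcp", 22),   # SSH from anywhere else
    Flow("198.51.100.7", "tcp", 80),   # HTTP: no web server, default deny
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src_ip:>15} {flow.proto}/{flow.dst_port:<5} {verdict:5} ({reason})")
```

The rule order matters: the anti-spoofing check runs first so that a packet with a private source never reaches a later allow rule, and the final rule is a default deny, which is the posture the replies above recommend for an edge firewall with no public web server. Adding a service means adding an explicit allow entry and re-running the audit, rather than loosening the default.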

You got the approach totally wrong... you are trying to generalize something which you think can be applied. Please do not "think". Firewall rules are a requirement and should be guided by a definite policy with a business requirement.

If you are a business guy, define your business goal and let the IT person design it for you.

If you are an IT guy, outline your IT business needs and let a security guy do it for you.

You do not get a security config in any forum.

Below is a standard and accepted guideline from NIST, USA, that should help you a bit. Please note that actual implementations may vary widely as per the requirement compared to what is defined in the guideline.




I assume this firewall will be on the edge of your network = Yes, it is.
You will want to block most of those ports for inbound traffic = Yes, you are correct.

Anything specific to be considered for blocking & allowing... please comment on it...

@surbabu140977: thanks for the above link...

Would really appreciate it if you can provide me some more, including some good templates/examples...

Many thanks in advance..