Security – Fortigate 40c Firewall Configuration

dmzfirewallfortinetnetworkingSecurity

Does anybody know if is it possible to Un-bridge ports on forgiate 40c?

I want to use the fortigate 40c to define and control (block/allow) port traffic for the following 4 ip ranges (each ip range belongs to a different server).

port1 – 212.100.XXX.XXX
port2 – 63.245.XXX.XXX
port3 – 98.139.XXX.XXX
port4 – 74.125.XXX.XXX
port5 – 216.246.XXX.XXX

Best Answer

not sure about your Fortigate HW 40C, but generally on Fortigate devices you need convert form Switching mode to Interface mode, for example by submitting CLI commands:

config system global
set internal-switch-mode interface
end

But prior this, you need clear/remove all configuration entries where "switch" is mentioned. Typically: default firewall policy and DHCP setting on "Switch" interface.

BR Jan

Related Solutions

Security – Fortigate Firewall – DMZ vs Interface ports

A DMZ is just a network design term that means that the network is firewalled in a way that it can not initiate traffic into a protected network. There isn't anything special about the port or that network for that matter. Although a port that's marked as DMZ from the firewall's software point of view may have different default firewall rule applied to it.

I don't know about the 50b but with the 60b you can unbridge all the internal ports and run different networks on each port. The firewall rules and all the other features of the FortiGate work fine between these networks. I used this approach to have multiple DMZs using a FortiGate 60b a couple years back. So I don't see any reason that this wouldn't work.

Iptables – How to block all traffic to/from an bridged interface while allowing DHCP

Yes, you need ebtables to apply netfilter rules on a bridge.

The match rule is ip with parameters --ip-source-port and --ip-destination-port.

You'd configure ebtables to allow the traffic you want, then an explicit drop for any other traffic.

The DHCP client port is UDP 68, the DHCP server port is UDP 67.

I believe the correct command syntax and order would be:

ebtables -I INPUT -i eth0 -o eth0 -p ip -j DROP
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-source-port 67 -j ACCEPT
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-source-port 68 -j ACCEPT
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-destination-port 67 -j ACCEPT
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-destination-port 68 -j ACCEPT
ebtables-save

Best Answer

Related Solutions

Security – Fortigate Firewall – DMZ vs Interface ports

Iptables – How to block all traffic to/from an bridged interface while allowing DHCP

Related Topic