Gateway Mode Deployment

Configuring the virtual IPs

In order to create the firewall policy that forwards email-related traffic to the FortiMail unit, you must first define a static NAT mapping from a public IP address on the FortiGate unit to the private IP address of the FortiMail unit by creating a virtual IP entry.

Similarly, in order to create the firewall policy that forwards POP3/IMAP-related traffic to the protected email server, you must first define a static NAT mapping from a public IP address on the FortiGate unit to the private IP address of the protected email server by creating a virtual IP entry.

  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following and then click OK.
Name Enter a name to identify the virtual IP entry, such as FortiMail_VIP.
External Interface Select wan1.
Type Select Static NAT.
External IP

Address/Range

Enter 10.10.10.1.
Mapped IP

Address/Range

Enter 172.16.1.5.

To add a virtual IP for the protected email server

  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following and then click OK.
Name Enter a name to identify the virtual IP entry, such as protected_email_server_VIP.
External Interface Select wan1.
Type Select Static NAT.
External IP

Address/Range

Enter 10.10.10.1.
Mapped IP

Address/Range

Enter 172.16.1.10.

Configuring the firewall policies

First, create a firewall policy that allows incoming FortiMail services that are received at the virtual IP address, then applies a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.

Second, create a firewall policy that allows outgoing email and other FortiMail connections from the FortiMail unit to the Internet.

Last, create a firewall policy that allows incoming POP3 and IMAP traffic that is received at the virtual IP address, then applies a static NAT when forwarding the traffic to the private network IP address of the protected email server.

To add the Internet-to-FortiMail policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following and then click OK.

Source Interface/zone Select wan1.

Source Address Name Select all.

Destination

Interface/zone

Select internal.
Destination Address

Name

Select FortiMail_VIP.
Schedule Select ALWAYS.
Service Select FortiMail_incoming_services.
Action Select ACCEPT.

To add the FortiMail-to-Internet policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

Source Interface/zone Select internal.

Source Address Name Select FortiMail_address.

Destination

Interface/zone

Select wan1.
Destination Address

Name

Select all.
Schedule Select ALWAYS.
Service Select FortiMail_outgoing_services.
Action Select ACCEPT.
  1. Select NAT.
  2. Select OK.

To add the Internet-to-email-server policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following and then click OK.

Source Interface/zone Select wan1.

Source Address Name Select all.

Destination

Interface/zone

Select internal.
Destination Address

Name

Select protected_email_server_VIP.
Schedule Select ALWAYS.
Service Select PO3_IMAP_services.
Action Select ACCEPT.

Configuring the MUAs

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail (SMTP) server/MTA. For local email users, this is the private network IP address of the FortiMail unit, 172.16.1.5; for remote email users, this is the virtual IP on the FortiGate unit that maps to the FortiMail unit, 10.10.10.1 or fortimail.example.com.

If you do not configure the email clients to send email through the FortiMail unit, incoming email delivered to your protected email server can be scanned, but email outgoing from your email users cannot.

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see “Testing the installation” on page 159.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiMail and tagged , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Gateway Mode Deployment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.