Optional Services
As an edge device, FortiWAN provides other functions except the major traffic load balancing and fault tolerance. These optional functions are helpful to manage the network in all the ways.
Firewall
This section introduces how to set up the firewall. Unlimited number of rules can be added to the firewall rule list. The rules are prioritized from top to bottom that is rules at the top of the table will be given higher precedence over lower ranked ones. [IPv4 Rules] and [IPv6 Rules] are for configurations of IPv4 and IPv6 respectively.
FortiWAN provides mechanisms to record, notify and analysis on events refer to the Firewall service, see “Log” and “Reports: Firewall”.
| E | Check the box to enable the rule |
| When | Three options available: Busy hour, Idle hour and All-Time (See “Busyhour Settings”). |
| Source | Packets sent from specified source will be matched (See “Using the web UI”). |
| Destination | Packets sent to a specific destination will be matched. This field is the same as the “Source” field, except that packets are matched with specified destination (See “Using the web UI”). |
| Service | The TCP/UDP service type to be matched. Select the matching criteria from publicly known service types (e.g. FTP), or enter the port number in TCP/UDP packets and specify the range.
Type the starting port number plus hyphen “-“ and then the ending port number. e.g. “TCP@123-234” (See “Using the web UI”). |
| Action | Choose the actions when the rule is matched: Accept: The firewall will let the matched packets pass. Deny: The firewall will drop the matched packets. |
| L | Check to enable logging. Whenever the rule is matched, the system will record the event to the log file. |
Default rules
By default, FortiWAN’s firewall enables the following IPv4/IPv6 rules to deny some accesses coming from the Internet, which might cause general security issues:
- When=All-Time & Source=WAN & Destination=Localhost & Service=HTTP(80) & Action=Deny
- When=All-Time & Source=WAN & Destination=Localhost & Service=HTTPS(443) & Action=Deny
- When=All-Time & Source=WAN & Destination=Localhost & Service=SSH(22) & Action=Deny
- When=All-Time & Source=WAN & Destination=Localhost & Service=SNMP(61) & Action=Deny
Firewall
- When=All-Time & Source=WAN & Destination=Localhost & Service=RIP(520) & Action=Deny
- When=All-Time & Source=WAN & Destination=Any Address & Service=TCP@139 & Action=Deny
- When=All-Time & Source=WAN & Destination=Any Address & Service=TCP@445 & Action=Deny
- When=All-Time & Source=WAN & Destination=Localhost & Service=TCP@5432 & Action=Deny
- When=All-Time & Source=Any Address & Destination=Any Address & Service=Any & Action=Accept
The ninth rule is fixed to be the last rule at the bottom for evaluation. Packets that do not match any other rule will match this rule and be accepted. This rule is unmodifiable. The second rule denies any HTTPS access to FortiWAN’s localhost from the Internet, which means it is unable to access to the Web UI through any WAN port. You can disable this rule or change Action to Accept to allow Web UI accessing throught WAN ports if no security issues are concerned. The sixth, seventh and eighth rules deny any access (coming from the Internet) of NetBIOS, Microsoft-DS Active Directory, Windows shares and Microsoft-DS SMB file sharing, and the Postgre SQL database system that FortiWAN uses for Reports.
Example 1
Rules for Filtering Packets l The users from the internet (WAN) can only access FTP Server 211.21.48.195 through port 21.
- The users from LAN can access all servers and hosts on the internet (WAN) through port 25 (SMTP), port 80 (HTTP), port 21 (FTP), and port 110 (POP3).
- All other packets are blocked.
The rules table for the example will look like this:
Firewall
| Source | Destination | Service | Action |
| WAN | 211.21.48.195 | FTP (21) | Accept |
| WAN | DMZ | Any | Deny |
| LAN | WAN | HTTP (80) | Accept |
| LAN | WAN | SMTP (25) | Accept |
| LAN | WAN | FTP (21) | Accept |
| LAN | WAN | POP3 (110) | Accept |
| LAN | WAN | Any | Deny |
Example 2
Rules for Filtering Packets l The users from the internet (WAN) can access server 211.21.48.195 inside DMZ through TCP port 7000. l The hosts 192.168.0.100 – 192.168.0.150 in the LAN can access the Internet (WAN) but the others cannot.
- Users from the Internet (WAN) cannot connect to the port 443 on FortiWAN (i.e. Web Administration on FortiWAN). Note: “Localhost” represents the address of FortiWAN host machine. l Users from LAN can access FTP server 192.192.10.1 through port 21.
- Users from the internet cannot ping FortiWAN . Note: To intercept ping messages, users can deny “ICMP” protocol in service type because ping is a type of “ICMP”. l Users from the LAN cannot access DMZ. l Users from the internet (WAN) cannot access LAN and DMZ.
The rules table for the example will look like this:
| Source | Destination | Service | Action |
| WAN | 211.21.48.195 | TCP@7000 | Accept |
| 192.168.0.100-
192.168.0.150 |
WAN | Any | Accept |
| WAN | Localhost | TCP@443 | Deny |
| LAN | 192.192.10.1 | FTP (21) | Accept |
| WAN | Localhost | ICMP | Deny |
| LAN | DMZ | Any | Deny |
| WAN | DMZ | Any | Deny |
| WAN | LAN | Any | Deny |
See also
l Busyhour Settings l Using the web UI l Reports: Firewall
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!