FortiWAN Optional Services

Optional Services

As an edge device, FortiWAN provides other functions except the major traffic load balancing and fault tolerance. These optional functions are helpful to manage the network in all the ways.

Firewall

This section introduces how to set up the firewall. Unlimited number of rules can be added to the firewall rule list. The rules are prioritized from top to bottom that is rules at the top of the table will be given higher precedence over lower ranked ones. [IPv4 Rules] and [IPv6 Rules] are for configurations of IPv4 and IPv6 respectively.

FortiWAN provides mechanisms to record, notify and analysis on events refer to the Firewall service, see “Log” and “Reports: Firewall”.

E Check the box to enable the rule
When Three options available: Busy hour, Idle hour and All-Time (See “Busyhour Settings”).
Source Packets sent from specified source will be matched (See “Using the web UI”).
Destination Packets sent to a specific destination will be matched. This field is the same as the “Source” field, except that packets are matched with specified destination (See “Using the web UI”).
Service The TCP/UDP service type to be matched. Select the matching criteria from publicly known service types (e.g. FTP), or enter the port number in TCP/UDP packets and specify the range.

Type the starting port number plus hyphen “-“ and then the ending port number. e.g.

“TCP@123-234” (See “Using the web UI”).

Action Choose the actions when the rule is matched: Accept: The firewall will let the matched packets pass. Deny: The firewall will drop the matched packets.
L Check to enable logging. Whenever the rule is matched, the system will record the event to the log file.

Default rules

By default, FortiWAN’s firewall enables the following IPv4/IPv6 rules to deny some accesses coming from the Internet, which might cause general security issues:

  1. When=All-Time & Source=WAN & Destination=Localhost & Service=HTTP(80) & Action=Deny
  2. When=All-Time & Source=WAN & Destination=Localhost & Service=HTTPS(443) & Action=Deny
  3. When=All-Time & Source=WAN & Destination=Localhost & Service=SSH(22) & Action=Deny
  4. When=All-Time & Source=WAN & Destination=Localhost & Service=SNMP(61) & Action=Deny

Firewall

  1. When=All-Time & Source=WAN & Destination=Localhost & Service=RIP(520) & Action=Deny
  2. When=All-Time & Source=WAN & Destination=Any Address & Service=TCP@139 & Action=Deny
  3. When=All-Time & Source=WAN & Destination=Any Address & Service=TCP@445 & Action=Deny
  4. When=All-Time & Source=WAN & Destination=Localhost & Service=TCP@5432 & Action=Deny
  5. When=All-Time & Source=Any Address & Destination=Any Address & Service=Any & Action=Accept

The ninth rule is fixed to be the last rule at the bottom for evaluation. Packets that do not match any other rule will match this rule and be accepted. This rule is unmodifiable. The second rule denies any HTTPS access to FortiWAN’s localhost from the Internet, which means it is unable to access to the Web UI through any WAN port. You can disable this rule or change Action to Accept to allow Web UI accessing throught WAN ports if no security issues are concerned. The sixth, seventh and eighth rules deny any access (coming from the Internet) of NetBIOS, Microsoft-DS Active Directory, Windows shares and Microsoft-DS SMB file sharing, and the Postgre SQL database system that FortiWAN uses for Reports.

Example 1

Rules for Filtering Packets l The users from the internet (WAN) can only access FTP Server 211.21.48.195 through port 21.

  • The users from LAN can access all servers and hosts on the internet (WAN) through port 25 (SMTP), port 80 (HTTP), port 21 (FTP), and port 110 (POP3).
  • All other packets are blocked.

The rules table for the example will look like this:

Firewall

Source Destination Service Action
WAN 211.21.48.195 FTP (21) Accept
WAN DMZ Any Deny
LAN WAN HTTP (80) Accept
LAN WAN SMTP (25) Accept
LAN WAN FTP (21) Accept
LAN WAN POP3 (110) Accept
LAN WAN Any Deny

Example 2

Rules for Filtering Packets l The users from the internet (WAN) can access server 211.21.48.195 inside DMZ through TCP port 7000. l The hosts 192.168.0.100 – 192.168.0.150 in the LAN can access the Internet (WAN) but the others cannot.

 

  • Users from the Internet (WAN) cannot connect to the port 443 on FortiWAN (i.e. Web Administration on FortiWAN). Note: “Localhost” represents the address of FortiWAN host machine. l Users from LAN can access FTP server 192.192.10.1 through port 21.
  • Users from the internet cannot ping FortiWAN . Note: To intercept ping messages, users can deny “ICMP” protocol in service type because ping is a type of “ICMP”. l Users from the LAN cannot access DMZ. l Users from the internet (WAN) cannot access LAN and DMZ.

The rules table for the example will look like this:

Source Destination Service Action
WAN 211.21.48.195 TCP@7000 Accept
192.168.0.100-

192.168.0.150

WAN Any Accept
WAN Localhost TCP@443 Deny
LAN 192.192.10.1 FTP (21) Accept
WAN Localhost ICMP Deny
LAN DMZ Any Deny
WAN DMZ Any Deny
WAN LAN Any Deny

See also

l Busyhour Settings l Using the web UI l Reports: Firewall

This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.