rmetzger
Article Id 191173

Description
This article describes how to limit the number of firewall policies by grouping IP addresses when the same filtering rule(s) apply to all of those addresses.

Scenario

Internet SMTP Server1 ===\
Internet SMTP Server2 ===+== external [ FortiGate ] internal ==
Internet SMTP Server3 ===/


All 3 servers are subject to the same firewall rule on the FortiGate, from external to internal.

Solution

There are three ways to set up the firewall policies for this scenario (the rule is keyed on the 3 source IP addresses):
  • Create a separate firewall policy for each source address (three policies in total).
  • Create a single firewall policy that lists all three sources (example 1).
  • Create an address group containing the three addresses and reference it in a single firewall policy (example 2).

Example 1

config firewall address
edit "Internet_SMTP1"
set subnet <IPaddress1 Mask1>
next
edit "Internet_SMTP2"
set subnet <IPaddress2 Mask2>
next
edit "Internet_SMTP3"
set subnet <IPaddress3 Mask3>
next
end

config firewall policy
edit 0
set srcintf "external"
set dstintf "internal"
set srcaddr "Internet_SMTP1" "Internet_SMTP2" "Internet_SMTP3"
<set all the rest based on your requirements>
next
end



Example 2

config firewall address
edit "Internet_SMTP1"
set subnet <IPaddress1 Mask1>
next
edit "Internet_SMTP2"
set subnet <IPaddress2 Mask2>
next
edit "Internet_SMTP3"
set subnet <IPaddress3 Mask3>
next
end

config firewall addrgrp
edit "External_SMTP_servers"
set member "Internet_SMTP1" "Internet_SMTP2" "Internet_SMTP3"
next
end

config firewall policy
edit 0
set srcintf "external"
set dstintf "internal"
set srcaddr "External_SMTP_servers"
<set all the rest based on your requirements>
next
end
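The following Python model is an added example, not part of the original article or of FortiOS. It builds the three policy tables described above (one policy per server, one policy with three sources, one policy with an address group), walks each table top to bottom the way a FortiGate evaluates policies with an implicit deny at the end, and confirms that all three give the same decision for every probe address. The subnets standing in for <IPaddress1 Mask1> etc. are constructed sample values, and render_example2_cli() regenerates the example 2 CLI from the same data so that address, group, and policy definitions cannot drift apart.

```python
"""Added model of FortiGate source-address matching for the three options above."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample subnets standing in for <IPaddress1 Mask1> ... (assumed values).
ADDRESSES: Dict[str, ipaddress.IPv4Network] = {
    "Internet_SMTP1": ipaddress.ip_network("198.51.100.10/32"),
    "Internet_SMTP2": ipaddress.ip_network("198.51.100.20/32"),
    "Internet_SMTP3": ipaddress.ip_network("203.0.113.0/29"),
}

# Address groups: group name -> member names (addresses or other groups).
GROUPS: Dict[str, List[str]] = {
    "External_SMTP_servers": ["Internet_SMTP1", "Internet_SMTP2", "Internet_SMTP3"],
}


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: List[str]
    action: str = "accept"


def expand(name: str, seen: Optional[Set[str]] = None) -> List[ipaddress.IPv4Network]:
    """Resolve an address or group name to the networks it covers (groups recurse)."""
    seen = seen if seen is not None else set()
    if name in seen:          # guard against a group that indirectly contains itself
        return []
    seen.add(name)
    if name in ADDRESSES:
        return [ADDRESSES[name]]
    if name in GROUPS:
        nets: List[ipaddress.IPv4Network] = []
        for member in GROUPS[name]:
            nets.extend(expand(member, seen))
        return nets
    raise KeyError(f"unknown address object {name!r}")


def match(policies: List[Policy], src_ip: str, srcintf: str,
          dstintf: str) -> Tuple[Optional[int], str]:
    """First-match lookup, top to bottom; (None, 'deny') models the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for pol in policies:
        if pol.srcintf != srcintf or pol.dstintf != dstintf:
            continue
        if any(ip in net for name in pol.srcaddr for net in expand(name)):
            return pol.policy_id, pol.action
    return None, "deny"


# The three solutions from the article as policy tables (ids are assumed).
PER_SERVER = [
    Policy(1, "external", "internal", ["Internet_SMTP1"]),
    Policy(2, "external", "internal", ["Internet_SMTP2"]),
    Policy(3, "external", "internal", ["Internet_SMTP3"]),
]
MULTI_SOURCE = [Policy(1, "external", "internal",
                       ["Internet_SMTP1", "Internet_SMTP2", "Internet_SMTP3"])]
GROUPED = [Policy(1, "external", "internal", ["External_SMTP_servers"])]


def same_decisions(tables: List[List[Policy]], probes: List[str]) -> bool:
    """True if every table returns the same action for every probe address."""
    for ip in probes:
        actions = {match(t, ip, "external", "internal")[1] for t in tables}
        if len(actions) != 1:
            return False
    return True


def render_example2_cli(group: str, policy_id: int) -> str:
    """Emit the example 2 CLI (address objects, group, one policy) from the model."""
    lines = ["config firewall address"]
    for name in GROUPS[group]:
        net = ADDRESSES[name]
        lines += [f'edit "{name}"', f"set subnet {net.network_address} {net.netmask}", "next"]
    lines += ["end", "", "config firewall addrgrp", f'edit "{group}"',
              "set member " + " ".join(f'"{m}"' for m in GROUPS[group]), "next", "end", ""]
    lines += ["config firewall policy", f"edit {policy_id}", 'set srcintf "external"',
              'set dstintf "internal"', f'set srcaddr "{group}"', "next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    probes = ["198.51.100.10", "198.51.100.20", "203.0.113.5", "192.0.2.1"]
    print("all three tables agree:", same_decisions([PER_SERVER, MULTI_SOURCE, GROUPED], probes))
    print(render_example2_cli("External_SMTP_servers", 0))
```

The probe list deliberately includes an address that is in none of the objects (192.0.2.1) so the check also covers the implicit deny, and a traffic direction test (internal to external) falls through to deny in all three tables because srcintf/dstintf do not match.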
