How to restrict all traffic for Guest vlan except HTTP and HTTPS
KB ARTICLE TYPE: Troubleshooting
RELATED PRODUCTS: NA
RELATED SOFTWARE VERSIONS: All versions
KEYWORDS: guest vlan, restrict
To block all traffic except HTTP and HTTPS from your Guest VLAN, create the following firewall rules (this example assumes the Guest VLAN is 192.168.10.0/24):

1. Allow HTTP requests from the Guest network to the Internet (destination port 80):
ID : 1
Id Class flow class : on
Destination IP : 0.0.0.0
Destination IP match : none
Destination IP flow class : none
Destination Netmask : 0.0.0.0
Destination Port : 80
Destination Port match : on
Destination Port flow class : none
Source IP : 192.168.10.0
Source IP match : on
Source IP flow class : none
Source Netmask : 255.255.255.0
Source Port : 0
Source Port match : none
Source Port flow class : none
Network Protocol : 0
Network Protocol match : none
Network Protocol flow class : none
Firewall Filter ID :
Filter Id match : none
Filter Id Flow Class : none
Packet minimum length : 0
Packet Length match : none
Packet Length flow class : none
Packet maximum length : 0
QoS Protocol : sip
Average Packet Rate : 0
Action : forward
Token Bucket Rate : 0
Priority : 0
Traffic Control : off
DiffServ Codepoint : disabled
Qos Rule Logging : off
Qos Rule Logging Frequency : 60
2. Allow replies from web servers back to the Guest VLAN (source port 80):
ID : 2
Id Class flow class : on
Destination IP : 192.168.10.0
Destination IP match : on
Destination IP flow class : none
Destination Netmask : 255.255.255.0
Destination Port : 0
Destination Port match : none
Destination Port flow class : none
Source IP : 0.0.0.0
Source IP match : none
Source IP flow class : none
Source Netmask : 0.0.0.0
Source Port : 80
Source Port match : on
Source Port flow class : none
Network Protocol : 0
Network Protocol match : none
Network Protocol flow class : none
Firewall Filter ID :
Filter Id match : none
Filter Id Flow Class : none
Packet minimum length : 0
Packet Length match : none
Packet Length flow class : none
Packet maximum length : 0
QoS Protocol : sip
Average Packet Rate : 0
Action : forward
Token Bucket Rate : 0
Priority : 0
Traffic Control : off
DiffServ Codepoint : disabled
Qos Rule Logging : off
Qos Rule Logging Frequency : 60
3. Create the same pair of rules for HTTPS (port 443): one matching destination port 443 and one matching source port 443, both with action forward.

4. To block all other traffic, drop all traffic with network protocol 6 (TCP) originating from the Guest VLAN:
ID : 3
Id Class flow class : on
Destination IP : 0.0.0.0
Destination IP match : none
Destination IP flow class : none
Destination Netmask : 0.0.0.0
Destination Port : 0
Destination Port match : none
Destination Port flow class : none
Source IP : 192.168.10.0
Source IP match : on
Source IP flow class : none
Source Netmask : 255.255.255.0
Source Port : 0
Source Port match : none
Source Port flow class : none
Network Protocol : 6
Network Protocol match : on
Network Protocol flow class : none
Firewall Filter ID :
Filter Id match : none
Filter Id Flow Class : none
Packet minimum length : 0
Packet Length match : none
Packet Length flow class : none
Packet maximum length : 0
QoS Protocol : sip
Average Packet Rate : 0
Action : drop
Token Bucket Rate : 0
Priority : 0
Traffic Control : off
DiffServ Codepoint : disabled
Qos Rule Logging : off
Qos Rule Logging Frequency : 60
5. If required, you can also create a similar rule to drop all UDP (protocol 17) traffic from the Guest VLAN.
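As an added illustration that is not part of the original article, the following Python script models the rule set above as an ordered, first-match policy and evaluates constructed sample flows against it, so you can check what the policy forwards and drops before committing it to the device. The rule IDs, the assumed "forward" default for unmatched traffic, and the sample addresses (documentation ranges) are assumptions, not values from the article.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
TCP, UDP = 6, 17
GUEST = "192.168.10.0/24"  # the Guest VLAN used in the article
@dataclass(frozen=True)
class Rule:
    """One rule. A None field is 'match: none' (wildcard); a set field is 'match: on'."""
    rule_id: int
    action: str                  # "forward" or "drop"
    src: Optional[str] = None    # source network (CIDR)
    dst: Optional[str] = None    # destination network (CIDR)
    sport: Optional[int] = None  # source port
    dport: Optional[int] = None  # destination port
    proto: Optional[int] = None  # IP protocol number: 6 TCP, 17 UDP

def matches(rule: Rule, pkt: dict) -> bool:
    """True when every field the rule matches on agrees with the packet."""
    for net, addr in ((rule.src, pkt["src"]), (rule.dst, pkt["dst"])):
        if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
            return False
    for name in ("sport", "dport", "proto"):
        want = getattr(rule, name)
        if want is not None and pkt[name] != want:
            return False
    return True

# Rules 1-4 correspond to steps 1-3 (HTTP/HTTPS in both directions);
# rule 5 is step 4 (drop every other TCP packet from the Guest VLAN).
RULES = [
    Rule(1, "forward", src=GUEST, dport=80),
    Rule(2, "forward", dst=GUEST, sport=80),
    Rule(3, "forward", src=GUEST, dport=443),
    Rule(4, "forward", dst=GUEST, sport=443),
    Rule(5, "drop", src=GUEST, proto=TCP),
]
UDP_DROP = Rule(6, "drop", src=GUEST, proto=UDP)  # the optional step 5

def decide(pkt: dict, block_udp: bool = False, default: str = "forward") -> tuple:
    """First match wins. Unmatched traffic gets the device default, assumed to be
    'forward' here (which is why step 4 needs an explicit drop rule)."""
    for rule in RULES + ([UDP_DROP] if block_udp else []):
        if matches(rule, pkt):
            return rule.action, rule.rule_id
    return default, None

if __name__ == "__main__":
    # Constructed sample: a Guest host sending a DNS query (UDP/53) to a resolver
    q = {"src": "192.168.10.20", "dst": "198.51.100.53", "sport": 51003, "dport": 53, "proto": UDP}
    print(decide(q), decide(q, block_udp=True))  # ('forward', None) ('drop', 6)
```

The last case shows that the optional UDP drop also stops DNS queries (UDP/53) from the Guest VLAN, so name resolution would need an allow rule placed before it. Rules 2 and 4 key on source port alone, so they are not a substitute for stateful (established) matching where the device offers it.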
Copyright 2024 Fortinet, Inc. All Rights Reserved.