Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kieserite
New Contributor

Help Opening Ports For Carbonite Backup

Hi I am new to the Fortigate. We use Carbonite backup and recently had some firmware and other updates done by a different company. After the updates were done, all of our Carbonite backups stopped. The Carbonite folks said that the following ports needed to be opened:

  • 25 (SMTP)
  • 53 (DNS)
  • 80 (HTTP)
  • 443 (HTTPS)

    Would someone be able to help walk me through opening those? I'm assuming that's what has changed, but open to any advice.

    Thanks very much!

    lobstercreed
    Valued Contributor

    Hi Mark,

    Really need some more info to "walk you through it".  This is pretty basic firewall stuff though...

    I'm going to guess that they mean those ports are necessary outbound, so you'd want to look at whatever rules should match traffic from your Carbonite server to the Internet, and make sure the listed services are part of that rule's definition.  The appropriate NAT needs to be done of course as well.

    - Daniel

    rwpatterson
    Valued Contributor III

    Your best bet for that would be to get a list of destination IP addresses or subnets that Carbonite uses, and open those ports for all devices ONLY to the Carbonite hosts/subnets. This way any device you add to Carbonite backup would work without any further configuration inside the firewall. Carbonite support should (may) be able to give you that information.

    Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com
    kieserite

    I like this idea and I did find an article listing the endpoint addresses. They suggested using NSLookup to find the IP addresses. However they mention "You must enable all inbound and outbound traffic to *.azure-devices.net. There is no option to look up IP addresses for this endpoint." Can that be done w/o the IP?

    Here is the link:

    https://support.carbonite.com/articles/Server-Windows-Routing-Carbonite-Server-Backup-Network-Traffi...

    Thanks so much, I really appreciate the help and your thoughts.

    Mark

    lobstercreed

    Hi Mark,

    Reading the article, I'm not sure why port 25 would be needed, and I don't see it mentioned in the linked article.  That would be the biggest security concern as far as having it open to all destinations...it would mean your computers could spam the world basically if they got infected.  Port 53 they probably just want to make sure your PCs can do DNS lookups, but if you have them pointed to internal or specific external DNS servers, that part can be locked down as well (which is a valid security concern).

    80 and 443 are probably already going to be open unless you really lock down the web traffic that users can go to...so I'm actually wondering if there is more traffic needed that's not documented.  If I had $1 for every time I've seen that, even with Microsoft...

    I'm sure in your small environment you don't have a FortiAnalyzer, right?  The logging and search capabilities of it are amazing; in my day-to-day work I spend almost as much time in the FortiAnalyzer as I do in the FortiGate because it can give me the answer to the problem so quickly.  However, the on-board logging capabilities of the FortiGate may be sufficient if you don't have too much traffic or can investigate when there's not much going on.

    Unfortunately there is no way to do a reverse lookup on a wildcard FQDN, so without an actual list of servers you may not be able to craft a policy specific to Carbonite.  However, you might want to look at any Web Filter profiles in use and make sure they aren't blocking this, or consider whitelisting the domains (endpoints) listed.

    It does seem you work roughly the opposite hours of myself (or just post late?), but I can try to be available to provide further help via Zoom or TeamViewer or something for a reasonable fee.  I've been working on FortiGates for most of the past 7 years now, so I'd like to think I could be of some help.  :)  If my notes above don't get you going and you want to pursue this, just PM me or send an email to detectivedanham@gmail.com and let me know what hours you could be available (in what time zone).

    Thanks! - Daniel
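    A FortiGate CLI policy along the lines of Daniel's two replies (an outbound rule with only the needed services, NAT enabled, and logging turned on so the on-board logs show whatever else Carbonite needs), as an added example that is not from the thread or from Carbonite. It assumes the interface names "internal" and "wan1" and the built-in HTTP, HTTPS and DNS service objects; SMTP is left out on purpose, and "all" is used as the destination only because no Carbonite host list is available in the thread.

```fortios
# Added example (assumed interface names: internal = LAN, wan1 = Internet).
# Outbound policy for the backup PCs; only the services Carbonite documents
# that are not a spam risk. Port 25 is intentionally NOT included.
config firewall policy
    edit 0
        set name "Carbonite-outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        # Replace "all" with address objects for the Carbonite hosts/subnets
        # if Carbonite support provides them, per Bob's suggestion above.
        set dstaddr "all"
        set action accept
        set schedule "always"
        # Built-in service objects: TCP/80, TCP/443, TCP+UDP/53.
        set service "HTTP" "HTTPS" "DNS"
        # Source NAT to the WAN interface address, as Daniel notes is required.
        set nat enable
        # Log every session (not just denies) so the FortiGate's own logs
        # reveal any undocumented traffic Carbonite still needs.
        set logtraffic all
        set comments "Carbonite backup clients; SMTP (25) deliberately omitted"
    next
end
```

    Policy order matters on a FortiGate: place this rule above any broader "deny" or more restrictive outbound rule, and watch the forward traffic log for denies from the backup PCs after it is in place.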

    kieserite

    Hi Daniel,

    I'd be happy to provide any information I can and I would really appreciate you "walking me through it"! I figured this was kind of basic and I will be the first to admit I'm not too good with even basic firewall stuff. I do a lot of hardware and software troubleshooting but usually don't have to delve into the firewalls too much. We have another company that's been helping us with the Fortigate but they are really expensive and can only do work 9-5, unless we pay double the hourly rate. I've been concerned lately about their knowledge level of this device. I'm hoping to get up to speed enough to do more myself, at least the fairly basic stuff.

    The other company was making changes to the Fortigate last week in preparation for VOIP. They also updated the firmware to 6.04. They didn't seem to think any of these changes would cause the Carbonite issue, however the backups stopped the next day. Backups are done from each PC and we don't have a server. We've never had to create a rule for Carbonite before. Traffic to their servers was getting through fine before the VOIP adjustments and firmware updates. Carbonite believes it's a port issue and made the suggestion to open those ports. Unfortunately they didn't give me details or if the ports are outbound, but that makes sense to me. They emailed that "Carbonite uses a specific set of ports in order to install, back up, and restore successfully. Please see the article linked below for more information. Ports used by Carbonite:

    Carbonite uses the following ports for installation, backup and restore operations:

  • 25 (SMTP)
  • 53 (DNS)
  • 80 (HTTP)
  • 443 (HTTPS)"

    No real info on the link but I do have a case number and can talk with them. Our network is just peer to peer with a couple of NAS drives, 2 switches and is pretty basic. We have a few basic policies set under IPv4, mostly for VPN, the new phone access, and a couple of sites that we couldn't seem to allow otherwise.

    Please let me know what info I can provide and I would really appreciate some help.

    Thanks!

    Mark
