FortiGate 60E Ensuring outbound traffic on port 443

Author: Kioti
2019/08/22 12:04:36

Hello,
 
I've got a Time Clock that needs to communicate out to a Vendor's servers. 
 
I was told that 
"Port 443 Outbound must be open to the following IP addresses:
  • 170.146.48.126
  • 170.146.235.104
  • 170.146.48.125
  • 170.146.235.103
"
 
I've got my device hooked up to the network and it requires a static IP address. Apparently, the Vendor's servers do not see a connection. How do I ensure they have 443 outbound? I didn't even think I needed to make changes on my firewall to allow specific ports outbound?

    Dave Hall, 2019/08/22 14:22:12
    What you want is to create some address firewall objects for the four addresses and group them.  Then create a firewall policy from internal (e.g. lan) to WAN (or WAN1), setting the dest to the address group with port 443 (e.g. HTTPS).  Move this policy up in the firewall policy list so it is triggered.  e.g. (example only) from the CLI.  I do not know what else you would need though:

    config firewall address
        edit "timeclocks1"
            set associated-interface "wan1"
            set subnet 170.146.48.126 255.255.255.255
        next
        edit "timeclocks2"
            set associated-interface "wan1"
            set subnet 170.146.235.104 255.255.255.255
        next
        edit "timeclocks3"
            set associated-interface "wan1"
            set subnet 170.146.48.125 255.255.255.255
        next
        edit "timeclocks4"
            set associated-interface "wan1"
            set subnet 170.146.235.103 255.255.255.255
        next
    end
    config firewall addrgrp
        edit "timeclockgroup"
            set member "timeclocks1" "timeclocks2" "timeclocks3" "timeclocks4"
        next
    end
    config firewall policy
        edit 0
            set name "connection-timeclocks"
            set srcintf "internal_net"
            set dstintf "wan1"
            set srcaddr "All_Internal"
            set dstaddr "timeclockgroup"
            set action accept
            set schedule "always"
            set service "HTTPS"
            set nat enable
        next
    end

    Edit: the documentation I found on the Internet gives no information on how the internal clock device is supposed to be getting a static IP or if you need to enable NAT (on the firewall policy).
    post edited by Dave Hall - 2019/08/22 14:28:03

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
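    As an added illustration (not code from the thread or from Fortinet), the following simulates the FortiGate first-match policy lookup to show why the narrow time-clock policy above has to sit higher in the list than a broad "LAN to internet" rule, and what happens to other traffic when only the narrow rule exists. The LAN subnet, clock address, interface and policy names are assumed.

```python
import ipaddress

# Addresses quoted in the thread; the subnet, interface and policy names below are assumed.
VENDOR_IPS = ["170.146.48.126", "170.146.235.104",
              "170.146.48.125", "170.146.235.103"]

def make_policy(name, srcintf, dstintf, src, dst, services):
    """One accept policy; src/dst are CIDR strings, services a set of FortiOS service names."""
    return {"name": name, "srcintf": srcintf, "dstintf": dstintf,
            "src": [ipaddress.ip_network(n) for n in src],
            "dst": [ipaddress.ip_network(n) for n in dst],
            "services": set(services)}

def first_match(policies, srcintf, dstintf, saddr, daddr, service):
    """Top-down first-match lookup, as the FortiGate policy table works.
    None means no policy matched, which FortiOS treats as an implicit deny."""
    sip, dip = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    for p in policies:
        if (p["srcintf"] == srcintf and p["dstintf"] == dstintf
                and any(sip in n for n in p["src"])
                and any(dip in n for n in p["dst"])
                and ("ALL" in p["services"] or service in p["services"])):
            return p["name"]
    return None

# The narrow policy from the reply above: only HTTPS, only to the four vendor hosts.
TIMECLOCK = make_policy("connection-timeclocks", "internal", "wan1",
                        ["192.168.1.0/24"], [f"{ip}/32" for ip in VENDOR_IPS], ["HTTPS"])
# A typical broad "LAN to internet" policy that many firewalls already carry.
INTERNET_ALL = make_policy("internet-all", "internal", "wan1",
                           ["192.168.1.0/24"], ["0.0.0.0/0"], ["ALL"])

def clock_lookup(policies, daddr="170.146.48.126", service="HTTPS"):
    """Which policy handles the clock (192.168.1.50, assumed) talking to daddr."""
    return first_match(policies, "internal", "wan1", "192.168.1.50", daddr, service)

if __name__ == "__main__":
    # Broad rule first: it wins, and the narrow rule never triggers.
    print(clock_lookup([INTERNET_ALL, TIMECLOCK]))      # internet-all
    # Narrow rule moved up: the clock's HTTPS traffic now hits it.
    print(clock_lookup([TIMECLOCK, INTERNET_ALL]))      # connection-timeclocks
    # Only the narrow rule present: anything else from the clock is implicitly denied.
    print(clock_lookup([TIMECLOCK], daddr="8.8.8.8"))   # None
    print(clock_lookup([TIMECLOCK], service="HTTP"))    # None
```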

    sw2090, 2019/08/23 00:38:17
    Well, unless you limited your policy for internet access from the subnet your clock device is in to specific services, there is no outbound limit. So communication outbound should work. 443/tcp is btw the standard port for the https protocol.
    So far it doesn't even matter whether the device has a static IP or a DHCP IP. Usually you have a policy that allows internet for the whole subnet.
    If you don't have one for this subnet you will have to create one. You could then limit that to those destinations and port 443 like Dave wrote. Since I guess you don't have a public subnet behind your FGT, you will have to do NAT to make it work!

    sw2090, 2019/08/23 00:41:00
    You could debug that on your FGT on the command line:
     
    diag debug enable
    diag debug flow show console enable
    diag debug flow filter clear
    diag debug flow filter saddr <ipoftheclockdevice>
    diag debug flow trace start <numberofpackets>
     
    Then have your clock device try to communicate and watch the FGT CLI.
    Flow trace will show you what comes in and what happens to it.
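    As an added illustration (not from the thread or from Fortinet), a small parser that folds flow-trace lines into one verdict per session, so a clock session that hit the implicit deny stands out from one an explicit policy allowed. The sample lines are constructed, only approximate the FortiOS message wording, and assume the clock is 192.168.1.50 behind interface internal.

```python
import re

# Constructed sample approximating "diag debug flow" output for the clock device
# (192.168.1.50, assumed) talking to two of the vendor addresses; only the
# packet, route and verdict lines are kept. Message wording may differ on your build.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 192.168.1.50:51234->170.146.48.126:443) from internal. flag [S], seq 100, ack 0, win 8192"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 192.168.1.50:51235->170.146.235.104:443) from internal. flag [S], seq 200, ack 0, win 8192"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=783 msg="Allowed by Policy-7: SNAT"
"""

# Regexes are assumptions about the line shape; tune them against real output.
PKT_RE = re.compile(r'trace_id=(\d+) .*received a packet\(proto=(\d+), '
                    r'([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'trace_id=(\d+) .*find a route: .* via (\S+)"')
DENY_RE = re.compile(r'trace_id=(\d+) .*Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'trace_id=(\d+) .*Allowed by Policy-(\d+)')

def summarize(trace_text):
    """Fold the per-packet debug lines into one record per trace_id."""
    flows = {}
    for line in trace_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            tid, proto, sip, sport, dip, dport, inif = m.groups()
            flows[tid] = {"proto": int(proto), "src": sip, "dst": dip, "dport": int(dport),
                          "in": inif, "out": None, "verdict": "no decision logged", "policy": None}
            continue
        for rx, verdict in ((ROUTE_RE, None), (DENY_RE, "deny"), (ALLOW_RE, "accept")):
            m = rx.search(line)
            if m and m.group(1) in flows:
                if verdict is None:
                    flows[m.group(1)]["out"] = m.group(2)   # egress interface from the route lookup
                else:
                    flows[m.group(1)].update(verdict=verdict, policy=int(m.group(2)))
    return flows

def denied_to_vendor(trace_text, vendor_ips, port=443):
    """(src, dst) pairs the FGT dropped on the way to the vendor hosts.
    Policy 0 in the deny message means no explicit policy matched (implicit deny)."""
    return sorted((f["src"], f["dst"]) for f in summarize(trace_text).values()
                  if f["verdict"] == "deny" and f["dst"] in vendor_ips and f["dport"] == port)

if __name__ == "__main__":
    for tid, f in summarize(SAMPLE_TRACE).items():
        print(tid, f["src"], "->", f["dst"], f["dport"], f["in"], "->", f["out"],
              f["verdict"], "policy", f["policy"])
```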

    Kioti, 2019/08/23 11:23:19
    There is one thing I'm tripped up on about this ~
     
    This firewall has its wan2 connected to the ISP box.
     
    There is a VLAN on wan2 that has been assigned the front-facing IP address and a tunnel interface set on it.
     
    When I create these policies, do I replace the wan in your example with the VLAN, since it has the front-facing address?
     
     
    After I do that, would I need to create another policy between wan2 and the VLAN?
