Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kioti
New Contributor

FortiGate 60E Ensuring outbound traffic on port 443

Hello,

I've got a Time Clock that needs to communicate out to a Vendor's servers.

I was told that

"Port 443 Outbound must be open to the following IP addresses:

  • 170.146.48.126
  • 170.146.235.104
  • 170.146.48.125
  • 170.146.235.103"

I've got my device hooked up to the network and it requires a static IP address. Apparently, the Vendor's servers do not see a connection. How do I ensure they have 443 outbound? I didn't even think I needed to make changes on my firewall to allow specific ports outbound?

    Dave_Hall
    Honored Contributor

    What you want is to create some address firewall objects for the four addresses and group them.  Then create a firewall policy from internal (e.g. lan) to WAN (or WAN1), setting the dest to the address group with port 443 (e.g. HTTPS).  Move this policy up in the firewall policy list so it is triggered.  e.g. (example only) from the CLI.  I do not know what else you would need though:

    config firewall address
        edit "timeclocks1"
            set associated-interface "wan1"
            set subnet 170.146.48.126 255.255.255.255
        next
        edit "timeclocks2"
            set associated-interface "wan1"
            set subnet 170.146.235.104 255.255.255.255
        next
        edit "timeclocks3"
            set associated-interface "wan1"
            set subnet 170.146.48.125 255.255.255.255
        next
        edit "timeclocks4"
            set associated-interface "wan1"
            set subnet 170.146.235.103 255.255.255.255
        next
    end
    config firewall addrgrp
        edit "timeclockgroup"
            set member "timeclocks1" "timeclocks2" "timeclocks3" "timeclocks4"
        next
    end
    config firewall policy
        edit 0
            set name "connection-timeclocks"
            set srcintf "internal_net"
            set dstintf "wan1"
            set srcaddr "All_Internal"
            set dstaddr "timeclockgroup"
            set action accept
            set schedule "always"
            set service "HTTPS"
            set nat enable
        next
    end

    Edit: that documentation I found on the Internet gives no information on how the internal clock device is supposed to be getting a static IP or if you need to enable NAT (on the firewall policy).

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
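    The procedure Dave_Hall walks through (one address object per vendor IP, an address group, one HTTPS-only policy with NAT, then move it up the list) is the kind of thing that gets scripted once the vendor list grows. The Python below is an added example, not code from this thread or from Fortinet: it generates that same CLI for any list of vendor addresses, and tightens the source to an address object for the clock's own static IP rather than the whole LAN, so only that host gets the pinhole. The interface names ("internal", "wan1"), the object and policy names, and the clock IP 192.168.1.50 are assumptions to replace; the four vendor IPs are the ones quoted in the question.

```python
"""Generate FortiOS CLI: address objects -> address group -> HTTPS-only policy.

Added example, not from the forum post or from Fortinet. Interface names,
object names and the clock IP are assumptions; the vendor IPs are the ones
quoted in the question.
"""
import ipaddress

# Vendor addresses quoted in the question.
VENDOR_HOSTS = ["170.146.48.126", "170.146.235.104",
                "170.146.48.125", "170.146.235.103"]


def host_object(name, host, interface):
    """CLI lines for one 'edit' entry inside 'config firewall address'.

    ip_network(strict=True) turns a bare IPv4 address into a /32 and rejects a
    CIDR with host bits set ("10.0.0.1/8"), so a typo cannot silently widen the
    object into a larger subnet.
    """
    net = ipaddress.ip_network(host, strict=True)
    if net.version != 4:
        raise ValueError(f"IPv4 only in this example: {host}")
    return [
        f'    edit "{name}"',
        f'        set associated-interface "{interface}"',
        f"        set subnet {net.network_address} {net.netmask}",
        "    next",
    ]


def build_config(vendor_hosts, clock_ip, *, srcintf="internal", dstintf="wan1",
                 prefix="timeclock-vendor", group="timeclock-vendors",
                 clock_obj="timeclock", policy="timeclock-https", nat=True):
    """Return the complete CLI text: address objects, address group, policy."""
    if not vendor_hosts:
        raise ValueError("vendor list is empty; nothing to allow")
    names = [f"{prefix}{i}" for i in range(1, len(vendor_hosts) + 1)]

    lines = ["config firewall address"]
    lines += host_object(clock_obj, clock_ip, srcintf)   # the clock itself, LAN side
    for name, host in zip(names, vendor_hosts):
        lines += host_object(name, host, dstintf)        # each vendor IP, WAN side
    lines.append("end")

    lines += [
        "config firewall addrgrp",
        f'    edit "{group}"',
        "        set member " + " ".join(f'"{n}"' for n in names),
        "    next",
        "end",
    ]

    lines += [
        "config firewall policy",
        "    edit 0",                           # 0 = allocate the next free policy ID
        f'        set name "{policy}"',
        f'        set srcintf "{srcintf}"',
        f'        set dstintf "{dstintf}"',
        f'        set srcaddr "{clock_obj}"',  # only the clock, not the whole LAN
        f'        set dstaddr "{group}"',
        "        set action accept",
        '        set schedule "always"',
        '        set service "HTTPS"',         # TCP/443 only
        "        set logtraffic all",          # log hits so a blocked clock shows in the forward log
    ]
    if nat:
        lines.append("        set nat enable")  # private LAN behind the FGT needs SNAT
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # The new policy lands at the bottom of the list; move it above any broader
    # internet-access policy afterwards so it is the one that matches.
    print(build_config(VENDOR_HOSTS, "192.168.1.50"))
```

    Paste the output into the CLI, then reorder the policy in the GUI or with the CLI's move command so it sits above the general internet-access policy; otherwise the broader policy keeps matching first and the pinhole never takes effect.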
    Kioti

    There is one thing I'm tripped up on about this ~

    This firewall has its wan2 connected to the ISP box.

    There is a VLAN on wan2 that has been assigned the front-facing IP address and a tunnel interface set on it.

    When I create these policies, do I replace the wan in your example with the VLAN, since it has the front facing address?

    After I do that, would I need to create another policy between wan2 and the VLAN?

    sw2090
    Honored Contributor

    Well, unless you limited your policy for internet access from the subnet your clock device is in to specific services, there is no outbound limit. So communication outbound should work. 443/tcp is btw the standard port for the https protocol.

    So far it doesn't even matter whether the device has a static IP or a DHCP IP. Usually you have a policy that allows internet for the whole subnet.

    If you don't have one for this subnet you will have to create one. You could then limit that to those destinations and port 443 like Dave wrote. Since I guess you don't have a public subnet behind your FGT, you will have to do NAT to make it work!

     

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    sw2090
    Honored Contributor

    You could debug that on your FGT on the command line:

    diag debug enable
    diag debug flow show console enable
    diag debug flow filter clear
    diag debug flow filter saddr <ipoftheclockdevice>
    diag debug flow trace start <numberofpackets>

    Then have your clock device try to communicate and watch the FGT CLI.

    Flow trace will show you what comes in and what happens to it.

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

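    The flow trace sw2090 describes prints one line per step the FortiGate takes for each packet, keyed by trace_id, and the line that answers the question is the verdict (Allowed by Policy-N, Denied by forward policy check, or a drop before the policy lookup such as a reverse-path-check failure). The Python below is an added example, not code from this thread or from Fortinet: it groups trace lines by trace_id, pulls out the packet 5-tuple, ingress and egress interface, SNAT and verdict, and lists the traces that were not allowed by any policy. The sample output is constructed to follow the trace_id/func/msg line shape FortiOS prints; its addresses, session ids, policy number and interface names (internal, wan1, wan2.100) are invented for the example.

```python
"""Parse 'diag debug flow' output and report, per trace, what the FortiGate did.

Added example, not from the forum post or from Fortinet. SAMPLE is constructed
to follow the trace_id/func/msg line shape FortiOS prints; addresses, session
ids, policy numbers and interface names in it are invented.
"""
import re

# Constructed sample: three SYNs from the clock. Trace 1 is allowed, trace 2
# matches no policy (implicit deny, "policy 0"), trace 3 fails the reverse-path
# check, which is what a VLAN/route mismatch tends to look like.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.1.50:49152->170.146.48.126:443) from internal. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5657 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-7: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3187 msg="SNAT 192.168.1.50->203.0.113.10:49152"
id=20085 trace_id=2 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.1.50:49153->170.146.235.104:443) from internal. flag [S], seq 1001, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5657 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.1.50:49154->170.146.48.125:443) from wan2.100. flag [S], seq 1002, ack 0, win 64240"
id=20085 trace_id=3 func=ip_route_input_slow line=1297 msg="reverse path check fail, drop"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), '
                    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) '
                    r'from (?P<intf>\S+)\.\s')   # greedy \S+ keeps dotted VLAN names like wan2.100
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')


def parse_trace(text):
    """Group trace lines by trace_id and pull out packet, route, SNAT and verdict."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue                        # prompt, blank or unrelated debug line
        t = traces.setdefault(m["tid"], {"packet": None, "egress": None, "snat": None,
                                         "policy": None, "verdict": "no verdict seen"})
        func, msg = m["func"], m["msg"]
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                t["packet"] = p.groupdict()
        elif func == "fw_forward_handler":
            t["verdict"] = msg              # "Allowed by Policy-N ..." or "Denied by ..."
            a = ALLOW_RE.search(msg)
            t["policy"] = int(a.group(1)) if a else None
        elif "find a route" in msg:
            t["egress"] = msg.rsplit("via ", 1)[-1]
        elif msg.startswith("SNAT "):
            t["snat"] = msg[len("SNAT "):]
        elif msg.endswith("drop"):
            t["verdict"] = msg              # dropped before the policy lookup (RPF, no route, ...)
    return traces


def dropped(traces):
    """Return {trace_id: verdict} for every trace that no policy allowed."""
    return {tid: t["verdict"] for tid, t in traces.items() if t["policy"] is None}


def describe(tid, t):
    """One-line summary of a trace for reading at the console."""
    p = t["packet"] or {}
    proto = {"6": "tcp", "17": "udp"}.get(p.get("proto"), p.get("proto", "?"))
    return (f"trace {tid}: {p.get('src')}:{p.get('sport')} -> {p.get('dst')}:{p.get('dport')}/{proto} "
            f"in {p.get('intf')} out {t['egress']} : {t['verdict']}")


if __name__ == "__main__":
    traces = parse_trace(SAMPLE)
    for tid, t in traces.items():
        print(describe(tid, t))
    print("not allowed:", dropped(traces))
```

    Feed it the console capture from a `diag debug flow trace start` session (and remember `diag debug disable` afterwards). A trace that ends in "Denied by forward policy check (policy 0)" means no policy matched, which is what a policy in the wrong position or on the wrong destination interface looks like; a drop from the route-input functions before any policy line points at routing or the interface the packet arrived on, which is the wan2/VLAN question raised earlier in the thread.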