Fortinet FortiGate: Restrict Access to the Open Ports for Specific Country

Restrict Access to the Open Ports on Firewall

Securing your network from unwanted traffic is a critical step in maintaining a robust firewall setup. One effective way to enhance security is by restricting access to open ports based on geographical location. In FortiGate, you can leverage advanced features to restrict access to specific ports for users from certain countries, adding an extra layer of protection to your network.

Introduction

In network security, controlling access to open ports is essential for protecting against unauthorized access and reducing attack vectors. FortiGate firewalls offer the flexibility to implement country-based restrictions, a powerful feature that allows administrators to permit or block access from specific geographical locations. This article will guide you through the process of configuring FortiGate to restrict access to open ports based on country, thereby adding another layer of security to your network.

Why Restrict Access by Country?

Restricting access by country can help minimize exposure to threats originating from regions with higher attack rates or to limit access solely to regions where authorized users are based. This configuration can be particularly useful for securing sensitive applications or systems that don’t require global access.

Steps to Configure Country-Based Port Restriction in FortiGate

Step 1: Log into the FortiGate GUI

1. Open your web browser and navigate to your FortiGate’s IP address.
2. Log in using an account with administrative privileges.

Step 2: Create an Address Object for the Country

1. Navigate to Policy & Objects > Addresses.
2. Click Create New and select Address.
3. Name the address object (e.g., “Allow-US-Only” for allowing access from the U.S.).
4. Set the Type to Geography.
5. In the Country drop-down menu, select the country you want to allow or block.
6. Click OK to save.

Step 3: Create a Policy to Allow/Restrict Country Access

1. Go to Policy & Objects > IPv4 Policy (or IPv6 Policy, depending on your configuration).
2. Click Create New to create a new policy rule.
3. Set the Incoming Interface to the interface where incoming traffic for the specific port arrives.
4. Set the Outgoing Interface to the interface that forwards traffic to your internal network.
5. In the Source field, select the address object created in Step 3 (e.g., “Allow-US-Only”).
6. For Destination, select the server or IP address hosting the open port.
7. Under Service, choose the specific service (port) you want to restrict (e.g., HTTP, HTTPS, SSH).
8. Set Action to Accept if allowing only from the selected country, or Deny to block it.
9. Configure Logging as needed.
10. Click OK to apply the policy.

Step 4: Adjust Policy Order

FortiGate processes policies from top to bottom, so make sure your new policy is positioned appropriately to apply the restriction before any general “allow all” rules.

Step 5: Test the Configuration

After configuring the policy, test the access from the designated country to ensure it works as expected. If you’re restricting access, use tools to simulate connections from different countries to verify the block is functioning correctly.

Additional Tips

• Monitoring Traffic: Use the FortiGate logs under Log & Report > Forward Traffic to monitor attempted connections from different regions.
• Use VPNs for Remote Access: For users who need access from restricted countries, consider setting up a VPN, allowing them secure access while keeping direct access limited.

About The Author

neo

See author's posts