Gateway Mode Deployment

Example 2: FortiMail unit in front of a firewall

In this example, a FortiMail unit operates in gateway mode within a private network, but is separated from the protected email server and local email users’ computers by a firewall. The protected email server is located on the demilitarized zone (DMZ) of the firewall. The local email users are located on the internal network of the firewall. Remote email users’ computers and external email servers are located on the Internet, outside of the private network. The FortiMail unit protects accounts for email addresses ending in “@example.com,” which are hosted on the local email server.

Figure 9: FortiMail unit in front of a NAT device

The FortiMail unit has also been configured with an access control rule that allows local and remote email users to send email to unprotected domains if they first authenticate:

Sender Pattern          *@example.com
Recipient Pattern       *
Sender IP/Netmask       0.0.0.0/0
Reverse DNS Pattern     *
Authentication Status   authenticated
TLS                     < none >
Action                  RELAY

To deploy the FortiMail unit in front of a NAT device such as a firewall or router, you must complete the following:

  • Configuring the firewall
  • Configuring the MUAs
  • Testing the installation

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see “Running the Quick Start Wizard” on page 34 and “Configuring DNS records” on page 50.

Configuring the firewall

With the FortiMail unit in front of a FortiGate unit, the internal network located behind the FortiGate unit, and the protected email server located on the DMZ, you must configure firewall policies to allow traffic:

  • between the internal network and the FortiMail unit
  • between the internal network and the protected email server
  • between the protected email server and the FortiMail unit
  • between the protected email server and the Internet

To create the required policies, complete the following:

  • Configuring the firewall addresses
  • Configuring the service groups
  • Configuring the virtual IPs

Configuring the firewall addresses

In order to create the firewall policies that govern traffic from the IP addresses of local email users, the protected email server, and the FortiMail unit, you must first define the IP addresses of those hosts by creating firewall address entries.

To add a firewall address for local email users

  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
     Name             Enter a name to identify the firewall address entry, such as local_email_users_address.
     Type             Select Subnet/IP Range.
     Subnet/IP Range  Enter 172.16.1.0/24.
     Interface        Select internal.
  5. Select OK.

To add a firewall address for the protected email server

  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
     Name             Enter a name to identify the firewall address entry, such as protected_email_server_address.
     Type             Select Subnet/IP Range.
     Subnet/IP Range  Enter 192.168.1.10/32.
     Interface        Select dmz.
  5. Select OK.

To add a firewall address for the FortiMail unit

  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
     Name             Enter a name to identify the firewall address entry, such as FortiMail_address.
     Type             Select Subnet/IP Range.
     Subnet/IP Range  Enter 10.10.10.5/32.
     Interface        Select wan1.
  5. Select OK.

Configuring the service groups

In order to create firewall policies that govern email and FortiMail-related traffic, you must first create service groups containing the services that define the protocols and port numbers used in that traffic.

To add a service group for internal email user and protected server traffic to the FortiMail unit

  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as SMTP_quar_services.
  5. In the Available Services area, select HTTP, HTTPS, and SMTP, then select the right arrow to move them to the Members area.
  6. Select OK.

To add a service group for POP3 and IMAP traffic to the protected email server

  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as POP3_IMAP_services.
  5. In the Available Services area, select POP3 and IMAP, then select the right arrow to move them to the Members area.
  6. Select OK.

Configuring the virtual IPs

In order to create the firewall policies that forward traffic from the FortiMail unit and from local and remote email users to the protected email server, you must first define two static NAT mappings by creating virtual IP entries: one from a public IP address on the FortiGate unit to the IP address of the protected email server, and one from an internal IP address on the FortiGate unit to the IP address of the protected email server.

To add a wan1 virtual IP for the protected email server

  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following:
     Name                       Enter a name to identify the virtual IP entry, such as protected_email_server_VIP_wan1.
     External Interface         Select wan1.
     Type                       Select Static NAT.
     External IP Address/Range  Enter 10.10.10.1.
     Mapped IP Address/Range    Enter 192.168.1.10.
  5. Select OK.

To add an internal virtual IP for the protected email server

  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following:
     Name                       Enter a name to identify the virtual IP entry, such as protected_email_server_VIP_internal.
     External Interface         Select internal.
     Type                       Select Static NAT.
     External IP Address/Range  Enter 172.16.1.2.
     Mapped IP Address/Range    Enter 192.168.1.10.
  5. Select OK.
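The same address, service-group and virtual-IP objects expressed as a FortiOS CLI script, added here as an example and not taken from the guide. It assumes FortiOS 4.x-style syntax (where `set mappedip` takes a bare address; newer releases quote it as a range), that the interface names internal, dmz and wan1 exist, and that the predefined service names match those used in the GUI steps above.

```fortios
# Firewall address entries for the three hosts involved in email traffic.
# Each address is bound to the interface on which that host actually sits,
# so a policy using it cannot accidentally match the same IP on another zone.
config firewall address
    edit "local_email_users_address"
        set type ipmask
        set subnet 172.16.1.0 255.255.255.0
        set associated-interface "internal"
    next
    edit "protected_email_server_address"
        set type ipmask
        set subnet 192.168.1.10 255.255.255.255
        set associated-interface "dmz"
    next
    edit "FortiMail_address"
        set type ipmask
        set subnet 10.10.10.5 255.255.255.255
        set associated-interface "wan1"
    next
end

# Service groups: SMTP plus HTTP/HTTPS for quarantine and webmail access to the
# FortiMail unit, and POP3/IMAP for mailbox access to the protected server.
config firewall service group
    edit "SMTP_quar_services"
        set member "HTTP" "HTTPS" "SMTP"
    next
    edit "POP3_IMAP_services"
        set member "POP3" "IMAP"
    next
end

# Static NAT virtual IPs: one public-facing (used by the FortiMail unit and
# remote users) and one internal-facing (used by local users), both mapping
# to the protected email server on the DMZ.
config firewall vip
    edit "protected_email_server_VIP_wan1"
        set extintf "wan1"
        set extip 10.10.10.1
        set mappedip 192.168.1.10
    next
    edit "protected_email_server_VIP_internal"
        set extintf "internal"
        set extip 172.16.1.2
        set mappedip 192.168.1.10
    next
end
```

Before loading the script, confirm with `show firewall vip` and `show firewall address` that no existing object already uses these names or the 10.10.10.1 address, since a VIP on the WAN address exposes the mailbox server to the Internet only through the policies that reference it.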

This entry was posted in Administration Guides, FortiMail.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
