Gateway Mode Deployment

Configuring the firewall policies

Create the following firewall policies:

  • Allow SMTP connections from the protected email server to the FortiMail unit.
  • Allow SMTP_quar_services from the local email users to the FortiMail unit.
  • Allow SMTP connections that are received at the wan1 virtual IP address from the FortiMail unit, then apply a static NAT when forwarding the traffic to the private network IP address of the protected email server.
  • Allow PO3_IMAP_services that are received at the internal virtual IP address, then apply a static NAT when forwarding the traffic to the private network IP address of the protected email server.
  • Allow PO3_IMAP_services that are received at the wan1 virtual IP address, then apply a static NAT when forwarding the traffic to the private network IP address of the protected email server.

To add the email-server-to-FortiMail policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

     Source Interface/zone: Select dmz.
     Source Address Name: Select protected_email_server_address.
     Destination Interface/zone: Select wan1.
     Destination Address Name: Select FortiMail_address.
     Schedule: Select ALWAYS.
     Service: Select SMTP.
     Action: Select ACCEPT.

  5. Select NAT.
  6. Select OK.

To add the local-users-to-FortiMail policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

     Source Interface/zone: Select internal.
     Source Address Name: Select local_email_users_address.
     Destination Interface/zone: Select wan1.
     Destination Address Name: Select FortiMail_address.
     Schedule: Select ALWAYS.
     Service: Select SMTP_quar_services.
     Action: Select ACCEPT.

  5. Select NAT.
  6. Select OK.

To add the FortiMail-to-email-server policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

     Source Interface/zone: Select wan1.
     Source Address Name: Select FortiMail_address.
     Destination Interface/zone: Select wan1.
     Destination Address Name: Select protected_email_server_VIP_wan1.
     Schedule: Select ALWAYS.
     Service: Select SMTP.
     Action: Select ACCEPT.

  5. Select NAT.
  6. Select OK.

To add the local-users-to-email-server policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

     Source Interface/zone: Select internal.
     Source Address Name: Select local_email_users_address.
     Destination Interface/zone: Select internal.
     Destination Address Name: Select protected_email_server_VIP_internal.
     Schedule: Select ALWAYS.
     Service: Select PO3_IMAP_services.
     Action: Select ACCEPT.

  5. Select NAT.
  6. Select OK.

To add the remote-users-to-email-server policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

     Source Interface/zone: Select wan1.
     Source Address Name: Select all.
     Destination Interface/zone: Select dmz.
     Destination Address Name: Select protected_email_server_VIP_wan1.
     Schedule: Select ALWAYS.
     Service: Select PO3_IMAP_services.
     Action: Select ACCEPT.

  5. Select NAT.
  6. Select OK.
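As an added example that is not part of the FortiMail guide, the following Python script models the five policies above as a first-match list and checks the design intent: the listed email flows reach their policy, while SMTP arriving directly from the Internet at the protected server's VIP (bypassing the FortiMail unit) falls through to the implicit deny. The source name internet_host is a constructed stand-in for any unnamed Internet address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    srcaddr: str   # address object name, or "all"
    dstintf: str
    dstaddr: str   # address or VIP object name
    service: str   # service or service-group name

# The five policies exactly as the procedures in this section specify them.
POLICIES = [
    Policy("email-server-to-FortiMail", "dmz", "protected_email_server_address",
           "wan1", "FortiMail_address", "SMTP"),
    Policy("local-users-to-FortiMail", "internal", "local_email_users_address",
           "wan1", "FortiMail_address", "SMTP_quar_services"),
    Policy("FortiMail-to-email-server", "wan1", "FortiMail_address",
           "wan1", "protected_email_server_VIP_wan1", "SMTP"),
    Policy("local-users-to-email-server", "internal", "local_email_users_address",
           "internal", "protected_email_server_VIP_internal", "PO3_IMAP_services"),
    Policy("remote-users-to-email-server", "wan1", "all",
           "dmz", "protected_email_server_VIP_wan1", "PO3_IMAP_services"),
]

def match(srcintf, srcaddr, dstintf, dstaddr, service):
    """First-match lookup; returns the policy name, or None for the implicit deny."""
    for p in POLICIES:
        if (p.srcintf == srcintf and p.srcaddr in ("all", srcaddr)
                and p.dstintf == dstintf and p.dstaddr == dstaddr
                and p.service == service):
            return p.name
    return None

# Design intent: (srcintf, srcaddr, dstintf, dstaddr, service) -> expected policy.
# "internet_host" is a constructed stand-in for any unnamed Internet source.
# The last flow must stay denied: Internet SMTP may only reach the server via FortiMail.
INTENT = {
    ("dmz", "protected_email_server_address", "wan1", "FortiMail_address", "SMTP"):
        "email-server-to-FortiMail",
    ("wan1", "FortiMail_address", "wan1", "protected_email_server_VIP_wan1", "SMTP"):
        "FortiMail-to-email-server",
    ("wan1", "internet_host", "dmz", "protected_email_server_VIP_wan1", "PO3_IMAP_services"):
        "remote-users-to-email-server",
    ("wan1", "internet_host", "dmz", "protected_email_server_VIP_wan1", "SMTP"):
        None,
}

def audit():
    """Return the flows whose first-match result differs from INTENT (empty list = OK)."""
    return [flow for flow, want in INTENT.items() if match(*flow) != want]
```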

Configuring the MUAs

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail (SMTP) server/MTA. For both local and remote email users, this is 10.10.10.5 or fortimail.example.com.

If you do not configure the email clients to send email through the FortiMail unit, incoming email delivered to your protected email server can be scanned, but email outgoing from your email users cannot.

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see “Testing the installation” on page 159.

This entry was posted in Administration Guides, FortiMail.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
