Gateway Mode Deployment

Configuring the firewall policies

Create the following firewall policies:

  • Allow SMTP_quar_services that are received at the internal virtual IP address, then apply a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.
  • Allow FortiMail_incoming_services that are received at the wan1 virtual IP address that maps to the FortiMail unit, then apply a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.
  • Allow FortiMail_outgoing_services from the FortiMail unit to the Internet.
  • Allow SMTP traffic that is received at the DMZ virtual IP address, then apply a static NAT when forwarding the traffic to the private network IP address of the protected email server.
  • Allow PO3_IMAP_services that are received at the wan1 virtual IP address that maps to the protected email server, then apply a static NAT when forwarding the traffic to the private network IP address of the protected email server.

To add the internal-to-FortiMail policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

     Source Interface/zone         Select internal.
     Source Address Name           Select internal_address.
     Destination Interface/zone    Select dmz.
     Destination Address Name      Select FortiMail_VIP_internal.
     Schedule                      Select ALWAYS.
     Service                       Select SMTP_quar_services.
     Action                        Select ACCEPT.

  5. Select NAT.
  6. Select OK.

To add the Internet-to-FortiMail unit policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

     Source Interface/zone         Select wan1.
     Source Address Name           Select all.
     Destination Interface/zone    Select dmz.
     Destination Address Name      Select FortiMail_VIP_wan1.
     Schedule                      Select ALWAYS.
     Service                       Select FortiMail_incoming_services.
     Action                        Select ACCEPT.

  5. Select OK.

To add the FortiMail-to-Internet policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

     Source Interface/zone         Select dmz.
     Source Address Name           Select FortiMail_address.
     Destination Interface/zone    Select wan1.
     Destination Address Name      Select all.
     Schedule                      Select ALWAYS.
     Service                       Select FortiMail_outgoing_services.
     Action                        Select ACCEPT.

  5. Select NAT.
  6. Select OK.

To add the FortiMail-to-email-server policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

     Source Interface/zone         Select dmz.
     Source Address Name           Select FortiMail_address.
     Destination Interface/zone    Select internal.
     Destination Address Name      Select protected_email_server_VIP_dmz.
     Schedule                      Select ALWAYS.
     Service                       Select SMTP.
     Action                        Select ACCEPT.

  5. Select NAT.
  6. Select OK.

To add the remote-users-to-email-server policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

     Source Interface/zone         Select wan1.
     Source Address Name           Select all.
     Destination Interface/zone    Select internal.
     Destination Address Name      Select protected_email_server_VIP_wan1.
     Schedule                      Select ALWAYS.
     Service                       Select PO3_IMAP_services.
     Action                        Select ACCEPT.

  5. Select OK.
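The five policies above, encoded as data with a rendering to FortiOS CLI and a least-privilege check that flags any-to-any rules, service ALL, and Internet-facing rules that do not land on a VIP or that enable source NAT. This is an added example, not part of the guide or Fortinet's code; the CLI keywords (config firewall policy, set srcintf, set nat enable) are assumed to match the FortiOS version in use, and the policy labels are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str          # label used only in findings (constructed)
    srcintf: str
    srcaddr: str
    dstintf: str
    dstaddr: str
    service: str
    nat: bool = False  # "Select NAT" in the GUI steps = source NAT

# The five policies exactly as the page lists them (constructed data model).
PAGE_POLICIES = (
    Policy("internal-to-FortiMail", "internal", "internal_address", "dmz",
           "FortiMail_VIP_internal", "SMTP_quar_services", nat=True),
    Policy("Internet-to-FortiMail", "wan1", "all", "dmz",
           "FortiMail_VIP_wan1", "FortiMail_incoming_services"),
    Policy("FortiMail-to-Internet", "dmz", "FortiMail_address", "wan1",
           "all", "FortiMail_outgoing_services", nat=True),
    Policy("FortiMail-to-email-server", "dmz", "FortiMail_address", "internal",
           "protected_email_server_VIP_dmz", "SMTP", nat=True),
    Policy("remote-users-to-email-server", "wan1", "all", "internal",
           "protected_email_server_VIP_wan1", "PO3_IMAP_services"),
)


def to_fortios_cli(policies):
    """Render the set as a FortiOS 'config firewall policy' block (assumed syntax)."""
    lines = ["config firewall policy"]
    for pid, p in enumerate(policies, start=1):
        lines += [f"    edit {pid}", f'        set srcintf "{p.srcintf}"',
                  f'        set dstintf "{p.dstintf}"', f'        set srcaddr "{p.srcaddr}"',
                  f'        set dstaddr "{p.dstaddr}"', "        set action accept",
                  '        set schedule "always"', f'        set service "{p.service}"']
        if p.nat:
            lines.append("        set nat enable")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)

def check_policies(policies):
    """Return findings; an empty list means the set matches the page's intent."""
    findings = []
    for p in policies:
        if p.srcaddr == "all" and p.dstaddr == "all":
            findings.append(f"{p.name}: any-to-any address pair")
        if p.service.upper() == "ALL":
            findings.append(f"{p.name}: service ALL instead of a narrow service group")
        # Inbound from the Internet must hit a VIP (the VIP does the DNAT); source NAT
        # on such a rule would replace the real client IP with the FortiGate's.
        if p.srcintf == "wan1" and ("_VIP_" not in p.dstaddr or p.nat):
            findings.append(f"{p.name}: Internet-facing rule must target a VIP without source NAT")
    return findings
```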

Configuring the MUAs

Configure the email clients of local and remote email users to use the FortiMail unit as their outgoing mail (SMTP) server/MTA. For local email users, this is 172.16.1.2, the virtual IP on the internal network interface of the FortiGate unit that is mapped to the IP address of the FortiMail unit; for remote email users, this is 10.10.10.1 or fortimail.example.com, the virtual IP on the wan1 network interface of the FortiGate unit that is mapped to the FortiMail unit.

If you do not configure the email clients to send email through the FortiMail unit, incoming email delivered to your protected email server can be scanned, but email outgoing from your email users cannot.

Also configure email clients to authenticate with the email user’s user name and password for outgoing mail. The user name is the email user’s entire email address, including the domain name portion, such as user1@example.com.

If you do not configure the email clients to authenticate, email destined for other email users in the protected domain may be accepted, but email outgoing to unprotected domains will be denied by the access control rule.

Testing the installation

Basic configuration is now complete, and the installation may be tested. For testing instructions, see “Testing the installation” on page 159.

This entry was posted in Administration Guides, FortiMail.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).
