![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image.png\")
On the following firmware version:<\/p>\n\n\n\n I used the same topology as I did with the Palo Alto; namely:<\/p>\n\n\n\n I also followed the same apporoach as with the Palo Alto in that I did the minimum to set up the firewall to allow the Windows host to browse out to the Internet.<\/p>\n\n\n\n The interfaces were set up like this:<\/p>\n\n\n\n I set up a rule to allow the source, Windows_DMZ on 172.31.200.10, access to any (or all) destinations for http, https and dns only. I configured ‘hide’ NAT behind the outgoing interface. On a Fortigate this is all done on the same rule which looks like this:<\/p>\n\n\n\n And having done this I was able to browse out happily to the Internet as these firewall logs show:<\/p>\n\n\n\n And so once again using the elementary yet fiendish plan of setting up a linux host (linux.labtinker.net) to run ssh on port 80 and then trying to connect to through the above rule which is set up to only allow http,https and dns.<\/p>\n\n\n\n <\/p>\n\n\n\n And… it allowed me through the firewall. Below shows the Windows host (confusingly called fwext.labtinker.net because I’m RDP-ing through the external firewall interface on a static nat) ssh-ing successfully to our linux.labtinker.net.<\/p>\n\n\n\n And the log confirms this….<\/p>\n\n\n\n OK, so we don’t get applications running on non-standard ports blocked by default as we more or less did on the Palo. So let’s delve a little deeper. Each rule on the Forti gives us many more options such as: AntiVirus, Web Filter and Application Control…. and that last one sounds promising for what we’re trying to achieve…<\/p>\n\n\n\n So let’s turn on application control:<\/p>\n\n\n\n Now some firealls can be set to enforce rule changes for new sessions rather than run existing sessions through the rule base again so for good measure I am doing the following from the firewall’s CLI after each policy change to ensure my session starts afresh with the new rulebase:<\/p>\n\n\n\n diagnose sys session clear<\/em><\/p>\n\n\n\n As this killed my RDP session to the Windows box ,also going through the firewall as previously stated, I had some confidence the above command cleared existing sessions. (I think this is probably overkill but it’s easy enough to do in a lab environment)<\/p>\n\n\n\n <\/p>\n\n\n\n With the application control turned on I was still able to ssh out to my Linux box on port 80 but the firewall at least now recognised I’m running SSH as seen by the application column in the logs:<\/p>\n\n\n\n The application profile is designed to let you allow (or more probably block) traffic based on its application category as we can see if we delve into the default Application Control profile under the Security Profiles menu:<\/p>\n\n\n\n The default settting for all profiles is monitor (the eye!) but you could block any applications as well as by altering the drop down box setting:<\/p>\n\n\n\n <\/p>\n\n\n\n OK, interesting but not probably not we want at the moment. But lo, just below this, look at this button…<\/p>\n\n\n\n So, like all good engineers let’s turn it on and see what happens.<\/p>\n\n\n\n![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Forti-version.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Fortigate-Lab.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Forti-Interfaces-1-1024x288.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Forti-Rule-Take-One.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Forti-browsing-log-2.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Putty-out-to-Linux.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Windows-SSH-to-Linux-through-Forti.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Log-through-Forti-of-ssh-on-port-80-1.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/app-control.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/app-control-enabled.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/firewall-log-seeing-ssh-on-port-80.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/app-control-menu.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Appliation-Profile-1.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/network-protocol-enforcement.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Another-forti-log-1.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/Block-apps-on-non-std-ports-1.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/for-non-std-app-paydirt.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-3.png\")