From 43730aaf8467c0931b77724349eba67d701ce0c1 Mon Sep 17 00:00:00 2001
From: John Poland
Date: Fri, 31 Oct 2025 17:06:58 -0400
Subject: [PATCH] fortigate Fri Oct 31 05:06:58 PM EDT 2025

---
 configs/fortigate/global/system.cfg | 1 +
 configs/fortigate/vdom_scsd/application.cfg | 13 +++++++
 configs/fortigate/vdom_scsd/firewall.cfg | 41 ++++++++++++++++++++-
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/configs/fortigate/global/system.cfg b/configs/fortigate/global/system.cfg
index 3ef25da..d78b2b5 100644
--- a/configs/fortigate/global/system.cfg
+++ b/configs/fortigate/global/system.cfg
@@ -706,6 +706,7 @@ config system admin
 edit "jkafta72.admin"
 set trusthost1 10.1.6.0 255.255.255.0
 set trusthost2 10.1.40.0 255.255.255.0
+ set trusthost3 10.212.134.12 255.255.255.255
 set accprofile "super_admin"
 set vdom "root"
 set password ENC *HIDDEN*
diff --git a/configs/fortigate/vdom_scsd/application.cfg b/configs/fortigate/vdom_scsd/application.cfg
index 6df1c31..3a6005d 100644
--- a/configs/fortigate/vdom_scsd/application.cfg
+++ b/configs/fortigate/vdom_scsd/application.cfg
@@ -55,4 +55,17 @@ config application list
 next
 end
 next
+ edit "IoT"
+ set other-application-log enable
+ config entries
+ edit 1
+ set application 17244
+ set action pass
+ set log disable
+ next
+ edit 2
+ set category 2 6
+ next
+ end
+ next
 end
diff --git a/configs/fortigate/vdom_scsd/firewall.cfg b/configs/fortigate/vdom_scsd/firewall.cfg
index e90f122..b6cfc95 100644
--- a/configs/fortigate/vdom_scsd/firewall.cfg
+++ b/configs/fortigate/vdom_scsd/firewall.cfg
@@ -2876,6 +2876,10 @@ config firewall address
 set color 6
 set subnet 107.172.59.44 255.255.255.255
 next
+ edit "IoT - Core"
+ set allow-routing enable
+ set subnet 10.1.30.0 255.255.254.0
+ next
 end
 config firewall multicast-address
 edit "all_hosts"
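Review bot: The new `+ set trusthost3 10.212.134.12 255.255.255.255` line widens management-plane reachability for an account whose profile is `super_admin`, and neither the hunk nor the commit message records what that host is. The two existing entries are /24 management subnets; a lone /32 outside them reads like a workstation or jump host and should be documented under the same `edit` so it is not kept past its need, e.g. `set comments "<role of 10.212.134.12 - placeholder>"`. Trusthost only restricts source address, not credential strength, so for a super_admin account it is worth confirming in the same change that two-factor authentication is enforced. The `edit "jkafta72.admin"` stanza is fully within the hunk.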
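Review bot: Entry `edit 2` in the new `"IoT"` application list sets `set category 2 6` with no explicit `action`, so it inherits the firmware default, which is not visible here; write the intent out as `set action block` (or `pass`, if that is what is meant) so the list does not change meaning across firmware defaults. Entry 1 passes application `17244` with `set log disable`, which removes the only record of that traffic even though `other-application-log enable` logs everything else in the list; a bare numeric ID also tells a reviewer nothing about what is being allowed. Add `set comment "<application 17244 and categories 2/6 by name - placeholder>"` on the list, and consider leaving logging enabled for the passed application so the allow decision stays auditable.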
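Review bot: The new `"IoT - Core"` address uses `set subnet 10.1.30.0 255.255.254.0`, a /23 spanning two /24s (10.1.30.0-10.1.31.255); confirm both are intended IoT space, since every policy that references this object, including the new IoT egress policy in this same commit, inherits the whole range. `set allow-routing enable` only matters if the object is used in a static route, and no route change appears in this commit; if none is planned, drop the line so the object stays a plain firewall address. The `config firewall address` table begins outside the hunk.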
@@ -5183,7 +5187,7 @@ config firewall policy
 set srcaddr "SSL_VPN_Range"
 set dstaddr "DocHolliday"
 set schedule "always"
- set service "RDP" "UDP-3389" "SMB" "HTTP" "HTTPS"
+ set service "RDP" "UDP-3389" "SMB" "HTTP" "HTTPS" "PING"
 set utm-status enable
 set ssl-ssh-profile "certificate-inspection"
 set ips-sensor "Incoming_IPS"
@@ -5191,6 +5195,22 @@ config firewall policy
 set groups "VPN_DocHolliday_Group"
 set comments "Remote Access VPN - DocHolliday for Katapult User"
 next
+ edit 105
+ set name "DNS_FOR_SSL_VPN"
+ set srcintf "ssl.scsd"
+ set dstintf "inside"
+ set action accept
+ set srcaddr "SSL_VPN_Range"
+ set dstaddr "Domain_Controller_Group"
+ set schedule "always"
+ set service "DNS"
+ set utm-status enable
+ set ssl-ssh-profile "certificate-inspection"
+ set ips-sensor "Incoming_IPS"
+ set logtraffic all
+ set groups "VPN_DocHolliday_Group"
+ set comments "Remote Access VPN - DocHolliday for Katapult User (Copy of VPN_DocHolliday)"
+ next
 edit 68
 set name "VPN_Access411_Servers"
 set srcintf "ssl.scsd"
@@ -5624,6 +5644,25 @@ config firewall policy
 set tcp-mss-receiver 1400
 set comments "Test Point of Sale"
 next
+ edit 119
+ set name "IoT>Open VPN"
+ set srcintf "inside"
+ set dstintf "outside"
+ set action accept
+ set srcaddr "IoT - Core"
+ set dstaddr "all"
+ set schedule "always"
+ set service "ALL"
+ set utm-status enable
+ set ssl-ssh-profile "certificate-inspection"
+ set av-profile "g-default"
+ set ips-sensor "Outgoing_IPS"
+ set application-list "IoT"
+ set logtraffic all
+ set nat enable
+ set ippool enable
+ set poolname "ippool-198.36.23.251"
+ next
 edit 106
 set name "Internet Access"
 set srcintf "inside" "RAP"
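Review bot: Policy `105` keeps `set comments "Remote Access VPN - DocHolliday for Katapult User (Copy of VPN_DocHolliday)"`, which describes the policy it was cloned from rather than what this one does; replace it with the actual purpose, e.g. `set comments "SSL VPN clients -> domain controllers, DNS only"`. The `set groups "VPN_DocHolliday_Group"` line was inherited from the same clone, so any other SSL VPN user group will not match this rule and will get no name resolution through it; confirm that scope is deliberate rather than accidental. `logtraffic all` is set, which is appropriate for a policy that exposes the domain controllers to remote users.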
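Review bot: Policy `119`, named `"IoT>Open VPN"`, combines `set service "ALL"` with `set dstaddr "all"` from the whole `IoT - Core` range, which is unrestricted internet egress for the IoT segment rather than the single VPN pinhole the name implies; if the intent is one VPN endpoint, narrow it to `set dstaddr "<vpn-endpoint address object - placeholder>"` and `set service "<vpn service object - placeholder>"`. The attached `set application-list "IoT"` passes application 17244 with logging disabled, so that traffic will be missing from the `logtraffic all` records this policy otherwise produces, which weakens the visibility the UTM profiles here are meant to give. Because the policy is placed above `edit 106` `"Internet Access"` and also matches `srcintf "inside"`, every host in 10.1.30.0/23 is evaluated against this broader rule first; the `edit 106` stanza continues past the end of the hunk.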