How to Whitelist an External IP Address in FortiGate Firewall.
In this step-by-step guide you'll learn how to whitelist an external IP Address or multiple IP Addresses in FortiGate Firewall.
Sometimes there is a need to whitelist an external IP address on a FortiGate/FortiGuard firewall for special purposes. To accomplish this task, you need to create an Address object for the external IP that you want to allow and then create an IPv4 Policy to allow traffic from that IP address.
How to Whitelist an External IP Address or Multiple IP Addresses in FortiGate Firewall.
To allow the traffic from an external IP Address or addresses on the FortiGate Firewall, follow the steps below.
Step 1: Create an Address Object In FortiGate.
To whitelist one or more external IP addresses on the FortiGate, you must first create separate Address objects with the details of each IP you wish to allow.
To create an Address object in FortiGate/FortiGuard:
1. Log in to the FortiGate web interface.
2. Navigate to Policy & Objects > Addresses and click Create New > Address
3. Now fill in the details in "New Address" as follows:
- Name: Type a name for the address object (e.g., "Whitelist IP No1").
- Type: Subnet
- IP/Netmask: Enter the IP address you want to whitelist (e.g., "81.82.83.165/32").*
* Note: The "/32" indicates that it is just that one IP.
- Interface: Select the interface where the IP will be coming from. (e.g. "wan" or "any")
4. Click OK when done.
5. Now, according to what you want to do, proceed as instructed below:
- If you want to whitelist only one external IP Address in FortiGate, skip to step-2 below.
- If you want to whitelist more than one external IP address, repeat the above steps to create a new Address object for each IP you want to allow and then create an Address Group with all those addresses as instructed below. Then proceed to step-2.
To create an Address Group in FortiGate:
a. Navigate to Policy & Objects > Addresses and click Create New > Address Group
b. In the "New Address Group", do the following:
- Name: Type a name for the address group (e.g., "Whitelist IP Addresses")
- Members: Click the "+" symbol and add one-by-one the Address objects you created for the whitelisted IPs.
c. Click OK when done, and continue to next step.
Step 2: Create a new Policy object to Allow Traffic from the Whitelisted IP(s).
After creating the Address object(s) for the IP(s) you want to whitelist in FortiGate Firewall, proceed and create a new IPv4 Policy to allow the traffic from them. To do that:
1. Navigate to Policy & Objects > IPv4 Policy and click Create New.
2. In "Edit Policy" fill in the details as follows:
- Name: Give a name to the new policy (e.g., "Whitelist IP Policy").
- Incoming Interface: Select the external interface where the traffic will come from (e.g. "wan2").
- Outgoing Interface: Select the interface where the traffic will go to (e.g. "LAN").
- Source: Click the "+" symbol and add the Address object you created earlier (e.g., "Whitelist IP No1"), or the Address Group you created (e.g. "Whitelist IP Addresses")
- Destination: Click + and select all or specify particular destinations if required.
- Schedule: Click + and select always or specify a schedule if needed.
- Service: Click + and select ALL or specify particular services if you want.
- Action: Set to Accept.
3. Leave all other options at their default settings or change them according to your needs and click OK when done to save the policy.
4. Finally, drag the newly created policy to the top of the list to ensure it gets processed first.
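The same objects can also be entered from the FortiOS CLI. The Python helper below is an added example, not part of the original guide: it renders the CLI text for Steps 1 and 2 and refuses any entry that is not a single public host, so a mistyped mask cannot widen the whitelist. The function name `fortios_whitelist` is hypothetical, the object names and interfaces are the guide's examples, the second sample IP is constructed, and the public-address check is an assumption of this example.

```python
import ipaddress

def fortios_whitelist(ips, srcintf="wan2", dstintf="lan", service="ALL"):
    """Render FortiOS CLI for the address object(s), optional group and policy."""
    if not ips:
        raise ValueError("no addresses given")
    names, lines = [], ["config firewall address"]
    for n, raw in enumerate(ips, start=1):
        net = ipaddress.IPv4Network(raw)      # raises if host bits are set
        if net.prefixlen != 32:               # the guide's "/32" = exactly one IP
            raise ValueError(f"{raw}: not a single host (/32)")
        if not net.network_address.is_global: # assumption: external means public
            raise ValueError(f"{raw}: not a public (external) address")
        name = f"Whitelist IP No{n}"
        names.append(name)
        # The object's Interface setting is not set here (left at its default).
        lines += [f'    edit "{name}"',
                  "        set type ipmask",
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines.append("end")
    source = names[0]                         # one IP: use the object directly
    if len(names) > 1:                        # several IPs: wrap them in a group
        source = "Whitelist IP Addresses"
        members = " ".join(f'"{m}"' for m in names)
        lines += ["config firewall addrgrp",
                  f'    edit "{source}"',
                  f"        set member {members}",
                  "    next", "end"]
    lines += ["config firewall policy",
              "    edit 0",                   # 0 = create with the next free ID
              '        set name "Whitelist IP Policy"',
              f'        set srcintf "{srcintf}"',
              f'        set dstintf "{dstintf}"',
              f'        set srcaddr "{source}"',
              '        set dstaddr "all"',
              "        set action accept",
              '        set schedule "always"',
              f'        set service "{service}"',
              "    next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample input: the guide's example IP plus one made-up neighbour.
    print(fortios_whitelist(["81.82.83.165/32", "81.82.83.166"]))
```

The rendered text does not reorder the policy list, so step 4 above still applies after pasting it. Pass a specific service name instead of the default `ALL` to limit what the whitelisted source can reach.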
That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.
Frequently Asked Questions
What is the first step to whitelist an external IP in FortiGate?
The first step is to create an Address object for the external IP you wish to allow.
How can multiple IP addresses be whitelisted in FortiGate?
For multiple IP addresses, you need to create an Address object for each IP and then create an Address Group containing all these addresses.
What should be done after creating Address objects in FortiGate?
After creating Address objects, you should create a new IPv4 Policy to allow traffic from the whitelisted IPs.
How can one ensure that the new IPv4 policy is processed first in FortiGate?
You can ensure that the new IPv4 policy is processed first by dragging it to the top of the list.

