5

I set up port forwarding on our company's firewall (FortiGate 100D) to one of our internal services.
As we don't have a static public IP I used 0.0.0.0 as an external IP so the remote users can access the internal service through a DDNS service which will handle IP changes.

The question is: does using 0.0.0.0 as an external IP expose our internal services, or even the firewall, to potential threats?

elsadek

2 Answers

4

In a default scenario (one internal, one external network) this will not harm you! You are using PAT so the rule is still bound to a specific port and does not put your network in danger.

If you have more than one external network attached you might have to think about it again. In that case you would have to decide if the forwarding rule should be applied to both or just one external network.

davidb
-1

With Fortigate devices, you can map your Virtual IPs to an interface.

I strongly suggest you map your port forwarding object (Virtual IP) to your WAN interface, instead of any, which is the default value.

I also suggest you explicitly specify Incoming Interface and Outgoing Interface in your firewall policies.

If you properly map your object to the right interface and specify the two interfaces in your policy, you should not have any issue.

Jyo de Lys
  • I'm not sure this answers the question. Or if it does, the connection is not clear. – schroeder Dec 28 '15 at 19:21
  • I'm just trying to explain how to configure this to minimize the threat in that case. It does not answer the question in a general case, but in that particular situation. – Jyo de Lys Dec 30 '15 at 13:12
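
As an added example (not part of either answer and not Fortinet's code), this Python check reads a FortiOS-style `config firewall vip` block and flags port forwards whose external interface is left at `any`, the setting the second answer advises changing to the WAN interface. The sample config, VIP names, addresses and ports are constructed for illustration, and the simplified parser assumes no nested `config` blocks inside a VIP entry.

```python
import re

# Constructed FortiOS-style config; names, addresses and ports are made up.
SAMPLE_CONFIG = '''
config firewall vip
    edit "svc-any"
        set extip 0.0.0.0
        set extintf "any"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 8443
        set mappedport 443
    next
    edit "svc-wan"
        set extip 0.0.0.0
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 8443
        set mappedport 443
    next
end
'''

def parse_vips(config_text):
    """Return {vip_name: {setting: value}} from the 'config firewall vip' block."""
    vips, current, in_vip = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall vip":
            in_vip = True
        elif in_vip and line == "end":
            in_vip = False
        elif in_vip and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = vips.setdefault(m.group(1), {})
        elif in_vip and current is not None and (m := re.match(r'set (\S+) (.+)$', line)):
            current[m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            current = None
    return vips

def audit_vips(vips):
    """Flag VIPs bound to every interface: extintf unset or 'any' (the default per the answer)."""
    findings = []
    for name, cfg in vips.items():
        if cfg.get("extintf", "any") == "any":
            findings.append((name, "extintf is 'any': the forward applies on every interface"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_vips(parse_vips(SAMPLE_CONFIG)):
        print(f"{name}: {reason}")
```
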