Modify the VPC firewall rules for HA network traffic
When you initially deployed each FortiMail-VM, the VPC firewall rules were configured to allow normal email traffic and access to the GUI. In addition to those ports, you must also allow the ports that FortiMail HA uses for heartbeat and synchronization traffic between the cluster members.
If you are using a network load balancer with FortiMail HA, you may also need to adjust the VPC firewall rules. See the Google Cloud documentation on how VPC firewall rules interact with load balancers.
- On the Google Cloud console, search for or go to Compute Engine.
- Find the FortiMail-VM instances that will form your HA cluster. In the Internal IP column, note the VPC network that both are connected to. If other instances share that network, also note the IP addresses, network tag, or service account that identifies the HA cluster members, so that the firewall rule can be scoped to them. In the following example, both instances are attached through nic0 to the same VPC network.
- Search for or go to Firewall policies.
- Click Create firewall rule.
- Configure a rule that allows inbound HA traffic, and then click Create.
Setting: Value and description
- Network: default. (If your FortiMail-VM instances are connected to a different VPC network, the one you noted in the Internal IP column, select that network instead.)
- Priority: 10. (In VPC firewall rules a lower number is a higher priority. If other rules in the network have lower numbers, reduce this number; a deny rule that outranks this one would disrupt HA.)
- Direction of traffic: Ingress.
- Action on match: Allow.
- Targets: All instances in the network. (If other VMs share the VPC network and you want the rule to apply only to the HA cluster, either select Specified target tags or Specified service account, or specify the cluster's addresses in Destination IPv4 ranges instead.)
- Source IPv4 ranges: 0.0.0.0/0
- Destination IPv4 ranges: 0.0.0.0/0
  In the following example, a FortiGate in the VPC network blocks unauthorized access from the Internet and from other VM instances to the FortiMail cluster, so the rules between the FortiMail instances can be left more permissive in case the VPC subnetting changes later. The rules shown therefore allow traffic from all IPv4 addresses, 0.0.0.0/0. If no such device filters traffic in front of the cluster, restrict the source range to the internal addresses of the HA members instead.
- Protocols and ports: Specified protocols and ports. TCP 20000-20004 and UDP 20000-20001. (If you configured a different base port for FortiMail HA communications, allow the corresponding port numbers instead.)
Inbound rule
- Repeat the previous step to also allow outbound HA traffic: set Direction of traffic to Egress and specify the Destination IPv4 ranges (an egress rule has no source range; the targets are the source). A VPC network has an implied rule that allows all egress traffic, so this explicit rule matters when you have added egress deny rules that could otherwise block HA traffic.
Outbound rule
- If your FortiMail HA cluster will use service monitoring, repeat the ingress and egress allow rules for each monitored service. (If the monitored services use the IANA standard ports, these are TCP port 25 for SMTP, TCP port 80 for HTTP, TCP port 110 for POP3, and TCP port 143 for IMAP.)
Firewall rules for service monitoring must use the port on which FortiMail listens on the internal VPC network. If a front-end NAT device such as a load balancer, router, or FortiGate performs port translation or port forwarding, the internal port number can differ from the one you use to reach the service from external networks such as the Internet.
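The whole procedure above, as an added example that is not part of the FortiMail documentation: a gcloud equivalent of the console steps (the HA ingress and egress rules, the service-monitoring rules, and a check for rules that would outrank them). The network name "default", the target tag "fortimail-ha", the rule names, the HA base port 20000 and the IANA service ports are assumptions; adjust them to what you noted in the Internal IP column and to your HA configuration.

```shell
#!/bin/sh
# Added example, not part of the FortiMail documentation: the gcloud equivalent
# of the console steps above, plus a check for rules that could outrank them.
# Assumed (hypothetical) values: network "default", target tag "fortimail-ha",
# rule names "fortimail-ha-*" and "fortimail-monitor-*", HA base port 20000,
# and IANA ports for the monitored services. The commands are only printed
# unless DRY_RUN=0 is set, so the script can be reviewed before anything is created.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Port set for FortiMail HA derived from the base port: TCP base..base+4 and
# UDP base..base+1, i.e. tcp:20000-20004,udp:20000-20001 for the default base.
ha_ports() {
  base="${1:-20000}"
  printf 'tcp:%d-%d,udp:%d-%d' "$base" $((base + 4)) "$base" $((base + 1))
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Ingress and egress allow rules for HA traffic, then the same pair for the
# monitored services. Scoping with --target-tags instead of "all instances"
# keeps the 0.0.0.0/0 ranges from opening the ports on unrelated VMs.
# Egress rules have no source range: the tagged instances are the source.
ha_rule_commands() {
  network="$1"; base="$2"; tag="$3"
  mon_ports="${4:-tcp:25,tcp:80,tcp:110,tcp:143}"
  ports="$(ha_ports "$base")"
  run gcloud compute firewall-rules create fortimail-ha-ingress \
    --network "$network" --direction INGRESS --priority 10 --action ALLOW \
    --rules "$ports" --source-ranges 0.0.0.0/0 --target-tags "$tag"
  run gcloud compute firewall-rules create fortimail-ha-egress \
    --network "$network" --direction EGRESS --priority 10 --action ALLOW \
    --rules "$ports" --destination-ranges 0.0.0.0/0 --target-tags "$tag"
  run gcloud compute firewall-rules create fortimail-monitor-ingress \
    --network "$network" --direction INGRESS --priority 10 --action ALLOW \
    --rules "$mon_ports" --source-ranges 0.0.0.0/0 --target-tags "$tag"
  run gcloud compute firewall-rules create fortimail-monitor-egress \
    --network "$network" --direction EGRESS --priority 10 --action ALLOW \
    --rules "$mon_ports" --destination-ranges 0.0.0.0/0 --target-tags "$tag"
}

# Lists enabled rules in the network whose priority number is lower (stronger)
# than the HA rules. Any DENY rule in this output is evaluated before the HA
# allow rules and must be reviewed, otherwise HA traffic can be silently dropped.
outranking_rules() {
  network="$1"; prio="${2:-10}"
  run gcloud compute firewall-rules list \
    --filter="network:$network AND priority<$prio AND disabled=false" \
    --format="value(name,direction,priority)"
}

ha_rule_commands default 20000 fortimail-ha
outranking_rules default 10
```

Run it once in the default dry-run mode to review the generated commands, then with DRY_RUN=0 to create the rules; run the outranking check again after any later change to the network's firewall rules, since a new deny rule with a lower number than 10 would take precedence over the HA rules.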