How to Protect Servers with Fortinet Firewall Rules & Policies
Why Firewall Policies Matter
I’ve been messing with networks since the early ’90s — when dial-up was a thing and we thought a 56k modem was fast. Firewalls have changed since then, but the idea is still the same: Manage what gets in and what gets out.
Firewall rules are the layer that controls what comes in and what goes out. Got a misconfigured rule? Congratulations, you opened the door wide for attackers. And believe me, I know how it goes firsthand.
There was one particular bank (not dropping names) that was really proud of their external firewall setup, but they had enabled every single device on their internal network to communicate directly to the internet. No filtering. No segmentation. No logging. Nothing. It was like leaving your front door unlocked and then being surprised that someone walked out with your television.
The thing is, your firewall rules need to be exact. Otherwise, you’re causing more harm than good.
Firewall Rules for Your Server — Industry Best Practices
So, let’s get straight to it. If you’re creating firewall rules for important servers, treat these rules like they were your job—because they probably are.
1. Default Deny Everything
You’re doing it backwards if you’re allowing all traffic by default and then blocking specific things. Begin with deny all, then allow only what’s necessary.
2. Segment Your Network
- Your database servers don’t have to talk to every single IoT device on your network.
- VLANs: Separate departments or services, and allow communication between them only where needed.
3. Limit Remote Access
If SSH/RDP is open to the world, close it immediately. I’ll wait…
- Do not expose critical ports; use VPNs or jump boxes.
4. Use Geo-Filtering (If applicable)
Is your company solely situated in India? So why let in traffic from Russia or North Korea?
5. Enable Logging & Alerts
- If no one looks at what your firewall does, then you don’t really know if it’s doing its job.
- Set up alerts for abnormal traffic patterns, including the attempts, not just the successful attacks.
6. Regular Rule Audits
- A rule that made sense three years ago doesn’t always still make sense.
- Remove unneeded and old rules. They’re a liability.
Every one of these steps? I’ve rolled them out with real-world clients, and they’ve prevented pretty catastrophic breaches for a number of companies.
Fortinet Configuration Guide
Great, now let’s assume you are going with Fortinet, which mind you is great as long as you are configuring it properly. Here is a crash course on how to configure firewall policies for your servers.
1. Create a Firewall Policy
- Log into FortiGate.
- Go to Policy & Objects > Firewall Policy.
- Click on Create New.
2. Configure the Ruleset
- Alias: Specify the one subnet, group, or address that is permitted.
- Limits: Restrict the policy to the servers that need it.
- Service: Limit to required ports (e.g., TCP 443 for HTTPS, TCP 22 for SSH).
- Action: Allow only if absolutely necessary. The default should be deny all.
- Access schedule: If access is only required during working hours, implement it.
3. Security Profiles and Inspection
- Activate Intrusion Prevention (IPS) for any public-facing servers.
- Use Web Filtering (for outbound requests from the server as applicable).
- Enable Logging — You can never say this enough.
4. Test & Validate
- Verify traffic before deploying by using the diagnose debug flow command.
- Deploy the policy and watch logs for undesired denials or approvals.
I mean, I’ve seen companies just push changes to production without validating them — don’t be that company.
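The checklist earlier on this page (default deny, limited remote access, logging) and the ruleset fields in step 2 can be checked mechanically against an exported policy. The following is an added example, not PJ Networks' or Fortinet's own tooling: a small Python auditor that parses a constructed config firewall policy block and flags accept rules that are any-to-any, allow all services, expose SSH/RDP to any source, or have logging disabled. The address names, finding labels and function names are assumptions made for illustration.

```python
import shlex

# Constructed sample in FortiOS CLI syntax; address names are hypothetical.
SAMPLE = """config firewall policy
    edit 1
        set srcaddr "jump-hosts"
        set dstaddr "web-srv"
        set action accept
        set service "HTTPS"
        set logtraffic all
    next
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
    edit 3
        set srcaddr "all"
        set dstaddr "db-srv"
        set action accept
        set service "SSH" "RDP"
    next
end"""

def parse_policies(text):
    """Map policy id -> {setting: [values]} from FortiOS CLI text."""
    policies, cur = {}, None
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["edit"]:
            cur = policies.setdefault(int(tok[1]), {})
        elif tok[:1] == ["set"] and cur is not None:
            cur[tok[1]] = tok[2:]
    return policies

def audit(policies):
    """Return {policy id: [issues]}; rules without 'action accept' are skipped."""
    findings = {}
    for pid, p in policies.items():
        src, svc = p.get("srcaddr", []), p.get("service", [])
        checks = {
            "any-to-any": "all" in src and "all" in p.get("dstaddr", []),
            "all-services": "ALL" in svc,
            "admin-port-from-any": "all" in src and bool({"SSH", "RDP"} & set(svc)),
            "no-logging": p.get("logtraffic") == ["disable"],
        }
        if p.get("action") == ["accept"] and any(checks.values()):
            findings[pid] = [name for name, hit in checks.items() if hit]
    return findings
```

Calling audit(parse_policies(SAMPLE)) leaves policy 1 unflagged and reports policies 2 and 3, which makes it a quick first pass during a periodic rule audit.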
Fortinet Policy Management by PJ Networks
We don’t slap together some random firewall rules and determine our policy with a shrug at PJ Networks. We rigorously design, tune, and implement zero-trust architectures for clients ranging from major banks to healthcare systems.
Here’s the way we think about Fortinet:
- Security Assessment: We review your existing policies (because 9 times out of 10, the rules you have are simply not necessary).
- For Overly Permissive Firewall Rules:
- Rules optimization: Firewall rules restructured around best practices (segmentation, least-privilege access, outbound control).
- Zero-Trust Approach: If a user or device doesn’t need access, they don’t get access. Period.
- Continuous Monitoring: Configuring the firewall is the first step. We prepare for long-term management around logs, alerts, and necessary reporting.
The reason we do this? Because I’ve cleaned up enough breaches to understand where bad firewall policies go unchecked.
Quick Take
- Ignoring best practice and leaving default “allow all” policies in place is no bueno.
- Limit and restrict inbound & outbound traffic to only what’s required.
- Segregate your network with VLANs and segmentation.
- Turn on logging & alerts; if not, you are flying blind.
- Conduct regular audits on your firewall rules. What worked a year ago may not still be in force today.
Conclusion
Firewalls are not “set-and-forget” devices. They are living, evolving components that must be managed precisely.
If you use Fortinet, you’re in luck—you have some great tools at your disposal. But well-built tools do not make a bad configuration okay.
So if you’re on an IT team, or you’re the one overseeing security for your company, take firewall rules seriously. The cost of getting it wrong? A breach. And trust me—no one wants that talk.
Need help in refining your firewall rules? That’s what we do. For decades, PJ Networks has been protecting critical infrastructure. Let’s make sure that your servers aren’t the weakest link.