FortiGate Firewall Policies

July 5th, 2018

Fortinet FortiGates are stateful firewalls that permit or deny traffic based on firewall policies.  A firewall policy defines what to do with traffic that matches its criteria.  Those criteria are drawn from the flow itself (ingress and egress interface, source and destination address, protocol and port) and from other context such as time of day, the authenticated user, or the identified device.

Firewall policies are evaluated top down.  The first policy whose criteria match is applied to the session and no later policy is consulted, so a specific deny must be placed above a broader accept, and a broad accept inserted above existing policies will shadow them.  A policy's action is accept or deny; an accepting policy can additionally apply NAT, require user authentication, and hand the session to security profiles.  An implicit deny policy sits at the bottom of the list and drops any traffic not matched by a policy above it.  Enable logging on your firewall policies for monitoring and troubleshooting (both allowed and violating traffic).  Note that the implicit deny does not log by default; turn on Log Violation Traffic on the Implicit Deny policy if you want to see what is being dropped.

Policies reference objects such as schedules, NAT rules, service definitions, interfaces, addresses, devices and users, and use them as matching criteria for the configured actions.  You can match on schedule (recurring or one-time), ingress and egress interface, source IP, originating user, device identity, destination IP, and service.  Source and destination interfaces are required fields, but “any” is an acceptable choice for one or both.  A flow must satisfy every criterion in the policy, including both the source and destination designations, to be considered a match.

Sources can be specified as a subnet, fully qualified domain name (requires DNS), IP address or range of IPs, Internet Service Database (ISDB) entry, or geographic location.  You can also add a user or device as a source, but only in addition to at least one of the aforementioned address types.  Users can come from the local FortiGate database, a remote authentication server (e.g., RADIUS or LDAP), a certificate, or Fortinet Single Sign-On.  Adding a user or group to the source field also makes the policy identity-based: the user must authenticate before the policy permits network access.

FortiClient is the agent-based option for device identification.  Agentless identification draws on traffic the device emits, such as TCP fingerprinting, LLDP, SSDP, and DHCP.  Address objects and ISDB objects cannot be mixed in the same field: if an ISDB entry is set as the source, you will not be able to add an address to the source field.  The ISDB is updated periodically from FortiGuard so that the objects it contains stay accurate.

Policies can also match on destination information: fully qualified domain name (requires DNS), ISDB objects, geographic location, IP address or range, or subnet.  Users and devices cannot be used as destinations, since they are identified on the ingress interface.  ISDB objects consist of the IP addresses, port numbers, and protocols used by well-known Internet services.

Policies also come in several types beyond IPv4 and IPv6: rate-limiting (DoS) policies, multicast policies, and local policies for traffic where the FortiGate itself is the source or destination, among others.

The deny action drops the packet and ends processing.  The accept action lets the session through and applies any further processing configured on the policy, such as NAT or inspection by security profiles (antivirus scanning or web filtering, for instance).
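The following is an added example, not configuration from the original article, showing how the pieces described above fit together in the FortiOS CLI: address and schedule objects, a specific deny placed above a broader accept, and NAT plus logging on the accepting policy.  Interface names (port1 as WAN, port2 as LAN, port3 as DMZ), subnets, object names, and policy IDs are assumptions for illustration.

```fortios
# Added example (not from the original article). Interface names, subnets,
# object names and policy IDs are assumed for illustration.

# Address objects referenced by the policies below.
config firewall address
    edit "LAN_NET"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "DMZ_MGMT"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "Updates_FQDN"
        set type fqdn
        set fqdn "updates.example.com"
    next
end

# Recurring schedule: weekdays, 08:00 to 18:00.
config firewall schedule recurring
    edit "Business_Hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

config firewall policy
    # Specific deny: LAN hosts may not reach the DMZ management subnet.
    # Logged so that violations are visible.
    edit 10
        set name "Deny_LAN_to_DMZ_Mgmt"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "LAN_NET"
        set dstaddr "DMZ_MGMT"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
    next
    # Broad accept: LAN to Internet for web and DNS during business hours,
    # with source NAT to the WAN interface address and full session logging.
    edit 20
        set name "LAN_to_Internet_Web"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set schedule "Business_Hours"
        set service "HTTP" "HTTPS" "DNS"
        set action accept
        set nat enable
        set logtraffic all
    next
    # Policy IDs do not set evaluation order; the list sequence does.
    # Make sure the deny is evaluated before the accept.
    move 10 before 20
end
```

Anything from LAN_NET that matches neither policy, for example SSH to the Internet outside business hours, falls through to the implicit deny, which is not shown because it exists by default; its logging is enabled separately via Log Violation Traffic on the Implicit Deny policy.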

Learning mode lets you deploy the FortiGate in a monitor-only fashion.  All traffic matching a learning-mode policy is permitted and fully logged, so you can see the data gathered about every flow traversing the device.  The Learning Reports page summarizes these logs to assist in building your firewall policies.  Because all packets are permitted in this mode, treat it as a temporary step during deployment rather than a production configuration.

Be mindful that policy and object changes, including deletions, take effect immediately.  An untested change can cause an outage, so plan and test all modifications carefully and implement them during a maintenance window.


FortiGate devices are powerful firewalls that offer both traditional and next-generation features to help secure your network.


By:
James Prendergast

CCIE #51060
