FortiGate Firewall Policies:

o FortiGate firewalls use security (firewall) policies to either accept or deny traffic.
o The policy rules are compared against incoming traffic in sequence number order.
o Traffic is processed by the security policy top-down.
o Rules are evaluated from top to bottom; once a match is found, no further evaluation is done.
o If a rule does not match, the FortiGate keeps looking for a match until the last rule has been evaluated.
o Traffic that matches no user-defined rule falls to the predefined default rule shown at the bottom of the rulebase (the Implicit Deny policy, ID 0).
o If no match is found at all, the session is dropped.
o When a policy accepts traffic a session is established, and that session carries the bidirectional data flow.
o Security policy rules can be reordered, disabled, deleted, added and cloned.
o A schedule on a policy rule sets the times at which the rule is allowed to match.
o The firewall policy is the axis around which most FortiGate features revolve; many firewall settings relate to or are associated with firewall policies.
o Any traffic going through a FortiGate unit has to be associated with a policy.
o Policies are essentially classified sets of instructions that control the traffic flow going through the unit: where the traffic goes, how it is processed, whether it is processed at all, and whether or not it is allowed to pass.
o When the firewall receives a connection packet it analyzes the source and destination address and the service (by port number).
o It also registers the incoming interface, the outgoing interface it needs to use (determined by the route lookup on the destination) and the time of day.
o Using this information the FortiGate attempts to locate a security policy that matches the packet.
o If a policy matches these parameters, the FortiGate takes the action required by that policy.
o The two basic actions at the initial connection are Accept and Deny.
o If the action is Accept, the policy permits the communication session and the traffic is allowed to proceed to the next processing step.
o An Accept policy may carry other packet processing instructions, such as requiring authentication to use the policy, or restrictions on the source and destination of the traffic.
o If the action is Deny, the policy blocks the communication session and can optionally log the denied traffic.
o If the action is Deny, or no security policy matches the traffic, the packets are dropped.
o An explicit Deny security policy is needed when denied traffic, called violation traffic, has to be logged.

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717


Firewall Policy Parameters:
o For traffic to flow through the firewall there must be a policy that matches its parameters.
Incoming Interface(s):
o The interface or interfaces by which the traffic first enters the FortiGate unit.
o The incoming interface is not limited to the physical Ethernet ports found on the device.
o It can also be a logical or virtual interface, such as a VPN tunnel.
Outgoing Interface(s):
o After the firewall has processed the traffic it needs to leave by an interface to reach its destination.
o The outgoing interface(s) is the interface or interfaces the traffic leaves by.
o Like the incoming interface, it is not limited to physical interfaces.
Source Address(es):
o The addresses a policy can receive traffic from can be wide open or tightly controlled.
o For a public web server that the world at large should be able to reach, the best choice is "all".
o If the destination is a private server that only the company's branch offices should reach, or a list of internal computers are the only ones allowed to access an external resource, then a group of preconfigured address objects is the better strategy.
o There are additional parameters under Source Address, though they are not mandatory:
Source User(s):
o This parameter is based on user identity, which can come from a number of authentication authorities.
o It is an account or group that has been set up in advance and is selected from a menu.
o The exception is the feature that allows importing LDAP users; when it is used, a small wizard window guides the user through the setup.
Source Device Type:
o This parameter limits the traffic-sending devices to those the FortiGate is familiar with.
o Its contents must be preconfigured objects, defined at User & Device > Custom Devices & Groups.
o It can limit the devices that can connect through this policy to specific MAC addresses that are already known by the FortiGate and approved for the policy.
Destination Address(es):
o In the same way that the source address may need to be limited, the destination address can also be used as a traffic filter.
o When traffic is destined for internal resources, the specific address of the resource can be defined to better protect the other resources on the network.
o One specialized destination address option is a Virtual IP (VIP), which maps an external address to an internal server.
Internet Service(s):
o In this context an Internet Service is a combination of one or more addresses and one or more services associated with a service found on the Internet.
o An example of an Internet Service is the update service for a piece of software.

Schedule:
o The time frame applied to the policy.
o This can be something as simple as a time range during which sessions are allowed to start, such as between 8:00 am and 5:00 pm.
o Something more complex can be set, like business hours that include a break for lunch.
Service:
o The service or services chosen here represent the TCP/IP suite port numbers most commonly used to transport the named protocol or group of protocols.
o This is different from Application Control, which looks more closely at the packets to determine the actual application.

o Without all six of these things (incoming interface, outgoing interface, source, destination, schedule and service) matching, the traffic is declined by the firewall.
o Each traffic flow requires a policy, and the direction is important as well.
o That packets may go from one point to another on port X does not mean that connections may be initiated the other way.
o A policy must be configured for each direction in which sessions are initiated.
o When designing a policy there is often a reference to the traffic flow, but most communication is a two-way connection, so determining the direction can be confusing.
o For HTTP or HTTPS web traffic the user sends a request to the web server; however, most of the traffic volume flows from the web server back to the user.
o Is the flow considered to be from the user to the website, from the website to the user, or both?
o For the purpose of determining the direction of a policy, the important factor is the direction of the initial connection.
o The user sends the request, so this is the initial communication and the web server is just responding to it; the policy is therefore from the user's network to the Internet outside.
o A case where either side can initiate communication, such as between two internal interfaces on the FortiGate unit, is the more likely situation to require a policy for each direction.
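The evaluation described in the notes above, modelled in Python as an added example: top-down sequence order, first match wins, all six parameters must match, the schedule is checked when the session starts, the Implicit Deny is policy 0, and replies ride the established session so a LAN-to-WAN browsing policy needs no WAN-to-LAN twin. This is not FortiOS code and is not part of the original notes; the routing table, interface names, addresses, services and the three sample policies are constructed for illustration, and the hits counter stands in for the Hit Count column of the policy table. The lookup_policy function is also what the Policy Lookup tool on the policy list page reports when given a source interface and a 5-tuple.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table: the outgoing interface comes from a route lookup on the
# destination address, and that interface is what a policy's dstintf is matched against.
ROUTES = [(ip_network("10.0.0.0/24"), "lan"),
          (ip_network("172.16.0.0/24"), "dmz"),
          (ip_network("0.0.0.0/0"), "wan")]

def egress_interface(dst):
    """Longest-prefix match; the default route guarantees a result."""
    return max((r for r in ROUTES if ip_address(dst) in r[0]),
               key=lambda r: r[0].prefixlen)[1]

# A recurring schedule is a tuple of (weekday, start_hhmm, end_hhmm) windows; None is
# the built-in "always". Business hours here are Mon-Fri with a 12:00-13:00 lunch break.
BUSINESS_HOURS = tuple((day, start, end) for day in range(5)
                       for start, end in ((800, 1200), (1300, 1700)))

def schedule_active(windows, when):
    if windows is None:
        return True
    hhmm = when.hour * 100 + when.minute
    return any(d == when.weekday() and s <= hhmm < e for d, s, e in windows)

ANY_ADDR = (ip_network("0.0.0.0/0"),)      # the "all" address object
ANY_SVC = frozenset({("any", 0)})          # the "ALL" service object

@dataclass
class Policy:
    id: int
    name: str
    srcintf: frozenset      # interface names, or {"any"}
    dstintf: frozenset
    srcaddr: tuple          # ip_network objects
    dstaddr: tuple
    service: frozenset      # (protocol, destination port) pairs
    action: str             # "accept" or "deny"
    schedule: object = None
    hits: int = 0           # the Hit Count column of the policy table

# A packet as the firewall sees it: arrival interface plus the 5-tuple and the time.
Packet = namedtuple("Packet", "in_intf src dst proto sport dport when")

# Policy ID 0, the implicit deny at the bottom of the rulebase: it matches everything.
IMPLICIT_DENY = Policy(0, "Implicit Deny", frozenset({"any"}), frozenset({"any"}),
                       ANY_ADDR, ANY_ADDR, ANY_SVC, "deny")

def lookup_policy(policies, pkt):
    """Top-down, first-match evaluation of the six-tuple. Given an incoming
    interface and a 5-tuple this is what the GUI Policy Lookup tool reports."""
    out_intf = egress_interface(pkt.dst)
    for p in policies:                                  # sequence order
        if (("any" in p.srcintf or pkt.in_intf in p.srcintf)
                and ("any" in p.dstintf or out_intf in p.dstintf)
                and any(ip_address(pkt.src) in n for n in p.srcaddr)
                and any(ip_address(pkt.dst) in n for n in p.dstaddr)
                and (("any", 0) in p.service or (pkt.proto, pkt.dport) in p.service)
                and schedule_active(p.schedule, pkt.when)):
            return p                                    # first match wins
    return IMPLICIT_DENY

class Firewall:
    def __init__(self, policies):
        self.policies = policies
        self.sessions = {}     # 5-tuple of the initiating packet -> policy id

    def process(self, pkt):
        """Return (verdict, policy_id). Only the first packet of a session is matched
        against the rulebase; replies ride the existing session in either direction,
        which is why a LAN-to-WAN browsing policy needs no WAN-to-LAN twin."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key in (fwd, rev):
            if key in self.sessions:
                return "accept", self.sessions[key]
        policy = lookup_policy(self.policies, pkt)
        policy.hits += 1
        if policy.action == "accept":
            self.sessions[fwd] = policy.id
            return "accept", policy.id
        return "deny", policy.id   # an explicit deny policy, or the implicit deny

def build_demo_firewall():
    """Constructed sample rulebase; interface names and addresses are illustrative."""
    lan = (ip_network("10.0.0.0/24"),)
    web_server = (ip_network("172.16.0.10/32"),)
    web = frozenset({("tcp", 80), ("tcp", 443)})
    return Firewall([
        Policy(1, "LAN-to-WAN-web", frozenset({"lan"}), frozenset({"wan"}),
               lan, ANY_ADDR, web, "accept", BUSINESS_HOURS),
        Policy(2, "WAN-to-DMZ-https", frozenset({"wan"}), frozenset({"dmz"}),
               ANY_ADDR, web_server, frozenset({("tcp", 443)}), "accept"),
        # Explicit deny placed above the implicit one so LAN-to-DMZ violation traffic
        # can be logged by a policy of its own.
        Policy(3, "LAN-to-DMZ-deny", frozenset({"lan"}), frozenset({"dmz"}),
               lan, ANY_ADDR, ANY_SVC, "deny"),
    ])
```

Feeding build_demo_firewall() a LAN host's HTTPS request on a Monday morning returns ("accept", 1); the server's reply arriving on wan is accepted through the session with no WAN-to-LAN policy, while a fresh connection from the Internet to the same host falls to policy 0. The same request during the lunch break also falls to policy 0, because the schedule is checked when the session starts and nothing below policy 1 matches. Because lookup stops at the first match, inserting a broad LAN-to-any Accept above policy 3 silently shadows that deny: moving policies in the list changes what the firewall allows, it is not cosmetic.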

Parameter - Description
Name - Configuration name, valid characters with no spaces.
Incoming Interface - Select the interface that receives the traffic.
Outgoing Interface - Select the interface that forwards the traffic.
Source - Select a source address object to use to form the matching tuple.
Destination - Select a destination address object to use to form the matching tuple.
Schedule - Time frame that is applied to the policy.
Service - Select a service object to use to form the matching tuple.
Action - Deny: drop the traffic. Accept: allow the traffic to pass the firewall.
Inspection Mode - Select Flow-based or Proxy-based to operate in that mode.

Policy Views:
Interface Pair View:
o Interface Pair View displays the policies in the order they are checked for matching traffic, grouped by the pairs of incoming and outgoing interfaces.
o For example, all policies for traffic from LAN to WAN are in one section, and the policies for traffic from the DMZ to WAN are in another section.
o The sections are collapsible, so you only need to look at the sections you want.
o Interface Pair View is the default display on the FortiGate.
o You can switch between the two views, except when "any" or multiple interfaces are used in a policy.
o If the view selector is grayed out, it is likely that one or more policies use "any" or multiple interfaces.

By Sequence:
o By Sequence displays the policies in the order they are checked for matching traffic, without any grouping.
o The FortiGate automatically changes the policy list page to By Sequence whenever a policy contains "any" or multiple interfaces as its incoming or outgoing interface.
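An added illustration, not FortiOS code and not from the original notes, of how the two views relate to the evaluation order: the list is grouped per incoming/outgoing interface pair only when every policy names exactly one interface on each side, and grouping never changes the sequence order within a pair. The SAMPLE rulebase is constructed for the example.

```python
from collections import OrderedDict

def policy_view(policies):
    """policies: (id, srcintf, dstintf) triples in sequence order, where srcintf and
    dstintf are tuples of interface names. Returns the view the GUI would present and
    the policy IDs in display order: grouped per interface pair when every policy
    names exactly one incoming and one outgoing interface, otherwise By Sequence."""
    any_or_multi = any("any" in src or "any" in dst or len(src) > 1 or len(dst) > 1
                       for _, src, dst in policies)
    if any_or_multi:
        # Interface Pair View is greyed out; the list falls back to plain sequence order.
        return "By Sequence", [pid for pid, _, _ in policies]
    groups = OrderedDict()
    for pid, src, dst in policies:
        # Grouping does not reorder: within a pair the IDs keep their sequence order.
        groups.setdefault((src[0], dst[0]), []).append(pid)
    return "Interface Pair View", groups

# Constructed rulebase: IDs 1 and 3 are both LAN to WAN, ID 2 is DMZ to WAN.
SAMPLE = [(1, ("lan",), ("wan",)), (2, ("dmz",), ("wan",)), (3, ("lan",), ("wan",))]
```

With SAMPLE the result is Interface Pair View with the lan/wan section listing 1 then 3 and the dmz/wan section listing 2; appending a policy with two incoming interfaces or with "any" flips the result to By Sequence with the IDs in plain order.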

Policy Table:

Column Heading - Description
ID - Policy ID, assigned when the policy is created (it does not change when the policy is moved).
Name - Name of the policy.
From - Source interface or interfaces.
To - Destination interface or interfaces.
Source - Source addresses, users or device types.
Destination - Destination addresses.
Schedule - Policy schedule.
Service - Policy services.
Action - Policy action, Accept or Deny.
NAT - Policy NAT status, enabled or disabled.
Security Profiles - Security profiles applied to the policy.
Log - Traffic logging status.
Bytes - Volume of traffic that has matched the policy, in bytes.
Status - Policy status, enabled or disabled.
Hit Count - Number of times traffic has matched the policy.

Add or Remove Columns:

Right-click a column header, or click the gear icon on the left side of the header row that appears
when hovering the cursor over the headers. Select the columns to add or remove, then click Apply.

Create Column Filter:
Click the filter icon on the right side of the column header. Choose a filter type from the
available options. Enter the filter text or select from the available values, then click Apply.

Copy and Paste:


Policies can be copied and pasted to create clones. Right-click on the policy sequence number
then select Copy Policy from the pop-up menu. Right-click in the sequence number cell of the
policy that the new clone policy will be placed next to and select Paste Before or Paste After to
insert the new policy before or after the selected policy.

Editing Policies:
Policy information can be edited as required by either double clicking on the policy, selecting a
policy then selecting Edit from the toolbar, or by right-clicking on the sequence number of the
policy and selecting Edit from the right-click menu.

Policy Lookup:
o Policy lookup is based on the source interface, protocol, source address and destination address.
o It also matches the source port and destination port of the given protocol.
o Use this tool to find out which policy, among many, matches specific traffic.
o After the lookup completes, the matching firewall policy is highlighted on the policy list page.
o The usual example uses the TCP protocol to show how policy lookup works.
o On the Policy & Objects policy list page, click Policy Lookup and enter the traffic parameters.

Multiple Interface & Any Policies:
Go to System -> Feature Visibility and, under Additional Features, enable Multiple
Interface Policies, then click Apply.

After the feature is enabled, multiple interfaces or 'any' can be selected in a firewall policy on the
Graphical User Interface (GUI) and are displayed there.

Search Policy:
Type any word from the policy name, a port number, source, destination, service, etc. to search.

Policy Menu:
Right-click any policy to display a menu from which you can enable or disable the policy, filter
policies, copy and paste a policy, insert an empty policy, show the matching logs of the specific
policy, edit the selected policy, delete it and, last but not least, edit it in the CLI.

Policy ID 0 at the end of the list is the default Implicit Deny policy, which denies everything by default and cannot be deleted.
A disabled policy is grayed out with a red cross mark; a policy displayed normally is enabled.
