Firewall Policies

Firewall Policies

The firewall policies of the FortiGate are one of the most important aspects of the appliance. There are a lot of building blocks and configurations involved in setting up a firewall and it within the policies that a lot of these components come together to form a cohesive unit to perform the firewall’s main function, analyzing network traffic and responding appropriately to the results of that analysis.

There are a few different kinds of policies and in most cases these are further divided into IPv4 and IPv6 versions:

  • IPv4 Policy – used for managing traffic going through the appliance using IPv4 protocols l IPv6 Policy – used for managing traffic going through the appliance using IPv6 protocols l NAT64 Policy – used for managing traffic going through the appliance that converts from IPv6 on the incoming interface to IPv4 on the outgoing interface
  • NAT46 Policy – used for managing traffic going through the appliance that converts from IPv4 on the incoming interface to IPv6 on the outgoing interface
  • Multicast Policy – used to manage traffic sent to multiple destinations l IPv4 Access Control List – used to filter out packets based on specific IPV4 parameters. l IPv6 Access Control List – used to filter out packets based on specific IPV6 parameters. l IPv4 DoS Policy – used to prevent malicious or flawed packets on an IPv4 interface from denying access to users. l IPv6 DoS Policy – used to prevent malicious or flawed packets on an IPv6 interface from denying access to users.

Because the policy determines whether or not NAT will be used, it is also import to look at how to configure: l Central SNAT – used for granular controlling when NATing is in use.

Viewing Firewall Policies

To find a Policy window, follow one of these path in the GUI:

  • Policy & Objects> IPv4 Policy l Policy & Objects> IPv6 Policy l Policy & Objects> NAT64 Policy l Policy & Objects> NAT46 Policy l Policy & Objects> Proxy Policy l Policy & Objects> Multicast Policy

You may notice other policy options on the left window pane such as:

  • Policy & Objects> IPv4 DoS Policy l Policy & Objects> IPv6 DoS Policy l Policy & Objects> Local InPolicy

These are different enough that they have their own descriptions in the sections that relate to them.

Viewing Firewall Policies

Menu Items

There are some variations, but there are some common elements share by all of them. There is a menu bar across the top. The menu bar will have the following items going from left to right:

l Create New button l Edit button l Delete button l Search field l Interface Pair View– Displays the policies in the order that they are checked for matching traffic, grouped by the pairs of Incoming and Outgoing interfaces. For instance, all of the policies referencing traffic from WAN1 to DMZ will be in one section. The policies referencing traffic from DMZ to WAN1 will be in another section. The sections are collapsible so that you only need to look at the sections with policies you are interested in. l By Sequence– Displays the policies in the order that they are checked for matching traffic without any grouping.

Menu items not shared by all policies

l Policy Lookup – (IPv4, IPv6 ) l NAT64 Forwarding – (NAT64)

The Table of Policies

Columns

The tables that make up the Policy window are based on rows which represent individual policies and the columns that represent the various parameters or status within the policy. The columns are customizable by which columns are included and what order they are in.

The table can be laid out a number ways to suit the viewer. There is a column for most of the important pieces of information that you might be interested in seeing, but a lot of them are hidden by default. If you had a large enough screen, you might be able to show all of the columns, but even then it might look a bit busy and crammed together. Figure out which pieces of information are most important to you and hide the rest.

To configure which columns are visible and which are hidden, right click on the header row of the table. This will present a drop down menu. The drop down will be divided into sections. At the top will be the Selected Columns which are currently visible, and the next section will be Available Columns which show which columns are available to add to the table.

To move a column from the Available list to the Selected list just click on it. To move a column from the Selected list to the Available list, it also just takes a click of the mouse. To make the changes show up on the table, go to the bottom of the drop down menu and select Apply. Any additions to the table will show up on the right side.

One of the more useful ones that can be added is the ID column. The reason for adding this one is that within the configuration file and CLI, the policies are referenced by their ID number. Some policy settings are only available for configuration in the CLI. If you are looking in the CLI you will see that the only designation for a policy is its number and if you wish to edit the policy or change its order in the sequence you will be asked to move it before or after another policy by referencing its number.

Policy Names

How “Any” policy can remove the Interface Pair View

The FortiGate unit will automatically change the view on the policy list page to By Sequence whenever there is a policy containing “any” as the Source or Destination interface. If the Interface Pair View is grayed out it is likely that one or more of the policies has used the “any” interface.

By using the “any” interface, the policy should go into multiple sections because it could effectively be any of a number of interface pairings. As mentioned, policies are sectioned by using the interface pairings (for example, port1 -> port2) and each section has its own specific policy order. The order in which a policy is checked for matching criteria to a packet’s information is based solely on the position of the policy within its section or within the entire list of policies as a whole but if the policy is in multiple sections at the same time there is no mechanism for placing the policy in a proper order within all of those sections at the same time because it is a manual process and there is no parameter to compare the precedence of one section or policy over the other. Thus a conflict is created. In order to resolve the conflict the FortiGate firewall removes that aspect of the sections so that there is no need to compare and find precedence between the sections and it therefore has only the Global View to work with.

Policy Names

Each policy has a name field. Every policy name must be unique for the current VDOM regardless of policy type. Previous to FortiOS 5.4, this field was optional.

On upgrading from an earlier version of FortiOS to 5.4, policy names are not assigned to old policies, but when configuring new policies, a unique name must be assigned to the policy.

Configuring the Name field

GUI

In the GUI, the field for the policy name is the first field on the editing page.

CLI

In the CLI, the syntax for assigning the policy name is:

config firewall [policy|policy6] edit 0 set name <policy name> end

Disabling Policy name requirement

While by default the requirement of having a unique name for each policy is the default, it can be enabled or disabled. Oddly enough, if disabling the requirement is a one time thing, doing it in the CLI is more straightforward.

 

IPv4

This setting is VDOM based so if you are running multiple VDOMs, you will have to enter the correct VDOM before entering the CLI commands or turning the feature on or off in the GUI.

GUI

To edit the requirement in the GUI, the ability to do so must be enabled in the CLI. The syntax is:

config system settings set gui-allow-unnamed-policy [enable|disable] end

Once it has been enabled, the requirement for named policies can be relaxed by going to System > Feature Visibility. Allow Unnamed Policies can be found under Additional Features. Here you can toggle the requirement on and off.

CLI

To change the requirement in the CLI, use the following syntax:

config system settings set gui-advance policy [enable|disable] end

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Firewall Policies

  1. alian944

    hi,
    The order of policy can reduce the performance of the firewall? We need to respect an order for the policies with the most hits?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.