Policy views and policy lookup

This topic provides a sample of firewall policy views and firewall policy lookup.

Policy views

On the Policy & Objects policy list page, there are two policy views: Interface Pair View and By Sequence.

Interface Pair View displays the policies in the order that they are checked for matching traffic, grouped by the pairs of incoming and outgoing interfaces. For example, all policies referencing traffic from WAN1 to DMZ are in one section, and the policies referencing traffic from DMZ to WAN1 are in another section. The sections are collapsible so that you only need to look at the sections you want.

By Sequence displays policies in the order that they are checked for matching traffic without any grouping.

The default display is Interface Pair View. You can switch between the two views unless a policy uses any or multiple interfaces as its source or destination interface.

How Any or multiple-interfaces policy can change the Interface Pair View

The FortiGate unit automatically changes the view on the policy list page to By Sequence whenever there is a policy containing any or multiple interfaces as the source or destination interface. If Interface Pair View is grayed out, it is likely that one or more policies use any or multiple interfaces.

When you use any or multiple interfaces, the policy goes into multiple sections because it can match any one of a number of interface pairings. Policies are divided into sections by interface pairing, for example, port1 to port2.

Each section has its own policy order. The order in which a policy is checked for matching criteria to a packet’s information is based solely on the position of the policy within its section or within the entire list of policies. If the policy is in multiple sections, FortiGate cannot place the policy in order in multiple sections. Therefore the view can only be By Sequence.

Policy lookup

Firewall policy lookup is based on the Source_interface/Protocol/Source_Address/Destination_Address that matches the source-port and dst-port of the protocol. Use this tool to find out which policy matches specific traffic from a number of policies. After completing the lookup, the matching firewall policy is highlighted on the policy list page.

The Policy Lookup tool has the following requirements:

  • Transparent mode does not support the policy lookup function.
  • Before executing the policy lookup, confirm that the route required for the policy to work already exists.

Sample configuration

This example uses the TCP protocol to show how policy lookup works:

  1. On the Policy & Objects policy list page, click Policy Lookup and enter the traffic parameters.
  2. Click Search to display the policy lookup results.
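The ordering and lookup behaviour described above, as an added example that is not part of the guide or of FortiOS itself: a small Python model showing why a policy with an "any" interface lands in several interface-pair sections, and how a first-match lookup in sequence order depends on the route to the destination existing. The interfaces, routes and policies are constructed sample data, and service matching is simplified to a single destination port.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed sample data modelled on a FortiOS policy list; none of it is
# from a real unit. Interface "any" stands for every interface in INTERFACES.
INTERFACES = ["port1", "port2", "port3"]
ROUTES = {"192.168.10.0/24": "port3", "0.0.0.0/0": "port2"}
POLICIES = [  # list position is the sequence (check) order
    {"id": 1, "srcintf": ["port1"], "dstintf": ["port2"], "proto": "tcp",
     "srcaddr": "10.0.1.0/24", "dstaddr": "0.0.0.0/0", "dstport": 443, "action": "accept"},
    {"id": 2, "srcintf": ["any"], "dstintf": ["port3"], "proto": "tcp",
     "srcaddr": "0.0.0.0/0", "dstaddr": "192.168.10.0/24", "dstport": 22, "action": "accept"},
    {"id": 3, "srcintf": ["port1"], "dstintf": ["port2"], "proto": "tcp",
     "srcaddr": "0.0.0.0/0", "dstaddr": "0.0.0.0/0", "dstport": 80, "action": "deny"},
]

def expand(names):
    """Resolve 'any' to the full interface list."""
    return list(INTERFACES) if "any" in names else names

def interface_pair_sections(policies):
    """Group policy IDs by (incoming, outgoing) pair as Interface Pair View does.
    A policy using 'any' or several interfaces appears in every pair it covers,
    so it has no single position and the GUI falls back to By Sequence."""
    sections = {}
    for p in policies:
        for pair in product(expand(p["srcintf"]), expand(p["dstintf"])):
            sections.setdefault(pair, []).append(p["id"])
    return sections

def route_lookup(dst):
    """Longest-prefix match; None when no route exists, which is why the
    policy lookup requires the route to be present first."""
    hits = [n for n in ROUTES if ip_address(dst) in ip_network(n)]
    return ROUTES[max(hits, key=lambda n: ip_network(n).prefixlen)] if hits else None

def policy_lookup(srcintf, proto, src, dst, dstport):
    """First policy in sequence order matching the traffic parameters, or None."""
    dstintf = route_lookup(dst)
    if dstintf is None:
        return None
    for p in POLICIES:
        if (srcintf in expand(p["srcintf"]) and dstintf in expand(p["dstintf"])
                and proto == p["proto"] and dstport == p["dstport"]
                and ip_address(src) in ip_network(p["srcaddr"])
                and ip_address(dst) in ip_network(p["dstaddr"])):
            return p["id"]
    return None

if __name__ == "__main__":
    print(interface_pair_sections(POLICIES))
    print(policy_lookup("port1", "tcp", "10.0.1.5", "192.168.10.7", 22))
```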
This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
