Markus_Albisser
New Member
April 5, 2019
Solved

Access list versus Next-Gen firewall?

  • April 5, 2019
  • 1 reply
  • 4683 views

Hi all

We soon will start with Fortinet NGFW devices in our company. We have an internal discussion about how to protect the inside -> out traffic which passes this new Fortinet. Until now, we had a Cisco device with "ip inspect" or "ZBFW" enabled. But this was not an NGFW with additional security features, therefore we had an access list on the inside interface which just allowed the well-known traffic to the Internet. In general, this was the source address of the proxy server plus several applications which needed direct access.

Now it comes to the question: do we still need this ACL on the inside interface? There are NGFW features now which protect and control the traffic. And is an ACL still the correct way, as this "only" goes on destination IP addresses/ports and not on applications? Is it worth doing this additional work to have another security layer from inside -> out?

I am wondering how other companies handle this topic, whether it is good enough to have the NGFW in place or whether any other features are in place.

I really appreciate your feedback. Thanks a lot!

Markus

    1 reply

    lobstercreed
    New Member
    April 5, 2019

    I'm not sure I've fully wrapped my head around your old setup, but I definitely see no reason for that additional layer with a FortiGate. We actually do use very restrictive firewall policies for outbound traffic to only allow the well-known traffic you're talking about. Basically, in my experience, if there's a design you want to achieve, the FortiGate is capable of doing it... it just might take some learning how it works.

    emnoc
    emnocAnswer
    New Member
    April 5, 2019

    The firewall will only allow the traffic that you allow in the policy rules and will conduct the inspections based on what you tell it to inspect (URL, AV, AS, etc.).

    BTW: You are confusing the two; a Cisco ZBFW is not a layer-7-aware security function.

    Ken Felix

     
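What both replies describe, as an added example that is not from the thread: the old inside ACL's allow-list (proxy source plus the few applications needing direct access) becomes FortiGate policies with inspection profiles attached, and the FortiGate's implicit deny drops everything else. Interface names, addresses and the vendor destination are constructed placeholders (FortiOS CLI).

```fortios
# Constructed placeholders: port1 = inside, port2 = Internet, addresses are examples.
config firewall address
    edit "PROXY_SRV"
        set subnet 10.0.10.5 255.255.255.255
    next
    edit "ERP_APP_SRV"
        set subnet 10.0.20.7 255.255.255.255
    next
    edit "VENDOR_API"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall policy
    # Proxy is the only general web egress; L7 profiles inspect what the L4 ACL could not see.
    edit 10
        set name "proxy-to-internet"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "PROXY_SRV"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set logtraffic all
    next
    # Application needing direct access: pinned to destination and port, still inspected.
    edit 20
        set name "erp-to-vendor-api"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "ERP_APP_SRV"
        set dstaddr "VENDOR_API"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
    # No catch-all accept: inside -> out traffic not matched above hits the implicit deny.
end
```

Logging is set to all on each policy so that the outbound allow-list can be audited from the traffic log rather than inferred from ACL hit counters.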

    Markus_Albisser
    New Member
    April 8, 2019

    Hi Lobstercreed and Kevin

    Thank you for your inputs here. Indeed, there is this new inspection we will have with FortiGate; our current setup with the Cisco ISR routers is not L7 aware, it is only up to layer 4. And because we then have the FortiGate as an NGFW, I would assume a further restriction to destination IP addresses/ports is no longer needed.

    So did I get it right from your statement that you support a setup where the NGFW features are enabled in the FortiGate and no additional restrictions on the inside -> out path based on destination IP addresses and ports are needed?


    Thank you

    Markus