johnlloyd_13
Explorer III
December 21, 2024
Question

Exempt traffic/public IP subnet for FW Policy inspection


Hi,

I'm trying to create a FW policy (top-most rule) to exempt/bypass selected public IP hosts/subnets from FW policy inspection. This is for troubleshooting/logging purposes and to quickly react if a client escalates a complex issue.

Can someone confirm if the logic below is correct? Do I use the same source address (the "extempted-subnet" address group) for both the inbound and outbound rules?

Rule # | Name                           | Source Interface            | Destination Interface       | Source Address                                                       | Destination Address | Service | Action
-------|--------------------------------|-----------------------------|-----------------------------|----------------------------------------------------------------------|---------------------|---------|-------
Exemption Traffic - Inbound/Outbound
1      | Allow Exempted Subnet Inbound  | internet (egress interface) | any                         | To add customer public IP subnet in "extempted-subnet" Address Group | all                 | N/A     | Accept
2      | Allow Exempted Subnet Outbound | any                         | internet (egress interface) | To add customer public IP subnet in "extempted-subnet" Address Group | all                 | N/A     | Accept


Toshi_Esumi
SuperUser
December 21, 2024

Obviously Rule#1's Source and Destination addresses are reversed.


Toshi

johnlloyd_13
Explorer III
December 21, 2024

Hi,

Thanks for your reply!

The logic for Rule 1 (inbound) is that the source addresses coming from the public Internet are my public IP subnet/range.

So, should it be source address "all" to destination address "my public IP subnets"?

dingjerry_FTNT
Staff
December 21, 2024

Hi @johnlloyd_13,

Your info is not clear.

I assume that "extempted-subnet" is for the internal local network.

If so, you need to use it for the destination address in the inbound firewall policy and use it for the source address in the outbound firewall policy.

Imagine the traffic flow:

Inbound traffic flow is from the Internet to access the internal local network;
Outbound traffic flow is from the internal local network to access the Internet.

Durga_Ashwath
Staff
December 21, 2024

To create a top-most firewall policy on a FortiGate to exempt/bypass inspection for a selected public IP host or subnet (e.g., for troubleshooting or logging purposes), your approach can vary depending on the direction of the traffic and whether it is inbound or outbound. Here's a breakdown of the logic:

1. Key Considerations
   - Inbound traffic: This is traffic initiated from the Internet towards your internal resources.
   - Outbound traffic: This is traffic initiated from your internal network towards the Internet.
   - The source address and destination address depend on the direction of traffic you want to exempt from inspection.

2. General Rule Logic

   Inbound Traffic Exemption (From Internet to Internal Network)
   - Source Address: Public IP or subnet of the external client/device initiating the traffic (e.g., exempted-traffic-subnet).
   - Destination Address: Public IP or internal mapped IP of your FortiGate or servers behind it.
   - Action: Accept (or deny if needed for troubleshooting).
   - NAT: Disabled (unless you require SNAT).
   - Inspection: Set profiles to "None" to bypass inspection.

   Example:
   - Source: exempted-traffic-subnet
   - Destination: internal-server (mapped public IP or real IP)
   - Schedule: Always
   - Action: Accept
   - Profiles: None

   Outbound Traffic Exemption (From Internal Network to Internet)
   - Source Address: Internal subnet/IP of the device generating the traffic.
   - Destination Address: Public IP/subnet you want to exempt (e.g., exempted-traffic-subnet).
   - Action: Accept.
   - NAT: Enabled (to masquerade internal traffic as the FortiGate's WAN IP).
   - Inspection: Set profiles to "None" to bypass inspection.

   Example:
   - Source: internal-network
   - Destination: exempted-traffic-subnet
   - Schedule: Always
   - Action: Accept
   - Profiles: None

3. For Both Directions (Bi-Directional Exemption)
   If you need to exempt the same exempted-traffic-subnet for both inbound and outbound traffic:
   - Create two separate rules:
     - One for inbound traffic.
     - One for outbound traffic.
   - Alternatively, create a single rule covering both directions by defining both source and destination as exempted-traffic-subnet. This works if the same subnet is both the source (outbound) and destination (inbound).

4. Example Rule Placement
   - Place the exemption rule at the top of the policy list to ensure it is evaluated first.
   - Subsequent rules will not apply to traffic matching this exemption rule.

5. Verification
   Use FortiGate's logging to ensure traffic matches the exemption rule:
   - diagnose debug flow
   - Monitor real-time logs in Log & Report > Traffic Logs to confirm the traffic bypasses inspection.
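To make the direction point concrete, here is an added example (not from this thread, the poster, or Fortinet) that models FortiGate-style top-down, first-match policy evaluation and compares the original table's Rule 1 (exempted group as source on the inbound rule) with the corrected form (exempted group as destination). All IPs, interface names and rule names are constructed, and service, schedule and NAT matching are left out to keep the model small.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values (documentation ranges, not real hosts).
EXEMPTED_SUBNET = [ip_network("198.51.100.0/28")]  # the "extempted-subnet" address group
ANY = None                                         # stands for the FortiGate "all" object

@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str              # "any" matches every interface
    dstintf: str
    srcaddr: "list | None"    # None == "all"
    dstaddr: "list | None"

def _addr_match(addr, group):
    return group is None or any(ip_address(addr) in net for net in group)

def first_match(policies, srcintf, dstintf, src, dst):
    """Top-down first match (service/schedule/NAT omitted); None = implicit deny."""
    for p in policies:
        if (p.srcintf in ("any", srcintf) and p.dstintf in ("any", dstintf)
                and _addr_match(src, p.srcaddr) and _addr_match(dst, p.dstaddr)):
            return p.name
    return None

# Constructed flows: an Internet host reaching a customer public IP, and the reverse.
INBOUND = ("internet", "internal", "203.0.113.10", "198.51.100.5")
OUTBOUND = ("internal", "internet", "198.51.100.5", "203.0.113.10")

def evaluate(policies):
    """Which policy each direction of the exempted traffic lands on."""
    return {"inbound": first_match(policies, *INBOUND),
            "outbound": first_match(policies, *OUTBOUND)}

# Catch-all that normal, inspected traffic falls through to.
INSPECTED = Policy("Inspected Default", "any", "any", ANY, ANY)
# As in the original table: exempted group as *source* on the inbound rule, so
# Internet-originated traffic never matches it and is silently inspected instead.
ORIGINAL = [
    Policy("Allow Exempted Subnet Inbound", "internet", "any", EXEMPTED_SUBNET, ANY),
    Policy("Allow Exempted Subnet Outbound", "any", "internet", EXEMPTED_SUBNET, ANY),
    INSPECTED,
]

# Corrected: inbound traffic has the exempted range as its *destination*.
CORRECTED = [
    Policy("Allow Exempted Subnet Inbound", "internet", "any", ANY, EXEMPTED_SUBNET),
    Policy("Allow Exempted Subnet Outbound", "any", "internet", EXEMPTED_SUBNET, ANY),
    INSPECTED,
]
```

`evaluate(ORIGINAL)` shows the inbound flow landing on "Inspected Default", i.e. the bypass fails without any deny to make it visible, while `evaluate(CORRECTED)` hits the exemption rule in both directions.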

johnlloyd_13
Explorer III
December 21, 2024

Hi,

Just to confirm your item 2 (inbound rule): should I use the "extempted-subnet" address group (my public IP subnet/range/host) as both the source and destination address?


2. General Rule Logic
Inbound Traffic Exemption (From Internet to Internal Network)
Source Address: Public IP or subnet of the external client/device initiating the traffic (e.g., exempted-traffic-subnet).
Destination Address: Public IP or internal mapped IP of your FortiGate or servers behind it.