johnlloyd_13
Explorer III
January 20, 2025
Question

FGT VIP and Firewall Policy Order

  • January 20, 2025
  • 3 replies
  • 1828 views

hi,

I'm going to configure a new FGT.

Is it preferred to put/configure ALL VIP/DNAT rules on top, then put ALL FW policies/SNAT afterwards?

Can someone advise what the best practice is in FGT?

3 replies

kmohan
Staff
January 20, 2025
srajeswaran
Staff
January 20, 2025

FortiGate performs the Destination NAT lookup first, then does a policy match, and only then do the source NAT rules come into the picture, so ideally the order of the DNAT/SNAT-based policies is not going to make any difference.

You may place the policies that are expected to have a high number of hits on top; this can help in scenarios where a session re-validation is required.

The document below explains the packet flow in FGT.
https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading

johnlloyd_13
Explorer III
January 20, 2025

hi,

Thanks for your responses! Appreciate it.

One last question: if I have 2x interfaces (using private IPs) in the FGT that need to communicate, do I just create 2x FW policies (only allowing specific services, i.e. 443, 53, ICMP): one outbound and one inbound WITHOUT NAT?

i.e., port 1: 192.168.1.0/24 <> FGT <> port 2: 172.16.1.0/24

srajeswaran
Staff
January 20, 2025

Ideally, creating the policy without NAT is expected to work (assuming the FGT is the gateway for these 2 subnets). If the gateway is different, you need to enable source NAT.
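An added example (not from any participant in this thread) of how the two no-NAT policies between the private subnets, plus a VIP for the DNAT case from the original question, look in the FortiOS CLI. The interface names port1/port2/port3, the address object names, the public IP 203.0.113.10 and the mapped server 192.168.1.20 are assumed values.

```fortios
# Assumed address objects for the two subnets the FGT is the gateway for.
config firewall address
    edit "net-port1-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "net-port2-lan"
        set subnet 172.16.1.0 255.255.255.0
    next
end

# DNAT object: the VIP itself is not a policy; it is matched by the
# policy below via dstaddr, which is why VIP "order" is not a concern.
config firewall vip
    edit "vip-web-443"
        set extintf "port3"
        set extip 203.0.113.10
        set mappedip "192.168.1.20"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 1
        set name "wan-to-web-vip"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set nat disable
    next
    # One policy per direction, restricted to 443/53/ICMP, no SNAT:
    # both subnets route via the FGT, so replies return without NAT.
    edit 2
        set name "port1-to-port2"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "net-port1-lan"
        set dstaddr "net-port2-lan"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS" "PING"
        set logtraffic all
        set nat disable
    next
    edit 3
        set name "port2-to-port1"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "net-port2-lan"
        set dstaddr "net-port1-lan"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS" "PING"
        set logtraffic all
        set nat disable
    next
end
```

Policy 2 and 3 each only permit sessions initiated from their srcintf side; return traffic of an accepted session is handled by the session table, so no second "reply" policy is needed per direction.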

johnlloyd_13
Explorer III
January 20, 2025

hi,

Yes, the FGT (interface IP) is the default GW for these 2x private subnets.

Just to confirm, I'll need to create 2x FW policies for inbound and outbound traffic, correct?