Fullmoon
New Member
November 13, 2018
Question

firewall policy creation

  • 2 replies
  • 3518 views

I'm trying my best to adapt to how FortiGate works in my network, especially in firewall policy. This question boggles me: which section of Life of a Packet explains why we need to create a reverse policy if traffic originates from the LAN to another local network and vice versa, whereas LAN-to-external traffic doesn't require a reverse rule to send the reply back to the original sender?

Could anyone point me in the right direction? Thank you.


    emnoc
    New Member
    November 14, 2018

    What do you mean by reverse policy? Traffic is stateful and the firewall maintains "state" (tcp.ack.seq.src/dst-port ...). I have never created a reverse policy, btw.

    Maybe if you were running asymmetrical, which is not good and defeats the purpose of a stateful FW.

    Ken Felix

    sw2090
    SuperUser
    November 14, 2018

    You need a reverse rule/policy only if you have native traffic coming in this direction.

    To simplify:

    If you just want to reach a PC in the other subnet, you need a forward policy from your net to the other one but no reverse rule/policy. That would be native traffic from you to there. This includes answers to your packets.

    If the PC in the other net should be able to contact you itself, you need a reverse rule too, since that would be native traffic from there to you.

    Additionally, if you enabled NAT in your policy, you also don't need a reverse rule/policy at all, since NAT does that for you already ;)
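As an added example (not code from the thread or from Fortinet), a toy Python model of what both replies describe: an accepted forward policy creates a session entry that also admits the reply packets, while a connection initiated from the other subnet has no session and no matching policy, so only a reverse policy lets it through. Zone names, subnets, ports and the 203.0.113.9 address are constructed; NAT is not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    action: str = "accept"

class StatefulFirewall:
    def __init__(self, zones, policies):
        # zones: (network, zone name) pairs; longest prefix wins
        self.zones = sorted(((ipaddress.ip_network(n), z) for n, z in zones),
                            key=lambda nz: nz[0].prefixlen, reverse=True)
        self.policies = policies      # ordered list, first match wins
        self.sessions = set()         # session table of accepted 4-tuples

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, zone in self.zones:
            if addr in net:
                return zone
        return "unknown"

    def handle(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        reply_of = (dst_ip, dst_port, src_ip, src_port)
        # Packets of an existing session skip policy lookup entirely; the
        # reply direction matches the entry created by the forward packet.
        if key in self.sessions or reply_of in self.sessions:
            return "accept (existing session)"
        src_zone, dst_zone = self.zone_of(src_ip), self.zone_of(dst_ip)
        for p in self.policies:
            if (p.src_zone, p.dst_zone) == (src_zone, dst_zone):
                if p.action == "accept":
                    self.sessions.add(key)
                    return f"accept (policy {src_zone}->{dst_zone})"
                return f"deny (policy {src_zone}->{dst_zone})"
        return "deny (implicit deny, no matching policy)"

def demo():
    fw = StatefulFirewall(
        zones=[("10.1.0.0/24", "lan_a"), ("10.2.0.0/24", "lan_b"), ("0.0.0.0/0", "wan")],
        policies=[Policy("lan_a", "lan_b"), Policy("lan_a", "wan")])
    return [fw.handle("10.1.0.5", 40000, "10.2.0.7", 22),      # A opens SSH to B
            fw.handle("10.2.0.7", 22, "10.1.0.5", 40000),      # B's reply
            fw.handle("10.2.0.7", 50000, "10.1.0.5", 445),     # B initiates to A
            fw.handle("10.1.0.5", 40001, "203.0.113.9", 443),  # A to internet
            fw.handle("203.0.113.9", 443, "10.1.0.5", 40001)]  # internet reply
```

The third result is the case the thread is about: B's own connection attempt is dropped until a lan_b->lan_a (reverse) policy exists, even though B's replies to A's session were accepted.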