Contributor
December 18, 2011
Question

Firewall rules actions

Hi there, I am quite new to the Fortigate world and want to check the following. 1. If the action for the firewall rule is set to "ACCEPT", does that mean that the opposite traffic is also allowed? For example, on Cisco zone-based firewalls I have two possible actions, "PERMIT" and "INSPECT". While "INSPECT" also allows the opposite traffic, "PERMIT" allows traffic only in one direction. What are the analogues in FortiOS? Thanks!

    2 replies

    billp
    New Member
    December 19, 2011
    Yes. "Accept" allows traffic in both directions.
    ether
    New Member
    December 25, 2011
    Wow, seriously? So if I set an accept policy for Internal/all/http -> WAN/all/http, it also allows all http traffic inbound???
    billp
    New Member
    December 27, 2011
    Wow, seriously? So if I set an accept policy for Internal/all/http -> WAN/all/http, it also allows all http traffic inbound???
    First -- I hope I have understood the question here. This policy would allow all originating and RETURN traffic that originated with that firewall rule. It doesn't open up your firewall to all incoming traffic from any source. I hope that's clear. I've worked with some firewalls where it was necessary to create separate rules on both the LAN and WAN side for all traffic. Fortinet is not like that. A single rule will allow return traffic. If you want to accept traffic that originated from WAN --> LAN, you would need to explicitly create a rule for that. For example, if you had an internal web/ftp site. And this rule, conversely, would allow the corresponding LAN --> WAN return traffic that originated with that rule. Handshake -- hopefully the above answers your question as well.
    ether
    New Member
    December 27, 2011
    Ah, yes. That would make a lot more sense. Thanks for humoring me ;)
    claumakurumure
    New Member
    February 2, 2012
    To add: for incoming traffic you need to create a VIP, and in your firewall rule you do not NAT. For outgoing you need to NAT, and thus need only one firewall rule to accept return traffic (established sessions only).
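The behaviour billp and claumakurumure describe above (one ACCEPT policy admits the session's return traffic but not unsolicited inbound connections, and inbound service access needs its own WAN-to-internal policy plus a VIP) can be illustrated with a small stateful policy engine. This is an added example written for this thread, not Fortinet code and not how FortiOS is implemented internally; the interface names, addresses, session-key layout and the "accept:..."/"deny:..." result strings are all assumptions chosen for the illustration.

```python
"""Toy stateful policy engine mirroring the FortiOS behaviour described in the
thread: an accepted packet creates a session entry, packets in the reverse
direction of an existing session are accepted without their own policy, and
anything else is matched against the policy list (first match wins, implicit
deny at the end). A VIP table performs destination NAT before policy lookup.
Added example, not Fortinet code; all names and addresses are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    in_if: str       # interface the packet arrived on
    out_if: str      # interface chosen by the routing lookup
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Policy:
    src_if: str
    dst_if: str
    dst_ip: str      # "all", or the address of a VIP for inbound policies
    dst_port: int
    action: str      # "accept" or "deny"
    nat: bool = False  # source NAT flag, informational only in this toy


@dataclass
class StatefulFirewall:
    policies: list
    # (public_ip, port) -> (internal_ip, port); constructed VIP table
    vips: dict = field(default_factory=dict)
    # forward-direction 4-tuples of accepted sessions (no timeouts in this toy)
    sessions: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        # 1. Return traffic: reverse 4-tuple of a session we already accepted.
        reverse_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse_key in self.sessions:
            return "accept:session-return"
        # 2. Destination NAT through the VIP table, if the destination is a VIP.
        dst_ip, dst_port = self.vips.get(
            (pkt.dst_ip, pkt.dst_port), (pkt.dst_ip, pkt.dst_port)
        )
        # 3. Policy lookup on the pre-NAT destination; first match wins.
        for i, pol in enumerate(self.policies):
            if pol.src_if != pkt.in_if or pol.dst_if != pkt.out_if:
                continue
            if pol.dst_ip not in ("all", pkt.dst_ip):
                continue
            if pol.dst_port != dst_port:
                continue
            if pol.action == "accept":
                # Store the post-NAT tuple so the server's reply matches it.
                self.sessions.add((pkt.src_ip, pkt.src_port, dst_ip, dst_port))
                return f"accept:policy-{i}"
            return f"deny:policy-{i}"
        return "deny:implicit"


def run_scenario() -> dict:
    """Walk the thread's cases through the engine; addresses are constructed."""
    fw = StatefulFirewall(
        policies=[
            Policy("internal", "wan1", "all", 80, "accept", nat=True),  # outbound HTTP
            Policy("wan1", "internal", "192.0.2.1", 80, "accept"),      # inbound via VIP
        ],
        vips={("192.0.2.1", 80): ("10.0.0.8", 80)},
    )
    outbound = Packet("internal", "wan1", "10.0.0.5", 40000, "203.0.113.10", 80)
    reply = Packet("wan1", "internal", "203.0.113.10", 80, "10.0.0.5", 40000)
    unsolicited = Packet("wan1", "internal", "198.51.100.7", 5555, "10.0.0.5", 80)
    to_vip = Packet("wan1", "internal", "198.51.100.7", 5555, "192.0.2.1", 80)
    vip_reply = Packet("internal", "wan1", "10.0.0.8", 80, "198.51.100.7", 5555)
    return {
        "outbound": fw.handle(outbound),        # new session via policy 0
        "return": fw.handle(reply),             # accepted as return traffic
        "unsolicited": fw.handle(unsolicited),  # no inbound policy: implicit deny
        "to_vip": fw.handle(to_vip),            # VIP + inbound policy 1
        "vip_return": fw.handle(vip_reply),     # server's reply rides the session
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:12s} {verdict}")
```

The "unsolicited" case is the one ether was worried about: the outbound HTTP policy creates no session for a connection initiated from the WAN, so a packet to an internal host on port 80 falls through to the implicit deny. Only the VIP-backed inbound policy admits new WAN-originated sessions, and once such a session exists the internal server's replies are accepted on the session match rather than needing a third policy.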