kproffitt
New Member
November 15, 2013
Question

Multiple sources and destinations?

  • 3 replies
  • 7090 views
When hammering out the config file for the FortiGate 1000C that I'm working on, some interesting questions came up. Many of the rules I'm writing are bi-directional between two addresses or address groups. When writing a single policy, is it possible to:

1.) Specify multiple srcaddrs?
    set srcaddr srcaddr1 srcaddr2 ... srcaddrN
2.) Specify multiple dstaddrs?
    set dstaddr dstaddr1 dstaddr2 ... dstaddrN
3.) Specify multiple services?
    set service service1 service2 ... serviceN
4.) Specify multiple interfaces?
    set srcintf srcintf1 srcintf2 ... srcintfN
    set dstintf dstintf1 dstintf2 ... dstintfN

If not, I would simply have to copy-pasta the rules and swap some stuff around in order to allow reverse traffic. Not a big deal with some shell magic, but still a little painful.


    Jordan_Thompson_FTNT
    Staff
    November 15, 2013
    1, 2 and 3 are possible in most releases. 4 (multiple interfaces) is possible only in FortiOS 5.0.3 and newer.
    emnoc
    New Member
    November 16, 2013
    For multiple addresses you want to look at the firewall address groups. For services, you can look at service groups.
    ede_pfau
    SuperUser
    November 16, 2013
    #4 is possible in quite every release of FortiOS, via zones. A zone is a container for interfaces which can be used like a standard interface. But there might be restrictions if you have to use an interface as such in policy A and as part of a zone in policy B. Apart from that, are you sure that you have to have reverse policies for each and every policy? A policy does not allow traffic flow but session setup. A session includes the initial request and the reply traffic. In projects I usually encounter reverse policies only between HQ and branch offices (via VPN tunnel) so that each side can open the tunnel. And that's not even the rule but the exception.
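The points raised across the thread (multiple srcaddr/dstaddr/service entries in one policy, address and service groups, a zone standing in for several interfaces, and a single stateful policy covering the reply traffic) put together as one FortiOS CLI configuration. This is an added example written for this page, not config posted by any of the participants; every object name, interface name, subnet and policy ID (port1, port3, port4, HQ_LAN, Branch_A, Branch_B, DMZ_Servers, Mgmt_Services, DMZ_Zone, policy 10) is an assumed placeholder, and the syntax matches FortiOS 5.x-era CLI as used in the replies above.

```fortios
# Added example (not from the original thread); all names below are placeholders.

# Address objects; the groups and the policy reference these by name.
config firewall address
    edit "HQ_LAN"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "Branch_A"
        set subnet 10.2.0.0 255.255.0.0
    next
    edit "Branch_B"
        set subnet 10.3.0.0 255.255.0.0
    next
    edit "DMZ_Servers"
        set subnet 192.168.100.0 255.255.255.0
    next
end

# Address group (emnoc's suggestion): one name that expands to many addresses.
config firewall addrgrp
    edit "Branch_Nets"
        set member "Branch_A" "Branch_B"
    next
end

# Service group: limits the policy to exactly the protocols/ports that are needed.
config firewall service group
    edit "Mgmt_Services"
        set member "HTTPS" "SSH"
    next
end

# Zone (ede_pfau's suggestion): a container for interfaces usable like one interface.
# Caveat from the thread: once port3/port4 are zone members, reference the zone in
# policies rather than the individual ports.
config system zone
    edit "DMZ_Zone"
        set interface "port3" "port4"
    next
end

# One policy with several srcaddr entries (a plain address and a group),
# a service group, and a zone as the destination interface.
# Reply packets of sessions this policy accepts are matched by the session
# table, so no mirror-image "reverse" policy is needed for the DMZ servers to
# answer HQ or branch clients; a reverse policy is only needed when the DMZ
# side must *initiate* connections toward those networks.
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "DMZ_Zone"
        set srcaddr "HQ_LAN" "Branch_Nets"
        set dstaddr "DMZ_Servers"
        set service "Mgmt_Services"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

The `set ... "a" "b"` space-separated list form is what the question asks about (points 1 to 3); the zone covers point 4 on releases older than the 5.0.3 multi-interface support Jordan mentions. Keeping `logtraffic all` on a policy that spans several networks makes it straightforward to review which source actually used the rule when the address or service lists are later trimmed.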