fernet17
New Member
December 8, 2017
Question

Policy order

  • December 8, 2017
  • 2 replies
  • 9095 views

Hi,

it appears to me that setting the firewall policies generating the largest traffic volumes on top of the rule set would make most sense. However, this is not mentioned in the "Forti OS Handbook - Firewall" nor in any best practice document I've found. Is this of no concern or is it even so obvious that it is not mentioned?


Thanks!

Ueli

    2 replies

    Markus
    New Member
    December 12, 2017

    Hi Ueli, it's (more or less) of concern (depends on traffic/model) and it still makes sense.


    Best,

    Markus

    tanr
    New Member
    December 12, 2017

    A few important notes on this.


    If your policies are all specified by interface --> interface (that is, you don't have policies that include "any" interface) then I think (others may correct me) that the FortiGate can quickly focus on just the rules for the incoming and outgoing interface.


    Probably obvious, but remember that though you can try to have policies that involve larger traffic volumes listed earlier, you must have the more specific rules come before more general rules, otherwise the more specific rules won't get matched.
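    The two constraints in this reply (top-down first match, and specific rules before general ones) can be checked mechanically before a reorder is pushed to a firewall. The following is an added example, not FortiOS code or anything from the original thread: a toy first-match evaluator with a shadowing check that reports any policy fully covered by an earlier one, plus a helper that confirms a volume-driven reorder still yields the same decisions for a set of sample flows. Policy and flow values are constructed for illustration.

```python
"""Toy first-match policy evaluator with shadowing detection (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str            # interface name, or "any"
    dst_intf: str
    src: str                 # CIDR, e.g. "10.0.0.0/8"; "0.0.0.0/0" means all
    dst: str
    dst_port: Optional[int]  # None means ALL services
    action: str              # "accept" or "deny"


@dataclass(frozen=True)
class Flow:
    src_intf: str
    dst_intf: str
    src_ip: str
    dst_ip: str
    dst_port: int


def _intf_ok(rule_intf: str, flow_intf: str) -> bool:
    return rule_intf == "any" or rule_intf == flow_intf


def matches(p: Policy, f: Flow) -> bool:
    """Does this single policy match the flow?"""
    return (
        _intf_ok(p.src_intf, f.src_intf)
        and _intf_ok(p.dst_intf, f.dst_intf)
        and ip_address(f.src_ip) in ip_network(p.src)
        and ip_address(f.dst_ip) in ip_network(p.dst)
        and (p.dst_port is None or p.dst_port == f.dst_port)
    )


def first_match(policies: List[Policy], f: Flow) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for p in policies:
        if matches(p, f):
            return p.name
    return "implicit-deny"


def _covers(general: Policy, specific: Policy) -> bool:
    """True if every flow matched by `specific` is also matched by `general`."""
    intf = (general.src_intf in ("any", specific.src_intf)
            and general.dst_intf in ("any", specific.dst_intf))
    nets = (ip_network(specific.src).subnet_of(ip_network(general.src))
            and ip_network(specific.dst).subnet_of(ip_network(general.dst)))
    svc = general.dst_port is None or general.dst_port == specific.dst_port
    return intf and nets and svc


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never match because an earlier policy covers them."""
    out = []
    for i, later in enumerate(policies):
        if any(_covers(earlier, later) for earlier in policies[:i]):
            out.append(later.name)
    return out


def same_decisions(a: List[Policy], b: List[Policy], flows: List[Flow]) -> bool:
    """Check that two orderings make identical first-match decisions for the flows.

    Use this to validate a reorder done for performance (e.g. moving a high-volume
    policy up) before committing it.
    """
    return all(first_match(a, f) == first_match(b, f) for f in flows)


# Constructed policies: a general outbound accept and a more specific deny.
ALLOW_ALL = Policy("lan-to-wan-any", "lan", "wan", "10.0.0.0/8", "0.0.0.0/0", None, "accept")
BLOCK_SMB = Policy("block-smb-out", "lan", "wan", "10.0.0.0/8", "0.0.0.0/0", 445, "deny")

WRONG_ORDER = [ALLOW_ALL, BLOCK_SMB]   # general first: the deny is unreachable
RIGHT_ORDER = [BLOCK_SMB, ALLOW_ALL]   # specific first: exception is honoured

# Constructed sample flows.
SMB_FLOW = Flow("lan", "wan", "10.1.2.3", "203.0.113.5", 445)
WEB_FLOW = Flow("lan", "wan", "10.1.2.3", "203.0.113.5", 443)

if __name__ == "__main__":
    print("wrong order, SMB flow ->", first_match(WRONG_ORDER, SMB_FLOW))
    print("right order, SMB flow ->", first_match(RIGHT_ORDER, SMB_FLOW))
    print("shadowed in wrong order:", shadowed(WRONG_ORDER))
    print("shadowed in right order:", shadowed(RIGHT_ORDER))
```

Running the script shows the SMB flow hitting the general accept when the deny is placed below it, and `shadowed()` flagging that deny as unreachable; in the corrected order the list is empty. The coverage check is deliberately conservative (interface, source and destination network, and service must all be subsumed), so it only reports definite shadowing, not partial overlap.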

    Iescudero
    New Member
    December 13, 2017

    Hi there!

    You're correct, fernet17. You can find the same criteria in this official document:


    https://docs.fortinet.com/uploaded/files/1954/Best_Practices_52.pdf

    Page 20:

    "...Arrange firewall policies in the policy list from more specific to more general. The firewall searches for a matching policy starting from the top of the policy list and working down. For example, a very general policy matches all connection attempts. When you create exceptions to a general policy, you must add them to the policy list above the general policy..."


    Hope it helps!

    rwpatterson
    New Member
    December 13, 2017

    fernet17 wrote:

    Hi,

    it appears to me that setting the firewall policies generating the largest traffic volumes on top of the rule set would make most sense. However, this is not mentioned in the "Forti OS Handbook - Firewall" nor in any best practice document I've found. Is this of no concern or is it even so obvious that it is not mentioned?


    Thanks!

    Ueli

    What is being missed here is the assumption that the most general policy(s) is also the largest-volume policy. We need to compare apples to apples. The highest-volume policy may not necessarily be the most general policy. The amount of volume a policy handles shouldn't be the basis of your criteria for ordering policies.

    emnoc
    New Member
    December 14, 2017

    Agreed,


    Example: I could have file transfers that generate tons of volume (SMB/SFTP/FTP/NFS/etc.), but that does not make it the more general policy.


    2nd example:


    In my day job we have fw policy in excess of 40k secs and sometimes 80k sec and numerous data (SQL); again, that does not make it the most general policy.


    Just my 2cts input ;)


    Ken