lmsaeb
New Member
October 30, 2020
Question

Probably Dumbest Question Ever Asked on This Forum

  • October 30, 2020
  • 1 reply
  • 2542 views

Hi All, 

I am new to the FortiGate world. In the past, the firewalls I worked with had an explicit rule for traffic from the WAN to LAN. The FortiGate does not have this by default, but instead has an implicit deny all. So unless traffic matches a rule, it is blocked by the implicit rule. My question is surrounding security policies then. If I do not have a rule for WAN to LAN, how do I apply security policies, like SSL filtering, to traffic coming from WAN to LAN? Do I need to on the FortiGate? Thanks.

    1 reply

    lobstercreed
    New Member
    October 30, 2020

    TL;DR: no, you don't need those if no traffic is allowed from outside to inside.


    Best way to answer this that I can think of is to think of the OSI model.  If you're already blocking traffic at a lower layer (by IP address or TCP/UDP port) you don't need to consider the higher layers of that traffic.  So it wouldn't matter that someone was trying to inject a virus or something if they couldn't get in the door in the first place.  Where you want security profiles is to dig into traffic that is otherwise allowed at those lower layers.


    Otherwise, if you're thinking about the "reverse" traffic from WAN to LAN for web browsing and the like, that is always handled on the LAN to WAN policy (this would be the case on any stateful firewall).  You'll want to apply any AV or web filtering, etc. to the connections initiated by your users to the outside world.


    Last thing: if you want to have logs of who's knocking on your door, you can always define an explicit deny from WAN -> LAN, but honestly if you don't have any VIPs it won't be matching anything anyway.