Contributor
December 15, 2010
Question

Trust to Untrust Policy Question

Hi, if I have the first policy in the trust > untrust with ALL, ALL, ANY, ACCEPT, then do I need other policies below that allowing the same access from Trust to other networks on my WAN? I think the first rule should cover ANYTHING from trust to untrust, so I don't need further rules. Thanks for any input!


    ede_pfau
    SuperUser
    December 15, 2010
    Hi, and welcome to the Forums! Coming from Netscreen/Juniper, eh? You're right, a policy that wide open covers all traffic from internal to WAN (this is FortiSpeak). The destination ALL or '0.0.0.0' stands for all networks and is most often used on WAN interfaces. You'll find yourself working with interfaces a lot more than you're used to. But, there is a zone construct in FortiOS as well. It combines several interfaces so that it can replace multiple policies with just one. You can allow or deny intra-zone traffic. If you want to create a zone, you have to do that before referencing the member interfaces elsewhere. Common scenario for a zone: combine multiple VPN tunnel ends into a VPN zone for a hub-and-spoke VPN.
    Contributor
    December 15, 2010
    Thank you Ede, and yes, coming from netscreen's... hahah. Josh
    emnoc
    New Member
    December 15, 2010
    When I see trust and untrust I too think "netscreen", since I'm a netscreen kind of guy and have been working with them for years before fortigates. If that's all of the policies that you need, then you are correct that you don't need anything else. A lot of organizations are restricting what they are allowing in and out, so keep that in mind. If you need this kind of policing, then create a service list of the services that you want to trust outbound. You can create this quite easily thru the webUI by selection of services.
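To put both replies side by side in CLI form, here is an added example (not from any poster in this thread): the wide-open internal-to-WAN policy the question describes, the restricted version using a service group as emnoc suggests, and the VPN zone ede_pfau mentions. Interface names (internal, wan1, the two tunnel interfaces), the policy IDs and the group name are assumed placeholders, and the syntax follows current FortiOS, which may differ from the 2010-era release the thread was written against.

```fortios
# --- Policy 1: wide open, as in the question (all sources, all destinations, all services)
config firewall policy
    edit 1
        set name "trust-to-untrust-any"
        set srcintf "internal"          # assumed LAN interface name
        set dstintf "wan1"              # assumed WAN interface name
        set srcaddr "all"
        set dstaddr "all"               # "all" / 0.0.0.0 covers every WAN destination
        set service "ALL"
        set action accept
        set schedule "always"
        set nat enable
    next
end

# --- Restricted alternative: only the services you choose to trust outbound
config firewall service group
    edit "Outbound_Allowed"             # assumed group name
        set member "HTTP" "HTTPS" "DNS"
    next
end

config firewall policy
    edit 2
        set name "trust-to-untrust-restricted"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "Outbound_Allowed"  # anything not in the group hits the implicit deny
        set action accept
        set schedule "always"
        set nat enable
    next
end

# --- Zone: group several VPN tunnel interfaces so one policy can reference them.
# Create the zone before the tunnel interfaces are referenced in any policy.
config system zone
    edit "VPN_zone"
        set interface "spoke1-tunnel" "spoke2-tunnel"   # assumed tunnel interface names
        set intrazone deny              # block spoke-to-spoke traffic unless a policy allows it
    next
end
```

Policy 1 and policy 2 would not normally coexist; the example lists them together only to contrast the wide-open rule with the restricted one, and a firewall with policy 1 first would never reach policy 2.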