FortiGate
AlexC-FTNT
Staff
Article Id 335491
Description

This article explains how the security profiles are applied in a FortiGate.

Scope

FortiGate, all versions.

Solution

As with all network equipment, a FortiGate communicates with the outside world through its ports (interfaces).

Where these ports are connected (LAN or WAN) is irrelevant to the device itself, even though interface roles can be assigned so that the GUI groups and labels them more helpfully.

The direction of traffic is determined by routing and policy routes; the configured firewall policies then allow, filter, or deny it.

 

As a result, there is no concept of 'direction' when it comes to security profiles. A profile is applied to the traffic that matches the policy it is attached to, in the direction of that policy (source interface to destination interface), and it inspects the whole session that the policy accepts, including the replies that flow back inside that session.

Depending on its placement (edge firewall, internal segmentation firewall), a FortiGate may pass traffic from LAN to WAN, from WAN to WAN, or from LAN to LAN, with different security profiles applied to each policy according to the needs of the individual setup. None of this implies that security profiles are meant to function in one direction only (e.g. LAN to WAN).

 

The only limitations are the resources available on the FortiGate and common sense. For example, applying a web filter profile to the inbound WAN-to-LAN policy that fronts a FortiGate VIP makes little sense (the published server is not browsing the web), but it is not impossible: as long as the FortiGate has the resources to inspect and filter the traffic, the profile can be attached to that policy and will function there as well.

This applies to all security profiles.
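The following FortiOS CLI configuration is an added example, not part of the original article: it shows two policies in opposite directions (LAN to WAN, and WAN to LAN through a VIP) each carrying its own set of security profiles. The interface names (port1, port2), the addresses, the VIP name and the profile names are assumptions chosen for illustration; the command syntax is standard FortiOS.

```fortios
# Added example, not from the original article. Interface names, addresses,
# VIP and profile names are assumptions for illustration only.

# Interface roles only affect how the GUI groups and labels interfaces;
# they play no part in policy matching or in which profiles are applied.
config system interface
    edit "port1"
        set role wan
    next
    edit "port2"
        set role lan
    next
end

# A web server on the LAN published towards the WAN through a VIP
# (203.0.113.10 and 10.0.0.10 are assumed documentation addresses).
config firewall vip
    edit "vip-webserver"
        set extintf "port1"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    # Policy 1: LAN -> WAN. The attached profiles inspect every session this
    # policy accepts, i.e. the client requests and the replies to them.
    edit 1
        set name "lan-to-wan-users"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
    # Policy 2: WAN -> LAN through the VIP. Same kinds of profile, opposite
    # direction. AV and IPS are useful here; a web filter profile would be
    # pointless for a published server, but FortiOS would still accept it.
    edit 2
        set name "wan-to-vip-webserver"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-webserver"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

To confirm which policy (and therefore which set of profiles) a given session is hitting, look at the policy_id field in the output of `diagnose sys session list`, or trace a single flow with `diagnose debug flow`. A session from the WAN to the VIP should report policy 2, a session from the LAN outwards policy 1; each is inspected only by the profiles attached to the policy it matched.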
