Article Id 207381



This article describes how policy order works on FortiGate.




FortiGate all versions.




After a policy is created, reorder the policy rules as necessary.

The policies are consulted from top to bottom.

The first rule that matches is applied and subsequent rules are not evaluated.


FortiGate firewall policies work on the concept of precedence of order or, in more recognizable terms, 'first come, first served'.


Even after only a relatively small number of policies have been created, it is highly likely that some of them will overlap, or be subsets of one another, in the parameters used to determine which policy should be matched against the incoming traffic.

When this happens there has to be a method to determine which policy should be applied to the packet.

The method which is used by most firewalls is based on the order of the sequence of the policies.


If all of the policies were placed in a sequential list, the process to match up the packet would start at the top of the list and work its way down.

It would compare information about the packet, specifically these points of information:


- The interface on which the packet connected to the FortiGate.

- The source of the packet. This can include variations of the address, user credentials or unit.

- The destination of the packet. This can include address or Internet service.

- The interface the packet would need to use to get to the destination address based on the routing table.

- The service or port the packet is destined for.

- The time that the packet connected to the FortiGate.


As soon as a policy is reached that matches all of the applicable parameters, the instructions of that policy are applied and the search for any other matching policies is stopped.

All subsequent policies are disregarded.

Only 1 policy is applied to the packet.


If none of the policies that have been configured matches the traffic, the packet finally drops down to what is always the last policy.

It is an implicit policy, one of a few that are referred to by the term 'policy0'. This policy denies everything.


The only setting that is editable in the implicit policy is the logging of violation traffic.


A logical best practice that comes from the knowledge of how this process works is to make sure that the more specific or specialized a policy is, the closer to the beginning of the sequence it should be.

The more general a policy is, the higher the likelihood that its range of parameters includes a more specifically targeted policy. The more specific a policy is, the higher the probability that there is a requirement for treating that traffic in a specific way.
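
The following added example (not FortiGate code and not part of the original article) models the top-to-bottom, first-match lookup described above and flags policies that can never be reached because a more general policy sits above them. The `Policy` fields, rule names and addresses are constructed for illustration; schedule and user identity are left out to keep the model small.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    pid: int        # policy ID; the position in the list is the sequence order
    srcintf: str    # incoming interface, or "any"
    dstintf: str    # outgoing interface, or "any"
    src: str        # source network (CIDR)
    dst: str        # destination network (CIDR)
    ports: tuple    # (low, high) destination ports, inclusive
    action: str     # "accept" or "deny"

# Stand-in for the implicit deny ('policy0') that always ends the list.
IMPLICIT_DENY = Policy(0, "any", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), "deny")

def matches(p, srcintf, dstintf, src, dst, port):
    return (p.srcintf in ("any", srcintf)
            and p.dstintf in ("any", dstintf)
            and ip_address(src) in ip_network(p.src)
            and ip_address(dst) in ip_network(p.dst)
            and p.ports[0] <= port <= p.ports[1])

def first_match(policies, *packet):
    """Walk the list top to bottom; the first hit wins, else implicit deny."""
    for p in policies:
        if matches(p, *packet):
            return p
    return IMPLICIT_DENY

def covers(general, specific):
    """True if every packet matching `specific` also matches `general`."""
    return (general.srcintf in ("any", specific.srcintf)
            and general.dstintf in ("any", specific.dstintf)
            and ip_network(specific.src).subnet_of(ip_network(general.src))
            and ip_network(specific.dst).subnet_of(ip_network(general.dst))
            and general.ports[0] <= specific.ports[0]
            and specific.ports[1] <= general.ports[1])

def shadowed(policies):
    """Return (hidden_pid, hiding_pid) pairs for policies that are never reached."""
    return [(late.pid, early.pid)
            for i, late in enumerate(policies)
            for early in policies[:i] if covers(early, late)]

# Constructed sample rule base and packet (srcintf, dstintf, src, dst, port).
ALLOW_LAN = Policy(1, "lan", "wan", "10.0.0.0/8", "0.0.0.0/0", (0, 65535), "accept")
BLOCK_HOST_SSH = Policy(2, "lan", "wan", "10.1.2.3/32", "0.0.0.0/0", (22, 22), "deny")
PACKET = ("lan", "wan", "10.1.2.3", "203.0.113.10", 22)
```

With the general allow rule first, the host-specific deny is shadowed and the SSH packet is accepted; placing the specific rule first restores the intended deny.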