FortiGate
Article Id 207381

Description

This article describes how policy order works on FortiGate.

Scope

FortiGate, all versions.

Solution

After a policy is created, reorder the policy rules as necessary.

Policies are consulted from top to bottom.

The first rule that matches is applied; subsequent rules are not evaluated.

FortiGate firewall policies work on the principle of order of precedence or, in more recognizable terms, 'first come, first served': the first policy that matches the traffic wins.

Even after only a relatively small number of policies have been created, it is highly likely that some of them overlap, or that the matching parameters of one policy are a subset of another's. When this happens there has to be a method to determine which policy is applied to the packet. The method used by most firewalls, FortiGate included, is the order in which the policies are sequenced.

If all of the policies are placed in a sequential list, the matching process starts at the top of the list and works its way down. For each policy it compares the following information about the packet:


  • Incoming Interface: The network interface through which the packet enters the FortiGate.
  • Source Information: The packet's source IP address and, where configured, the authenticated user or the device identifier.
  • Destination Information: The packet's destination IP address or the Internet Service it belongs to.
  • Outbound Interface: The interface the packet will use to reach its destination. This is determined by the routing table before the policy lookup, so the route lookup happens first.
  • Service/Port: The protocol and destination port the packet is targeting.
  • Time of Connection: The time at which the packet is processed, checked against the policy's schedule.

As soon as a policy is reached that matches all of the applicable parameters, the instructions of that policy are applied and the search for any other matching policies stops.

All subsequent policies are disregarded.

Only one policy is applied to the packet.

If no configured policy matches the traffic, the packet finally falls through to what is always the last policy.

This is the implicit policy. It has policy ID 0 and is one of a few kinds of traffic that are referred to by the term 'policy0' (for example, in traffic logs). The default action of the implicit policy is to deny all traffic.


The only setting that is editable in the implicit policy is the logging of violation traffic; its action cannot be changed and it cannot be deleted or moved.

A logical best practice that follows from how this process works is that the more specific or specialized a policy is, the closer to the beginning of the sequence it should be placed.

The more general a policy is, the higher the likelihood that its range of parameters also covers the traffic of a more specifically targeted policy placed below it, in which case that specific policy is never reached (it is 'shadowed'). The more specific a policy is, the higher the probability that there is a requirement for treating that traffic in a specific way, so it must be evaluated first.
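The following is an added example, not FortiGate code or configuration: a small Python model of the top-down, first-match lookup described above, over the six parameters listed earlier, with policy ID 0 as the implicit deny that is reached when nothing else matches. It also includes a `shadowed()` check that reports policies which can never be reached because an earlier, broader policy covers everything they would match, which is exactly the misordering the best practice above warns against. All policy names, interface names, addresses and sample packets are constructed for the illustration.

```python
"""Model of FortiGate-style first-match policy lookup (added example, not
FortiGate code). Interfaces, addresses, services and packets are constructed."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

ANY = frozenset({"any"})                     # interface "any" / service "ALL"
ALL_NETS = (ip_network("0.0.0.0/0"),)        # address object "all"
ALWAYS = (time(0, 0), time(23, 59, 59))      # schedule "always"


@dataclass(frozen=True)
class Policy:
    policyid: int
    name: str
    srcintf: FrozenSet[str]
    dstintf: FrozenSet[str]
    srcaddr: Tuple                           # tuple of ip_network objects
    dstaddr: Tuple
    service: FrozenSet[str]                  # e.g. {"tcp/443"}; ANY = ALL
    action: str                              # "accept" or "deny"
    schedule: Tuple[time, time] = ALWAYS


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str      # egress interface: decided by the route lookup first
    src: str
    dst: str
    service: str      # "proto/port"
    at: time


# Policy ID 0: implicit deny, always last, matches everything.
IMPLICIT_DENY = Policy(0, "Implicit Deny", ANY, ANY, ALL_NETS, ALL_NETS, ANY, "deny")


def matches(p: Policy, pkt: Packet) -> bool:
    """A policy matches only when every one of its parameters matches."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    return ("any" in p.srcintf or pkt.srcintf in p.srcintf) \
        and ("any" in p.dstintf or pkt.dstintf in p.dstintf) \
        and any(src in n for n in p.srcaddr) \
        and any(dst in n for n in p.dstaddr) \
        and ("any" in p.service or pkt.service in p.service) \
        and p.schedule[0] <= pkt.at <= p.schedule[1]


def lookup(policies: List[Policy], pkt: Packet) -> Policy:
    """Top-down search; the first match wins and nothing below it is read.
    If no configured policy matches, fall through to policy 0."""
    for p in policies:
        if matches(p, pkt):
            return p
    return IMPLICIT_DENY


def _covers(outer: Policy, inner: Policy) -> bool:
    """True if every packet that could match `inner` already matches `outer`."""
    def sets(o, i): return "any" in o or i <= o
    def nets(o, i): return all(any(n.subnet_of(m) for m in o) for n in i)
    return sets(outer.srcintf, inner.srcintf) and sets(outer.dstintf, inner.dstintf) \
        and nets(outer.srcaddr, inner.srcaddr) and nets(outer.dstaddr, inner.dstaddr) \
        and sets(outer.service, inner.service) \
        and outer.schedule[0] <= inner.schedule[0] <= inner.schedule[1] <= outer.schedule[1]


def shadowed(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Return (shadowed_id, by_id) for policies that can never be reached."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if _covers(earlier, later):
                found.append((later.policyid, earlier.policyid))
                break
    return found


# Constructed sample table. Policy 2 (block the guest subnet) is a subset of
# policy 1 (allow the whole LAN), so below policy 1 it is never evaluated.
LAN, WAN, DMZ = frozenset({"lan"}), frozenset({"wan"}), frozenset({"dmz"})
P_LAN_OUT = Policy(1, "LAN to Internet", LAN, WAN, (ip_network("10.0.0.0/8"),), ALL_NETS, ANY, "accept")
P_GUEST_BLOCK = Policy(2, "Block guest subnet", LAN, WAN, (ip_network("10.0.5.0/24"),), ALL_NETS, ANY, "deny")
P_DMZ_HTTPS = Policy(3, "LAN to DMZ web, business hours", LAN, DMZ, (ip_network("10.0.0.0/8"),),
                     (ip_network("172.16.0.10/32"),), frozenset({"tcp/443"}), "accept",
                     (time(8, 0), time(18, 0)))
POLICIES_BAD = [P_LAN_OUT, P_GUEST_BLOCK, P_DMZ_HTTPS]    # general above specific
POLICIES_GOOD = [P_GUEST_BLOCK, P_LAN_OUT, P_DMZ_HTTPS]   # specific above general

GUEST_WEB = Packet("lan", "wan", "10.0.5.7", "203.0.113.10", "tcp/443", time(12, 0))
DMZ_HTTPS_DAY = Packet("lan", "dmz", "10.0.1.2", "172.16.0.10", "tcp/443", time(10, 0))
DMZ_HTTPS_NIGHT = Packet("lan", "dmz", "10.0.1.2", "172.16.0.10", "tcp/443", time(20, 0))

if __name__ == "__main__":
    for label, table in (("misordered", POLICIES_BAD), ("reordered", POLICIES_GOOD)):
        hit = lookup(table, GUEST_WEB)
        print(f"{label}: guest -> policy {hit.policyid} ({hit.action}); shadowed={shadowed(table)}")
    print("DMZ at night -> policy", lookup(POLICIES_GOOD, DMZ_HTTPS_NIGHT).policyid)
```

With the general policy on top, the guest packet is accepted by policy 1 and the deny in policy 2 is never consulted; `shadowed()` flags `(2, 1)`. Moving the specific policy above the general one makes the same packet hit policy 2, and the DMZ request outside the schedule matches nothing and lands on policy 0, the implicit deny.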

Related article:
Technical Tip: Firewall policy lookups