DescriptionThis article describes how to learn policy in IPv4 policy.SolutionWhen installing a new FortiGate, the first policy set up is usually one that goes from the inside to the Internet with fairly little in the way of restrictions. After all, make sure to be able to connect to things before the access is limited for policy reasons.
Once this first connection is verified and that everyone can access the Internet it is time to start locking things down.Take that first policy, the one that most outbound traffic will be going through.
When it was first set up, the action field was set to ACCEPT.The options for this field are ACCEPT, DENY, LEARN, and IPsec.
- ACCEPT allows all match traffic to go through the policy.- DENY drops all of the matching packets.- IPsec is for setting up IPsec VPN policies.
The option that interests us now is LEARN.
The purpose of this particular option is to make it easier for the system administrator to learn what sort of traffic is occurring on the network.
When the LEARN option is selected, a few things will be going on in the background.
The first thing to notice is that all of the Security Profile options that are normally seen in the configuration window will no longer be displayed.
This is not necessary because a number of predefined, hard coded profiles have been assigned to the policy.
- Are all flow-based.
- Are static and cannot be changed.
- Have SSL inspection disabled.
- Are configured to monitor all the traffic that goes through the policy.
Profiles not included are:
- DNS Filter – There is no Flow mode for this profile.
- Web Application Firewall – There is no Flow mode for this profile.
- SSL deep inspection. Without SSL inspection, turning on CASI serves little purpose).