Serxhio
Staff
Article Id 322190
Description This article describes the traffic re-evaluation that occurs after hitting a deny policy in NGFW policy-based mode.
Scope FortiGate.
Solution

If the configuration changes after traffic has matched a deny policy, the existing session is not re-evaluated.

Consider an example with a valid session from host_A that is accepted by a security policy:

[Screenshot: host_A (IP 10.122.4.123)]

[Screenshot: session list entry for host_A showing ngfwid=1]

The screenshots below show what occurs once this traffic hits a deny policy. (In this scenario, the source address of the intended traffic is removed from the source address object on the security policy. As a result, the traffic hits the implicit deny policy.)

[Screenshot 3.PNG: session list entry for host_A now showing ngfwid=0]

After adding the source back on policy 1, the traffic is still denied and still hits the implicit deny policy.

The existing session is not re-evaluated anymore.

This is behavior by design in NGFW policy-based mode.

To have the traffic re-evaluated, the session must be re-established, or the active session must be cleared from the session table.

A new session will then be evaluated according to the security policy rules.
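The session-clearing step described above, as an added FortiOS CLI example that is not part of the original article. The source address 10.122.4.123 is host_A from the example; the filter fields are assumed to match your own traffic, and ngfwid is assumed to be the security policy ID recorded in the session (1 for the accepted session and 0 for the implicit deny, as in the screenshots above).

```fortios
# Added example (not from the original article): find and clear the stale
# session so that new traffic from host_A is evaluated afresh against the
# security policies. 10.122.4.123 is host_A from the article.

# 1. Reset any previous filter, then narrow it to the affected host so that
#    only its sessions are listed and cleared.
diagnose sys session filter clear
diagnose sys session filter src 10.122.4.123

# 2. Inspect the matching session(s). In NGFW policy-based mode the entry
#    carries an ngfwid field: 1 while security policy 1 accepted the traffic,
#    0 once the source was removed and the traffic fell through to implicit deny.
diagnose sys session list

# 3. Clear only the filtered sessions. With an empty filter this command
#    clears every session on the unit, so always set the filter first.
diagnose sys session clear

# 4. Confirm the entry is gone, then generate new traffic from host_A. The
#    new session is evaluated against the current security policies and
#    should show ngfwid=1 once policy 1 accepts it again.
diagnose sys session list
diagnose sys session filter clear
```

Setting the filter before `diagnose sys session clear` is the important part: it limits the impact to host_A's sessions instead of dropping every active session on the firewall.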
