fernet17
New Contributor

Policy order

Hi,

It appears to me that setting the firewall policies generating the largest traffic volumes at the top of the rule set would make the most sense. However, this is not mentioned in the "Forti OS Handbook - Firewall" nor in any best practice document I've found. Is this of no concern, or is it even so obvious that it is not mentioned?


Thanks!

Ueli

5 REPLIES
Markus
Valued Contributor

Hi Ueli, it's (more or less) of concern (depends on traffic/model) and it still makes sense.


Best,

Markus


________________________________________________________
--- NSE 4 ---
________________________________________________________

tanr
Valued Contributor II

A few important notes on this.


If your policies are all specified by interface --> interface (that is, you don't have policies that include "any" interface), then I think (others may correct me) that the FortiGate can quickly focus on just the rules for the incoming and outgoing interface.


Probably obvious, but remember that though you can try to have policies that involve larger traffic volumes listed earlier, you must have the more specific rules come before the more general rules; otherwise the more specific rules won't get matched.

Iescudero

Hi there!

You're correct, fernet17. You can find the same criteria in this official document:


https://docs.fortinet.com/uploaded/files/1954/Best_Practices_52.pdf

Page 20:

"...Arrange firewall policies in the policy list from more specific to more general. The firewall searches for a matching policy starting from the top of the policy list and working down. For example, a very general policy matches all connection attempts. When you create exceptions to a general policy, you must add them to the policy list above the general policy..."


Hope it helps!
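The two constraints raised in tanr's and Iescudero's replies (specific-before-general, and only then volume) can be checked mechanically. The following is an added example, not code from the thread or from Fortinet: a toy first-match policy engine with simplified matching assumptions (an interface entry of "any" matches every interface, each address is one IPv4 CIDR, a service is a set of ports or "ALL"). The three policies, the guest flow and the byte counts are constructed for the demo. `shadowed()` reports exception policies that sit below a policy covering them, and `reorder_by_volume()` moves high-volume policies up only past policies they cannot share a flow with, so the lookup result never changes.

```python
"""Toy first-match policy engine (added example; not FortiOS code).

Matching semantics are simplified assumptions: "any" interface matches all,
addresses are single IPv4 CIDRs, services are port sets or {"ALL"}.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str            # interface name or "any"
    dstintf: str
    srcaddr: str            # single IPv4 CIDR
    dstaddr: str
    service: frozenset      # TCP ports, or frozenset({"ALL"})
    action: str             # "accept" or "deny"
    volume: int = 0         # constructed traffic volume, used only for reordering


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _intf_ok(policy_intf, flow_intf):
    return policy_intf == "any" or policy_intf == flow_intf


def _intf_overlap(x, y):
    return x == "any" or y == "any" or x == y


def matches(pol, flow):
    """flow = dict(srcintf, dstintf, src, dst, port)."""
    return (_intf_ok(pol.srcintf, flow["srcintf"])
            and _intf_ok(pol.dstintf, flow["dstintf"])
            and ipaddress.ip_address(flow["src"]) in _net(pol.srcaddr)
            and ipaddress.ip_address(flow["dst"]) in _net(pol.dstaddr)
            and ("ALL" in pol.service or flow["port"] in pol.service))


def lookup(policies, flow):
    """Top-down first match; anything unmatched hits the implicit deny."""
    for pol in policies:
        if matches(pol, flow):
            return pol.name, pol.action
    return "implicit", "deny"


def covers(a, b):
    """True if every flow that b matches is also matched by a."""
    return ((a.srcintf == "any" or a.srcintf == b.srcintf)
            and (a.dstintf == "any" or a.dstintf == b.dstintf)
            and _net(b.srcaddr).subnet_of(_net(a.srcaddr))
            and _net(b.dstaddr).subnet_of(_net(a.dstaddr))
            and ("ALL" in a.service
                 or ("ALL" not in b.service and b.service <= a.service)))


def overlaps(a, b):
    """True if some flow could match both a and b, so their relative order matters."""
    return (_intf_overlap(a.srcintf, b.srcintf)
            and _intf_overlap(a.dstintf, b.dstintf)
            and _net(a.srcaddr).overlaps(_net(b.srcaddr))
            and _net(a.dstaddr).overlaps(_net(b.dstaddr))
            and ("ALL" in a.service or "ALL" in b.service or bool(a.service & b.service)))


def shadowed(policies):
    """(later, earlier) pairs where the earlier policy covers the later one."""
    out = []
    for i, earlier in enumerate(policies):
        for later in policies[i + 1:]:
            if covers(earlier, later):
                out.append((later.name, earlier.name))
    return out


def reorder_by_volume(policies):
    """Move high-volume policies up, never past a policy they overlap with."""
    result = []
    for pol in policies:
        bound = 0  # lowest legal index: just below the last placed overlapping policy
        for i, placed in enumerate(result):
            if overlaps(placed, pol):
                bound = i + 1
        pos = bound
        while pos < len(result) and result[pos].volume >= pol.volume:
            pos += 1
        result.insert(pos, pol)
    return result


def demo():
    # Constructed sample: a general allow, a specific exception, and a high-volume
    # policy on a different interface pair.
    internet = Policy("any-to-internet", "port1", "wan1", "10.0.0.0/8", "0.0.0.0/0",
                      frozenset({"ALL"}), "accept", volume=500)
    no_guest = Policy("deny-guest-internet", "port1", "wan1", "10.9.0.0/16", "0.0.0.0/0",
                      frozenset({"ALL"}), "deny", volume=5)
    backup = Policy("backup-to-dmz", "port1", "dmz", "10.0.0.0/8", "172.16.0.0/24",
                    frozenset({22, 445}), "accept", volume=2000)
    guest = dict(srcintf="port1", dstintf="wan1", src="10.9.1.5", dst="203.0.113.10", port=443)
    wrong = [internet, no_guest, backup]      # general above its exception
    right = [no_guest, internet, backup]      # exception above general
    tuned = reorder_by_volume(right)          # volume ordering that keeps the exception on top
    return {
        "wrong_lookup": lookup(wrong, guest),
        "wrong_shadowed": shadowed(wrong),
        "right_lookup": lookup(right, guest),
        "tuned_order": [p.name for p in tuned],
        "tuned_lookup": lookup(tuned, guest),
        "tuned_shadowed": shadowed(tuned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the general policy on top the guest flow is accepted and `shadowed()` flags the deny; with the exception on top it is denied, and the volume pass only moves `backup-to-dmz` (a disjoint interface pair) to the top, leaving the deny above the allow it overlaps.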

rwpatterson
Valued Contributor III

fernet17 wrote:

Hi,

It appears to me that setting the firewall policies generating the largest traffic volumes at the top of the rule set would make the most sense. However, this is not mentioned in the "Forti OS Handbook - Firewall" nor in any best practice document I've found. Is this of no concern, or is it even so obvious that it is not mentioned?


Thanks!

Ueli

What is being missed here is the assumption that the most general policy(s) is also the largest-volume policy. We need to compare apples to apples. The policy with the most volume may not necessarily be the most general policy. The amount of volume a policy handles shouldn't be the basis of your criteria for ordering policies.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

Agreed,


Example: I could have a file transfer that generates tons of volume (SMB/SFTP/FTP/NFS/etc.), but that does not make it the more general policy.


2nd example:


In my day job we have fw policies in excess of 40k secs and sometimes 80k secs and numerous data (SQL); again, that does not make it the most general policy.


Just my 2 cents input ;)


Ken

PCNSE 

NSE 

StrongSwan