david_harris
New Contributor

What is the benefit of setting the ingress/egress interfaces in FW policy?

Hello all

Quite new to Fortinet. I am faced with a manual effort in setting in/out interfaces across >700 lines converted from a Check Point FW. Do I need to do this? I thought it was the Forti version of anti-spoofing; however, I read that this is enabled regardless.

I have not been able to find anything related to my question, and the Fortinet docs don't explain it or give adequate examples besides using the 'any' interface.

So what is the point in setting them in firewall policy?

thanks

SecurityPlus
Contributor II

You can use a Zone, which once configured will contain 1 or more interfaces. https://docs.fortinet.com...0/cookbook/116821/zone
emnoc
Esteemed Contributor III

To give an example, if you use "any" in the interface setting, that really means just that: "any". If you do not want that or require this, then set the srcintf/dstintf.

What is driving this requirement? Security audits? And yes, the converter tool does an okay job, but in Check Point your interface is bound to a zone; the same in palo and jnpr also. So the policies are src/dst zone based.

A Fortinet is not a zone-based firewall (by default), but you could enable zone-based if so desired. But once you go to zones you can't peel a single interface out if you ever want to or think you need to do that.

You can also intermix src/dst zones and src/dst interfaces in a policy, so you do NOT have to put all interfaces into a zone. Also, if you're planning to go to zones, any interface tied with a policy has to be deleted. So keep that in mind. Zones in some cases do have an advantage based on your topology and the number of policies, or in some cases some people are tired of seeing numerous interfaces on a single line.

e.g.

config firewall policy
    edit 834
        set uuid 6109d3c2-b4e4-51eb-548f-7b34dbca756a
        set srcintf "vlan19" "vlan10" "vlan11" "vlan189"
        set dstintf "vpntun_802"
        set srcaddr "B2B_GROUP_20130111-L2K3"
        set dstaddr "B2B_GROUP_20130112-LNM2"
        set action accept
        set schedule "always"
        set service "B2B_GENERIC_POLICY1-SRV"
    next
end

YMMV, but you have to weigh out what you really want and what you and your team need. Typically if you come from Check Point/Forcepoint/Palo/Juniper you stay with zones, from my experience. If you're doing this more for cosmetics or ease of auditing.

I personally hate seeing src/dst interfaces with any and any src/dst address. You can accidentally open up things if you do not pay attention.

Ken Felix

PCNSE NSE StrongSwan
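One way to audit a converted rulebase for the any/any accept policies emnoc warns about, as an added example that is not part of the original thread or of any Fortinet tool: a small Python parser over the "config firewall policy" CLI format shown above, run against a constructed sample rulebase (the policy ids, interface and address names are invented).

```python
import re

# Constructed sample in the FortiOS "config firewall policy" CLI format seen
# in the thread; the ids, interface and address names are invented.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
    edit 2
        set srcintf "vlan10" "vlan11"
        set dstintf "vpntun_802"
        set srcaddr "B2B_GROUP_EXAMPLE"
        set dstaddr "B2B_GROUP_EXAMPLE"
        set action accept
    next
    edit 3
        set srcintf "any"
        set dstintf "any"
        set action deny
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} for each 'edit N ... next' entry."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            # multi-valued settings are quoted ("vlan10" "vlan11"); flags are bare (accept)
            policies[current][key] = re.findall(r'"([^"]*)"', rest) or [rest]
        elif line == "next":
            current = None
    return policies

def find_any_any_accepts(policies):
    """Ids of accept policies that leave both srcintf and dstintf at 'any'."""
    return sorted(pid for pid, p in policies.items()
                  if p.get("action") == ["accept"]
                  and p.get("srcintf") == ["any"] and p.get("dstintf") == ["any"])
```

Feed it the output of `show firewall policy` from a real unit to list the entries that still need their interfaces set after a conversion.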